{"id":7261,"date":"2007-09-10T18:35:00","date_gmt":"2007-09-10T18:35:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/powershell\/2007\/09\/10\/impersonation-and-hosting-powershell\/"},"modified":"2019-02-18T13:16:32","modified_gmt":"2019-02-18T20:16:32","slug":"impersonation-and-hosting-powershell","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/powershell\/impersonation-and-hosting-powershell\/","title":{"rendered":"Impersonation and Hosting PowerShell"},"content":{"rendered":"

Some of you reported that Impersonation doesn\u2019t work while hosting PowerShell in ASP.net applications.  <\/span>The problem occurs when PowerShell’s pipeline is invoked in the following way from an ASP.NET application:<\/font><\/p>\n

         <\/span>WindowsIdentity<\/span> winId = (WindowsIdentity<\/span>)HttpContext<\/span>.Current.User.Identity; <\/span><\/p>\n

 <\/span><\/p>\n

            WindowsImpersonationContext<\/span> ctx = null<\/span>; <\/span><\/p>\n

            try<\/span><\/span><\/p>\n

            {<\/span><\/p>\n

                ctx = winId.Impersonate(); <\/span><\/p>\n

                Runspace<\/span> myRunSpace = RunspaceFactory<\/span>.CreateRunspace();<\/span><\/p>\n

                myRunSpace.Open();<\/span><\/p>\n

                Pipeline<\/span> pipeline = myRunSpace.CreatePipeline(\u201c[System.Security.Principal.WindowsIdentity]::GetCurrent().Name\u201d);<\/span><\/p>\n

                System.Collections.ObjectModel.Collection<\/span><PSObject<\/span>> objectRetVal = pipeline.Invoke();<\/span><\/p>\n

                myRunSpace.Close();<\/span><\/p>\n

                \/\/objectRetVal[0].BaseObject.ToString();<\/span><\/p>\n

 <\/span><\/p>\n

                ctx.Undo();<\/span><\/p>\n

            }<\/span><\/p>\n

 <\/span><\/p>\n

Notice the thread\u2019s identity is changed to impersonate<\/u> CurrentUser identity but the pipeline.Invoke() results show the identity of the current process.  <\/span>This is because pipeline.Invoke() method creates a thread called \u201cPipeline Execution Thread\u201d and the command\/script is executed in this new thread. In .net 2.0, by default the impersonation token does not flow across threads, so \u201cPipeline Execution Thread\u201d doesn\u2019t get the impersonation token of the calling thread. You can configure ASP.Net to flow the impersonation token to newly created threads by using \u201calwaysFlowImpersonationPolicy\u201d and \u201clegacyImpersonationPolicy\u201d configuration elements in aspnet.config file like this:<\/font><\/p>\n

 <\/font><\/p>\n

<configuration><\/font><\/p>\n

                <\/span><runtime><\/font><\/font><\/p>\n

                             <\/span><legacyImpersonationPolicy enabled=\u201dfalse\u201d\/><\/font><\/font><\/p>\n

                             <\/span><alwaysFlowImpersonationPolicy enabled=\u201dtrue\u201d\/><\/font><\/font><\/p>\n

               <\/span><\/runtime><\/font><\/font><\/p>\n

<\/configuration><\/font><\/p>\n

 <\/font><\/p>\n

For more details about impersonation see this article: http:\/\/msdn2.microsoft.com\/en-us\/library\/ms998258.aspx#pagguidelines0001_ifyouneedtoimpersonateconsiderthreadingi<\/a><\/span><\/font><\/font><\/p>\n

<\/span><\/font><\/font> <\/p>\n

<\/p>\n

Thanks<\/font><\/p>\n

Krishna[MSFT]<\/font><\/p>\n

Windows PowerShell Development<\/font><\/p>\n

 <\/font><\/p>\n

This posting is provided \u201cAS IS\u201d and confers no rights or warranties.<\/span><\/font><\/font><\/p>\n

<\/span><\/font><\/font><\/p>\n","protected":false},"excerpt":{"rendered":"

Some of you reported that Impersonation doesn\u2019t work while hosting PowerShell in ASP.net applications.  The problem occurs when PowerShell’s pipeline is invoked in the following way from an ASP.NET application:          WindowsIdentity winId = (WindowsIdentity)HttpContext.Current.User.Identity;               WindowsImpersonationContext ctx = null;             try             {                 ctx = winId.Impersonate();                 Runspace myRunSpace = RunspaceFactory.CreateRunspace();                 myRunSpace.Open();      […]<\/p>\n","protected":false},"author":600,"featured_media":13641,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[98,200],"class_list":["post-7261","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-powershell","tag-asp-net","tag-impersonation"],"acf":[],"blog_post_summary":"

Some of you reported that Impersonation doesn\u2019t work while hosting PowerShell in ASP.net applications.  The problem occurs when PowerShell’s pipeline is invoked in the following way from an ASP.NET application:          WindowsIdentity winId = (WindowsIdentity)HttpContext.Current.User.Identity;               WindowsImpersonationContext ctx = null;             try             {                 ctx = winId.Impersonate();                 Runspace myRunSpace = RunspaceFactory.CreateRunspace();                 myRunSpace.Open();      […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts\/7261","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/users\/600"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/comments?post=7261"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts\/7261\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/media\/13641"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/media?parent=7261"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/categories?post=7261"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/tags?post=7261"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}