All geek questions in one place

ASP.Net application running powershell scripts like IIS_USR

I am creating an asp.net mvc application that will work as a wrapper for a number of powershell scripts that we have written to manage everyday tasks (with the ultimate goal of making scripting easier for non-technical people).

I managed to get scripts to execute beautifully:

var ctx = System.Web.HttpContext.Current; var file = ctx.Server.MapPath("~/Content/Powershell/psStoreLive.ps1"); #activate a store var shell = PowerShell.Create(); shell.AddCommand(file); shell.AddArgument(o.DBName); # which store should we activate var results = shell.Invoke(); # and then process the results....display output of script

The problem is that the scripts are executed as IIS_USR (or similar).

I need to find a way to get the IIS server to execute scripts as the current logged-in user (using Windows authentication ( <authentication mode="Windows" /> ).

I saw http://stackoverflow.com/questions/10837377/loginview-and-passing-credentials-to-powershell , and although it seems like this might work, this idea does not suit me.

It seems to me that I should do this with some C # code, as in the code block above, but I couldn’t change anything with the help of my searches that do this.

How to create a powershell environment in C # that will run as a registered user (I would even agree to re-request credentials if necessary)

thanks

Change 1

I looked at the PSCredential object and it seems correct, but I still cannot figure out how I can connect it to the session as a whole (a lot of information about using it as a parameter for a cmdlet requiring credentials)

+6
source share
2 answers

I have an ASP.NET site that needs permissions on a shared resource to run EXE and .BAT files.

This example uses the application pool and local account, you can also use the domain account.

  • Create a local account on the server (make it an administrator on the server)
  • Give this account full rights to the folder where the powershell script file is located.
  • Create a new IIS pool and set up an account for this local account
  • Modify your site in IIS to use this new pool.
0
source

Although you could do this, the security implications are not very pleasant.

For a similar requirement, we created a service layer that processes incoming requests to run a script or command and saves them for the client to pull them out of the queue and execute them.

The client can be either a Windows service or just a script running on a machine.

There is a very good reason that a web application does not have access to local resources on the computer or network where it works.

If you still want to do this, just configure the application pool to use a different identifier, as suggested above.

0
source

Source: https://habr.com/ru/post/977503/

More articles:


All Articles