Last post Sep 14, 2015 02:55 AM by Weibo Zhang
Sep 12, 2015 04:14 PM | Swift_gti
I'm currently developing my first ASP.NET site, which is a single-page site that will be intranet published to allow end users to carry out VMM functions by running PowerShell commands on a backend that will connect to VMM.
I need to use the calling user's credentials to carry out some of the PowerShell commands so that the VMM connection runs in the context of that user (and in turn they only get the relevant VM access).
However, I also need to run some functions as the app pool identity to carry out some things the end user account does not have permission to do.
Everything seemed to work great until I tested it with multiple users; see the scenario below:
UserA - No VMM account
UserB - Has VMM access
I have checked the user context before and after impersonation using System.Security.Principal.WindowsIdentity.GetCurrent().Name, and also from within a PowerShell command that is launched in the calling user's context. Everything looks as expected: the app pool ID before impersonation, and the calling user after impersonation and in the PowerShell command.
I'm not sure if this is an IIS configuration issue or something in my code. I've spent nearly two days fiddling around and haven't made any progress; I'm currently at a loss...
I can't share the entire code I'm using as it is on an isolated machine, but for some context I am doing the following:
using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
// This returns the App Pool user ID (checked before impersonation)
string appPoolUser = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
// This returns the calling user's ID (checked after impersonation has started; the impersonation code itself is omitted in the post)
string callingUser = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
try
{
    // Create PowerShell runspace; it must be opened before a pipeline can run in it
    using (Runspace runspace = RunspaceFactory.CreateRunspace())
    {
        runspace.Open();
        // Create pipeline and add commands
        Pipeline pipeline = runspace.CreatePipeline();
        pipeline.Commands.AddScript("Get-SCVirtualMachine -VMMServer 'VMMSrv01.lab'");
        // Execute script
        Collection<PSObject> results = pipeline.Invoke();
    } // Close runspace (disposed here even if Invoke throws)
}
catch (Exception ex) { /* error handling omitted in the post */ }
finally
{
    // Stop impersonation (code omitted in the post)
}
In the real code I've tried to go through everything and make sure I close / dispose everything to ensure it can't be re-used, but I assume that each user connecting gets their own instance spun up within the app pool anyway?
If anyone has any ideas I'd be glad to hear them, as I'm under pressure to get this working and currently am just banging my head against a brick wall!
Sep 14, 2015 02:55 AM | Weibo Zhang
Could you show something about how you store the current calling user name and how you verify login? Maybe the issue is in validating and storing the login information. You could try to debug the login code and find out whether some code causes the login information to be shared. In the IIS settings, you had better disable anonymous logon. Besides, if you want to get the current login user name, you could try to use "System.Web.HttpContext.Current.User.Identity.Name" to get it. There are some differences between "WindowsIdentity.GetCurrent()" and "HttpContext.Current.User". For more information, you could take a look at the following thread.
I hope it’s useful to you.
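An added example, not code from either poster, showing the per-request pattern the two posts circle around: take the identity from HttpContext.Current.User (what IIS authenticated for this request), impersonate it only around a fresh runspace, and verify that the worker thread is back to the app pool identity before it can serve anyone else. It assumes IIS Windows authentication (so the request identity is a WindowsIdentity), the System.Management.Automation assembly, and a VMM cmdlet as in the question; the class and method names are invented here.

```csharp
using System;
using System.Collections.ObjectModel;
using System.Diagnostics;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Security.Principal;
using System.Web;

// Hypothetical helper (not from the thread). Nothing here is static or shared between requests:
// a cached runspace or impersonation context would be exactly what lets UserA see UserB's token.
public static class PerRequestVmmRunner
{
    public static Collection<PSObject> RunAsCaller(string script)
    {
        // The identity IIS authenticated for THIS request, as opposed to whatever token the
        // worker thread currently holds (WindowsIdentity.GetCurrent()).
        var requestUser = HttpContext.Current.User.Identity as WindowsIdentity;
        if (requestUser == null || !requestUser.IsAuthenticated)
            throw new UnauthorizedAccessException("Windows authentication is required.");

        string appPoolUser = WindowsIdentity.GetCurrent().Name; // thread token before impersonation

        // Impersonate only for this request; Dispose() calls Undo() even if Invoke throws.
        using (WindowsImpersonationContext ctx = requestUser.Impersonate())
        {
            try
            {
                // Sanity check: the thread token must now be the caller, not the app pool.
                if (!string.Equals(WindowsIdentity.GetCurrent().Name, requestUser.Name, StringComparison.OrdinalIgnoreCase))
                    throw new InvalidOperationException("Impersonation did not take effect on this thread.");

                // One fresh runspace per request, pinned to the impersonated thread so the
                // pipeline does not run on a pool thread carrying a different token.
                using (Runspace runspace = RunspaceFactory.CreateRunspace())
                {
                    runspace.ThreadOptions = PSThreadOptions.UseCurrentThread;
                    runspace.Open();
                    Pipeline pipeline = runspace.CreatePipeline();
                    pipeline.Commands.AddScript(script); // e.g. "Get-SCVirtualMachine -VMMServer 'VMMSrv01.lab'"
                    return pipeline.Invoke();
                }
            }
            finally
            {
                ctx.Undo();
                // If the thread did not revert, it must not be trusted to serve the next user.
                if (!string.Equals(WindowsIdentity.GetCurrent().Name, appPoolUser, StringComparison.OrdinalIgnoreCase))
                    Trace.TraceError("Impersonation was not reverted; thread still runs as {0}", WindowsIdentity.GetCurrent().Name);
            }
        }
    }
}
```

Commands that must run as the app pool identity go outside the using block, before or after RunAsCaller returns, so the two contexts never share a runspace.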