Run process as another user

  • Thread starter Thread starter Sorin Dolha [MCSD .NET]
  • Start date Start date
S

Sorin Dolha [MCSD .NET]

I would like to start a process from C# code as another user. The C# code is executed as the ASPNET user because it relies in a Web Page class, and I would like that the process will run as another user to gain the required rights for execution (the external process needs to create a mailbox in Exchange, so it needs to be run as an Exchange Full Administrator-powered user).

For the moment, I have tries using the Start() static method of the Process class (from .NET Framework) to start the new process. However, this way, I cannot impersonate the new process as another user. Therefore I tried to impersonate the execution of the C# web page code by using <identity impersonate="true" userName="..."... /> in the Web.config configuration file of the web site. However, the new process still starts as ASPNET.

To test and dig more, I have tried to configure the <processModel> in my machine.config to impersonate the whole execution of the ASP .NET processes, but the new process (and also aspnet_wp.exe) are still running as the ASPNET (machine) user (that's what TaskManager shows in the Processes tab).

So, I couldn't solve the problem yet and it looks like I will need to dig some more about this, but before doing so, I wanted to ask if anyone else from here has already had this problem, and what was the resolution or work-around he or she found. Any other advice would be very appreciated.

Thank you very much,
 
What I would try next would be to interoperate with Windows API's StartProcess() function, which, in a second version, starts a new process using a specified user identity context.

Should I try this "hard" method or is there any other simple way (which I haven't found yet) to do so?

Thank you again,

--
Sorin Dolha [MCAD, MCSD .NET]
I would like to start a process from C# code as another user. The C# code is executed as the ASPNET user because it relies in a Web Page class, and I would like that the process will run as another user to gain the required rights for execution (the external process needs to create a mailbox in Exchange, so it needs to be run as an Exchange Full Administrator-powered user).

For the moment, I have tries using the Start() static method of the Process class (from .NET Framework) to start the new process. However, this way, I cannot impersonate the new process as another user. Therefore I tried to impersonate the execution of the C# web page code by using <identity impersonate="true" userName="..."... /> in the Web.config configuration file of the web site. However, the new process still starts as ASPNET.

To test and dig more, I have tried to configure the <processModel> in my machine.config to impersonate the whole execution of the ASP .NET processes, but the new process (and also aspnet_wp.exe) are still running as the ASPNET (machine) user (that's what TaskManager shows in the Processes tab).

So, I couldn't solve the problem yet and it looks like I will need to dig some more about this, but before doing so, I wanted to ask if anyone else from here has already had this problem, and what was the resolution or work-around he or she found. Any other advice would be very appreciated.

Thank you very much,
 
Hi Sorin,

I guess you are stuck with interop.
See article Secondary Login from C# by Keith Brown
http://www.develop.com/technology/resourcedetail.aspx?id=aa44a1e0-cdb5-454b-9368-ca95edc5730b

--
Miha Markic [MVP C#] - RightHand .NET consulting & software development
miha at rthand com
www.rthand.com

What I would try next would be to interoperate with Windows API's
StartProcess() function, which, in a second version, starts a new process
using a specified user identity context.

Should I try this "hard" method or is there any other simple way (which I
haven't found yet) to do so?

Thank you again,

--
Sorin Dolha [MCAD, MCSD .NET]
I would like to start a process from C# code as another user. The C# code is
executed as the ASPNET user because it relies in a Web Page class, and I
would like that the process will run as another user to gain the required
rights for execution (the external process needs to create a mailbox in
Exchange, so it needs to be run as an Exchange Full Administrator-powered
user).

For the moment, I have tries using the Start() static method of the Process
class (from .NET Framework) to start the new process. However, this way, I
cannot impersonate the new process as another user. Therefore I tried to
impersonate the execution of the C# web page code by using <identity
impersonate="true" userName="..."... /> in the Web.config configuration file
of the web site. However, the new process still starts as ASPNET.

To test and dig more, I have tried to configure the <processModel> in my
machine.config to impersonate the whole execution of the ASP .NET processes,
but the new process (and also aspnet_wp.exe) are still running as the ASPNET
(machine) user (that's what TaskManager shows in the Processes tab).

So, I couldn't solve the problem yet and it looks like I will need to dig
some more about this, but before doing so, I wanted to ask if anyone else
from here has already had this problem, and what was the resolution or
work-around he or she found. Any other advice would be very appreciated.

Thank you very much,
 
Thank you very much, Miha.

--
Sorin Dolha [MCAD, MCSD .NET]
"Miha Markic [MVP C#]" <miha at rthand com> wrote in message Hi Sorin,

I guess you are stuck with interop.
See article Secondary Login from C# by Keith Brown
http://www.develop.com/technology/resourcedetail.aspx?id=aa44a1e0-cdb5-454b-9368-ca95edc5730b

--
Miha Markic [MVP C#] - RightHand .NET consulting & software development
miha at rthand com
www.rthand.com

What I would try next would be to interoperate with Windows API's
StartProcess() function, which, in a second version, starts a new process
using a specified user identity context.

Should I try this "hard" method or is there any other simple way (which I
haven't found yet) to do so?

Thank you again,

--
Sorin Dolha [MCAD, MCSD .NET]
I would like to start a process from C# code as another user. The C# code is
executed as the ASPNET user because it relies in a Web Page class, and I
would like that the process will run as another user to gain the required
rights for execution (the external process needs to create a mailbox in
Exchange, so it needs to be run as an Exchange Full Administrator-powered
user).

For the moment, I have tries using the Start() static method of the Process
class (from .NET Framework) to start the new process. However, this way, I
cannot impersonate the new process as another user. Therefore I tried to
impersonate the execution of the C# web page code by using <identity
impersonate="true" userName="..."... /> in the Web.config configuration file
of the web site. However, the new process still starts as ASPNET.

To test and dig more, I have tried to configure the <processModel> in my
machine.config to impersonate the whole execution of the ASP .NET processes,
but the new process (and also aspnet_wp.exe) are still running as the ASPNET
(machine) user (that's what TaskManager shows in the Processes tab).

So, I couldn't solve the problem yet and it looks like I will need to dig
some more about this, but before doing so, I wanted to ask if anyone else
from here has already had this problem, and what was the resolution or
work-around he or she found. Any other advice would be very appreciated.

Thank you very much,
 
This one's directly from msdn:(watch for wrap)

http://msdn.microsoft.com/library/d...cipalWindowsIdentityClassImpersonateTopic.asp

Krishnan

Thank you very much, Miha.

--
Sorin Dolha [MCAD, MCSD .NET]
"Miha Markic [MVP C#]" <miha at rthand com> wrote in message Hi Sorin,

I guess you are stuck with interop.
See article Secondary Login from C# by Keith Brown
http://www.develop.com/technology/resourcedetail.aspx?id=aa44a1e0-cdb5-454b-9368-ca95edc5730b

--
Miha Markic [MVP C#] - RightHand .NET consulting & software development
miha at rthand com
www.rthand.com

What I would try next would be to interoperate with Windows API's
StartProcess() function, which, in a second version, starts a new process
using a specified user identity context.

Should I try this "hard" method or is there any other simple way (which I
haven't found yet) to do so?

Thank you again,

--
Sorin Dolha [MCAD, MCSD .NET]
I would like to start a process from C# code as another user. The C# code is
executed as the ASPNET user because it relies in a Web Page class, and I
would like that the process will run as another user to gain the required
rights for execution (the external process needs to create a mailbox in
Exchange, so it needs to be run as an Exchange Full Administrator-powered
user).

For the moment, I have tries using the Start() static method of the Process
class (from .NET Framework) to start the new process. However, this way, I
cannot impersonate the new process as another user. Therefore I tried to
impersonate the execution of the C# web page code by using <identity
impersonate="true" userName="..."... /> in the Web.config configuration file
of the web site. However, the new process still starts as ASPNET.

To test and dig more, I have tried to configure the <processModel> in my
machine.config to impersonate the whole execution of the ASP .NET processes,
but the new process (and also aspnet_wp.exe) are still running as the ASPNET
(machine) user (that's what TaskManager shows in the Processes tab).

So, I couldn't solve the problem yet and it looks like I will need to dig
some more about this, but before doing so, I wanted to ask if anyone else
from here has already had this problem, and what was the resolution or
work-around he or she found. Any other advice would be very appreciated.

Thank you very much,
 
Krishnan, thank you very much, but I've already used the other sample.

The solution works great when the user who runs the sample code is a "standard" user, but when I try to start the external process from an ASP .NET web page's class (from ASP .NET's internal process) the external process starts (shows up in the Task Manager correctly, running under the correct established user), but it seems to be in a "suspended" state, as no code from the external process is actually executed, and it never ends. The sample code runs ok when I run it from a Windows-based application.

I guess that this new problem occurs because the ASP .NET process does not have an associated desktop, or something like this (I think that this setting is inherited in the new process); however, the external process does not create any window, so, on the other hand, this shouldn't be a problem...

If anyone knows what's the real cause of the problem and/or can help me out with any advice, I will appreciate it very much.

Thank you,

--
Sorin Dolha [MCAD, MCSD .NET]
This one's directly from msdn:(watch for wrap)

http://msdn.microsoft.com/library/d...cipalWindowsIdentityClassImpersonateTopic.asp

Krishnan

Thank you very much, Miha.

--
Sorin Dolha [MCAD, MCSD .NET]
"Miha Markic [MVP C#]" <miha at rthand com> wrote in message Hi Sorin,

I guess you are stuck with interop.
See article Secondary Login from C# by Keith Brown
http://www.develop.com/technology/resourcedetail.aspx?id=aa44a1e0-cdb5-454b-9368-ca95edc5730b

--
Miha Markic [MVP C#] - RightHand .NET consulting & software development
miha at rthand com
www.rthand.com

What I would try next would be to interoperate with Windows API's
StartProcess() function, which, in a second version, starts a new process
using a specified user identity context.

Should I try this "hard" method or is there any other simple way (which I
haven't found yet) to do so?

Thank you again,

--
Sorin Dolha [MCAD, MCSD .NET]
I would like to start a process from C# code as another user. The C# code is
executed as the ASPNET user because it relies in a Web Page class, and I
would like that the process will run as another user to gain the required
rights for execution (the external process needs to create a mailbox in
Exchange, so it needs to be run as an Exchange Full Administrator-powered
user).

For the moment, I have tries using the Start() static method of the Process
class (from .NET Framework) to start the new process. However, this way, I
cannot impersonate the new process as another user. Therefore I tried to
impersonate the execution of the C# web page code by using <identity
impersonate="true" userName="..."... /> in the Web.config configuration file
of the web site. However, the new process still starts as ASPNET.

To test and dig more, I have tried to configure the <processModel> in my
machine.config to impersonate the whole execution of the ASP .NET processes,
but the new process (and also aspnet_wp.exe) are still running as the ASPNET
(machine) user (that's what TaskManager shows in the Processes tab).

So, I couldn't solve the problem yet and it looks like I will need to dig
some more about this, but before doing so, I wanted to ask if anyone else
from here has already had this problem, and what was the resolution or
work-around he or she found. Any other advice would be very appreciated.

Thank you very much,
 
Krishnan,

I've looked into the MSDN sample code for Impersonation and I wanted to state that I have already tried code impersonating (I've already saw and tested this sample code), but this code only sets up a new user for currently executing code in the current process only (for example, if the code in the process tries to access a file, the user who is accessing the file is the impersonated user). However, if I try to start a new process using Process.Start() from inside the code, during active impersonation, the external process does not start as running on the impersonated user, but instead is run under the same account which originally started the sample code. Therefore, I think that this is not the correct solution for my problem.

To better visualize why this code doesn't solve my problem, I'll provide a step-by-step execution diagram below:
a.. User1 starts sample code process
b.. Sample code process is impersonated to User2
c.. Sample code process can access a file as it would be User2
d.. Sample code process uses Process.Start() to run a second process while it still is impersonated to User2: however, second process starts under User1!
--
Sorin Dolha [MCAD, MCSD .NET]
This one's directly from msdn:(watch for wrap)

http://msdn.microsoft.com/library/d...cipalWindowsIdentityClassImpersonateTopic.asp

Krishnan

Thank you very much, Miha.

--
Sorin Dolha [MCAD, MCSD .NET]
"Miha Markic [MVP C#]" <miha at rthand com> wrote in message Hi Sorin,

I guess you are stuck with interop.
See article Secondary Login from C# by Keith Brown
http://www.develop.com/technology/resourcedetail.aspx?id=aa44a1e0-cdb5-454b-9368-ca95edc5730b

--
Miha Markic [MVP C#] - RightHand .NET consulting & software development
miha at rthand com
www.rthand.com

What I would try next would be to interoperate with Windows API's
StartProcess() function, which, in a second version, starts a new process
using a specified user identity context.

Should I try this "hard" method or is there any other simple way (which I
haven't found yet) to do so?

Thank you again,

--
Sorin Dolha [MCAD, MCSD .NET]
I would like to start a process from C# code as another user. The C# code is
executed as the ASPNET user because it relies in a Web Page class, and I
would like that the process will run as another user to gain the required
rights for execution (the external process needs to create a mailbox in
Exchange, so it needs to be run as an Exchange Full Administrator-powered
user).

For the moment, I have tries using the Start() static method of the Process
class (from .NET Framework) to start the new process. However, this way, I
cannot impersonate the new process as another user. Therefore I tried to
impersonate the execution of the C# web page code by using <identity
impersonate="true" userName="..."... /> in the Web.config configuration file
of the web site. However, the new process still starts as ASPNET.

To test and dig more, I have tried to configure the <processModel> in my
machine.config to impersonate the whole execution of the ASP .NET processes,
but the new process (and also aspnet_wp.exe) are still running as the ASPNET
(machine) user (that's what TaskManager shows in the Processes tab).

So, I couldn't solve the problem yet and it looks like I will need to dig
some more about this, but before doing so, I wanted to ask if anyone else
from here has already had this problem, and what was the resolution or
work-around he or she found. Any other advice would be very appreciated.

Thank you very much,
 
Are you sure the other process doesn't create a window? Are you sure it doesn't need a window, like most if not all the ActiveX components or STA type COM servers?

Willy.

Krishnan, thank you very much, but I've already used the other sample.

The solution works great when the user who runs the sample code is a "standard" user, but when I try to start the external process from an ASP .NET web page's class (from ASP .NET's internal process) the external process starts (shows up in the Task Manager correctly, running under the correct established user), but it seems to be in a "suspended" state, as no code from the external process is actually executed, and it never ends. The sample code runs ok when I run it from a Windows-based application.

I guess that this new problem occurs because the ASP .NET process does not have an associated desktop, or something like this (I think that this setting is inherited in the new process); however, the external process does not create any window, so, on the other hand, this shouldn't be a problem...

If anyone knows what's the real cause of the problem and/or can help me out with any advice, I will appreciate it very much.

Thank you,
 
Krishnan,

I've looked into the MSDN sample code for Impersonation and I wanted to state that I have already tried code impersonating (I've already saw and tested this sample code), but this code only sets up a new user for currently executing code in the current process only (for example, if the code in the process tries to access a file, the user who is accessing the file is the impersonated user). However, if I try to start a new process using Process.Start() from inside the code, during active impersonation, the external process does not start as running on the impersonated user, but instead is run under the same account which originally started the sample code. Therefore, I think that this is not the correct solution for my problem.

To better visualize why this code doesn't solve my problem, I'll provide a step-by-step execution diagram below:
a.. User1 starts sample code process
b.. Sample code process is impersonated to User2
c.. Sample code process can access a file as it would be User2
d.. Sample code process uses Process.Start() to run a second process while it still is impersonated to User2: however, second process starts under User1!
This behavior is by design, the child process takes the calling process token, not the impersonation token of the calling thread, or in other words, the new process runs in the security context of the calling process.

Willy.
 
Never mind about the second problem, I have found that the second problem was relying in the way I passed the application executable and command line to the CreateProcess API function. My mistake was that I didn't re-include the application executable file name as the first argument in command line.

I though it was logical to set the application executable file name as the application parameter, and to only set the arguments list in the command line parameter for the API function, but this seems to be wrong, and the process didn't get the correct arguments, therefore shown a messagebox in an invisible deskop inherited from ASP .NET's process... Whew, that was tough!

I appologize for asking about the second problem here and for the time I may have consumed from your thoughts. It was clearly stated in MSDN (as a recommendation only, but hey, we should do it the way they recommend :-)):

If both lpApplicationName and lpCommandLine are non-NULL, *lpApplicationName specifies the module to execute, and *lpCommandLine specifies the command line. The new process can use GetCommandLine to retrieve the entire command line. C runtime processes can use the argc and argv arguments. Note that it is a common practice to repeat the module name as the first token in the command line.

But I din't read it throughtly in the first place, I guess... Sorry again. I hope that this can help other people too.

--
Sorin Dolha [MCAD, MCSD .NET]

Krishnan, thank you very much, but I've already used the other sample.

The solution works great when the user who runs the sample code is a "standard" user, but when I try to start the external process from an ASP .NET web page's class (from ASP .NET's internal process) the external process starts (shows up in the Task Manager correctly, running under the correct established user), but it seems to be in a "suspended" state, as no code from the external process is actually executed, and it never ends. The sample code runs ok when I run it from a Windows-based application.

I guess that this new problem occurs because the ASP .NET process does not have an associated desktop, or something like this (I think that this setting is inherited in the new process); however, the external process does not create any window, so, on the other hand, this shouldn't be a problem...

If anyone knows what's the real cause of the problem and/or can help me out with any advice, I will appreciate it very much.

Thank you,

--
Sorin Dolha [MCAD, MCSD .NET]
This one's directly from msdn:(watch for wrap)

http://msdn.microsoft.com/library/d...cipalWindowsIdentityClassImpersonateTopic.asp

Krishnan

Thank you very much, Miha.

--
Sorin Dolha [MCAD, MCSD .NET]
"Miha Markic [MVP C#]" <miha at rthand com> wrote in message Hi Sorin,

I guess you are stuck with interop.
See article Secondary Login from C# by Keith Brown
http://www.develop.com/technology/resourcedetail.aspx?id=aa44a1e0-cdb5-454b-9368-ca95edc5730b

--
Miha Markic [MVP C#] - RightHand .NET consulting & software development
miha at rthand com
www.rthand.com

What I would try next would be to interoperate with Windows API's
StartProcess() function, which, in a second version, starts a new process
using a specified user identity context.

Should I try this "hard" method or is there any other simple way (which I
haven't found yet) to do so?

Thank you again,

--
Sorin Dolha [MCAD, MCSD .NET]
I would like to start a process from C# code as another user. The C# code is
executed as the ASPNET user because it relies in a Web Page class, and I
would like that the process will run as another user to gain the required
rights for execution (the external process needs to create a mailbox in
Exchange, so it needs to be run as an Exchange Full Administrator-powered
user).

For the moment, I have tries using the Start() static method of the Process
class (from .NET Framework) to start the new process. However, this way, I
cannot impersonate the new process as another user. Therefore I tried to
impersonate the execution of the C# web page code by using <identity
impersonate="true" userName="..."... /> in the Web.config configuration file
of the web site. However, the new process still starts as ASPNET.

To test and dig more, I have tried to configure the <processModel> in my
machine.config to impersonate the whole execution of the ASP ..NET processes,
but the new process (and also aspnet_wp.exe) are still running as the ASPNET
(machine) user (that's what TaskManager shows in the Processes tab).

So, I couldn't solve the problem yet and it looks like I will need to dig
some more about this, but before doing so, I wanted to ask if anyone else
from here has already had this problem, and what was the resolution or
work-around he or she found. Any other advice would be very appreciated.

Thank you very much,
 
That's ok with me, I just wanted to explained to Krishnan why I couldn't use his or her solution.

--
Sorin Dolha [MCAD, MCSD .NET]

Krishnan,

I've looked into the MSDN sample code for Impersonation and I wanted to state that I have already tried code impersonating (I've already saw and tested this sample code), but this code only sets up a new user for currently executing code in the current process only (for example, if the code in the process tries to access a file, the user who is accessing the file is the impersonated user). However, if I try to start a new process using Process.Start() from inside the code, during active impersonation, the external process does not start as running on the impersonated user, but instead is run under the same account which originally started the sample code. Therefore, I think that this is not the correct solution for my problem.

To better visualize why this code doesn't solve my problem, I'll provide a step-by-step execution diagram below:
a.. User1 starts sample code process
b.. Sample code process is impersonated to User2
c.. Sample code process can access a file as it would be User2
d.. Sample code process uses Process.Start() to run a second process while it still is impersonated to User2: however, second process starts under User1!
This behavior is by design, the child process takes the calling process token, not the impersonation token of the calling thread, or in other words, the new process runs in the security context of the calling process.

Willy.
 
Back
Top