Run PowerShell script from ASP.NET

Question

I have been trying out running a PowerShell script from asp.net with no success for a few days already.

The C# is:

using (var process = new Process())
{
  ProcessStartInfo startInfo = new ProcessStartInfo();

  startInfo.FileName = @"powershell.exe";
  startInfo.Arguments = "arguments that call the script here";
  startInfo.RedirectStandardOutput = false;
  startInfo.RedirectStandardError = false;
  startInfo.UseShellExecute = true;
  startInfo.CreateNoWindow = true;

  process.StartInfo = startInfo;
  process.Start();
}

The PowerShell script it calls contains the ff:

robocopy "\\network-server\location" "C:\localfolder" "testmovefile.txt"

Obviously the problem here would be the proper credentials. But I have tried doing all sorts of impersonation stuff, whether from C# or in the script level. I tried doing this to the PowerShell script:

 $username = "domain\user"
  $password = ConvertTo-SecureString –String "password" –AsPlainText -Force
  $pp = new-object -typename System.Management.Automation.PSCredential -argumentlist $username,$password
  start-process powershell -argument "C:\localfolder\CopyFile.ps1" -Credential $pp

It works when I run the script in the PowerShell console locally, even when using an account that has no permissions to the network, however when called from the web app.. nothing happens.

The App Pool Identity is just set to the default App Pool Identity though.. I found out that if I change the identity to a custom account with the proper rights.. it works.

I am still trying to search for a different solution.. I want a scenario that you can just change anything in the script and it will still still run. Any is OK as long as it does not change the app pool identity.

I tried these as well:

http://huddledmasses.org/using-alternate-credentials-with-the-filesystem-in-powershell/
using runspace in c# instead of process and using an impersonator How do you impersonate an Active Directory user in Powershell?

But it still doesn't work. I keep on getting access denied. Question is, is it possible to make it work by impersonating someone inside PowerShell?

"nothing happens.": try using a debugger or logging (or even Process Monitor) to determine how far it gets. Maybe the `process.Start` isn't able to execute anything? — Richard, Jul 13 '12 at 09:01
It works if I run it locally. It also works if I set the App Pool Identity to a custom account. — user1167132, Jul 16 '12 at 01:53
What is the default (original: that was failing) AppPool's identity? — Richard, Jul 16 '12 at 06:43

score 0 · Answer 1 · answered Jul 17 '12 at 08:04

App pool identities have very limited access to the local file system (and none outside the local computer). You will need to modify ACLs on the file system to give the identities the access they need.

In Server 2008 (or Vista) this has to be done with the command line (eg. icacls.exe) as the permissions GUI does not support app pool identity; with later versions this can be done with the GUI.

Process Monitor is a good tool for working out where access is being blocked.

However if you need to access network resources this will not work. App pool identities are purely local, they have no meaning on the network. You need to use a domain account with the applicable access (or multiple local accounts with the same name and password).

Run PowerShell script from ASP.NET

1 Answers1

Linked