We're trying to run a set of administrative tasks on the server via a web administration console. The console runs with impersonation as the currently logged-in user, and only administrators on the local machine are allowed to log in. Right now it works for most cases but we're having trouble when running under UAC.
The first issue is a blocker: it seems like admins do not get the "BUILTIN\Administrators" role even if they are an admin on the local box. This can prevent them from even getting into the admin console, since we're using the web.config <allow roles="BUILTIN\Administrators">
notation to specify security. I suspect that the only solutions here are to either run the ASP.NET app as SYSTEM, or to allow more users and do a more granular permissions check in code. Any other ideas? Is there any way to inject an elevation request into the built-in ASP.NET permissions check?
The other problem is that we want to run some commands that require administrator access. The user visiting the site is an administrator, and is correctly impersonated, but when we spawn a process it fails due to lack of administrator privileges. The clear answer is to elevate for the duration of that command. There are solutions that will let me temporarily elevate by impersonating a specific username and password, but I'd prefer not to have to ask the already-validated user for his password. Are there any tricks for elevating the current user?
(I can understand why the ASP.NET team might try to make this hard, so that web pages can't take invisible advantage of an administrator visiting the web site... but surely there must be some way to pro grammatically declare that your code needs full Administrator rights, appropriately warning the IIS admin of its intentions?)
There are a series of answers for Windows Forms apps, such as: http://stackoverflow.com/questions/573086/how-to-elevate-privileges-only-when-required and http://stackoverflow.com/questions/401284/file-exists-returning-false-from-a-network-share but I'm hoping to find one that will work with ASP.NET...
Thanks Steve