I've written an ASP.NET 2.0 web service which is consumed by a web application which goes out and gets configuration data back from newly built win2k3 servers in a large enterprise. I am using kerberos delegation and impersonation to pass through the user's domain admin rights to interrogate the server which has just been built. The web pool identity (IIS 6.0) runs under a low privilege service account. I have all the delegation part working ok.

The problem I am having is that I want to programmatically kick off a process which executes a cmd line executable and redirects the output, all under the context of the user who's being impersonated. I understand that the process will be external to the impersonated thread, so will end up running under the worker process identity, which is why I'm getting an "access is denied" message.

I've been reading about the CreateProcessAsUser and CreateProcessWithLogonW API functions, but all I've seen is examples where people specifically state the username and password in their code. This is not something I can do as the environment is very secure, so what I need to do is seamlessly get the identity of the impersonated user, and somehow feed that into a function which will create the process under the correct domain admin's identity and feed back out the StdOutput.

Is this something that can be achieved, and if so, how?

A: 

CreateProcessAsUser takes in a Token. Not a user name and password. No doubt the samples used LogonUser, with a username and password to get the token.

You however don't need that. If you're using impersonation then you've got a WindowsIdentity. Just use the Token property on the WindowsIdentity.

Conrad Frix