Process.Start() under asp.net?

Question

According to msdn :

ASP.NET Web page and server control code executes in the context of the ASP.NET worker process on the Web server. If you use th

Answer 1

I believe the MSDN entry refers to the fact that even if impersonation is enabled and you're under a specific user context, the new process will be spawned by the process - and impersonation occurs at thread level. That said, i do believe it would run under the 'UserA' context.

Here's the pertinent KB entry:

http://support.microsoft.com/kb/889251

Notice that the same entry describes how to use CreateProcessAsUser to allow for impersonation.

Answer 2

Impersonation won't come into play here, since under the hood, Process.Start is relying on one of two native Win32 calls:

If ProcessStartInfo.UserName is provided:

CreateProcessWithLogonW(startInfo.UserName, startInfo.Domain, ...)

CreateProcessWithLogonW

And if not:

CreateProcess(null, cmdLine, null, null, true, ...)

CreateProcess

The nulls passed into CreateProcess are what's probably biting you; from MSDN:

The lpSecurityDescriptor member of the structure specifies a security descriptor for the main thread. If lpThreadAttributes is NULL or lpSecurityDescriptor is NULL, the thread gets a default security descriptor. The ACLs in the default security descriptor for a thread come from the process token.

Note it says from process token, not calling thread - the impersonated identity doesn't get a chance to join the party since it's bound to the thread.

Answer 3

As I found out when trying to solve this problem, lots of little things are different. It may run under RoyiN, but you may find that USERPROFILE is set to C:\Windows\system32\config\systemprofile, and not your /Users/RoyiN folder.

Depending on what you're trying to do, that can cause some problems. In my case, starting a git process would hang forever. Not only were USERPROFILE and HOME wrong, I also found out that impersonated users do not play well with mapped network drives.