I have a specific scenario that's troubling me and was hoping for some insight from the community.
I'm trying to run an "add HTTPS binding and link to certificate" PowerShell script via a web application that is running under its own application pool identity.
The PowerShell script requires elevated privileges, so it fails to run successfully: it only gets to the bindings part but not the linking of the SSL certificate.
I cannot call a saved script file from my code because the bindings are dynamically generated on the fly and require the web application to replace the token that holds the binding.
How can I successfully run the script below if it's run via the web application under its application pool identity user? I've tried wrapping my script in an elevation tag, but that fires a new, separate elevated PowerShell window, which doesn't work for me as this is all happening automatically without a user.
New-WebBinding -name "example.domain" -IPAddress "XXX.XXX.XXX.XXX" -Protocol https -HostHeader [DynamicallyLoadedViaWebApplication] -Port 443 -SslFlags 1
$siteName = 'example.domain'
$Cert = (get-item cert:"\LocalMachine\WebHosting\THUMBPRINTHERE")
$binding = Get-WebBinding -Name $siteName -Protocol "https"
$binding.AddSslCertificate($Cert.GetCertHashString(), "WebHosting")
I've tried shutting UAC off via the registry, but that didn't help. The script above must be run via the web application with high enough privileges to complete successfully.
UPDATE:
Being that the first script to fire is done so via the application pool identity and not an administrator account, is this method viable? I can eventually try switching the application pool user to an administrator, but I'd like to avoid that if possible. Or any other ideas on how to do the binding via the application pool user?
Save this somewhere the user account has access to. For this example I'll call it sslscript.ps1 and save it to c:\temp.
# The outer @'...'@ here-string writes the text verbatim; inside the saved file the inner
# @"..."@ here-string is expandable, so only $data is meant to expand there. The other
# variables are backtick-escaped so they survive into the elevated PowerShell process
# instead of expanding to empty strings in sslscript.ps1 itself.
@'
Param($data)
Start-Process powershell -ArgumentList @"
Import-Module WebAdministration
New-WebBinding -Name "example.domain" -IPAddress "XXX.XXX.XXX.XXX" -Protocol https -HostHeader "$data" -Port 443 -SslFlags 1
`$siteName = 'example.domain'
`$Cert = (Get-Item cert:"\LocalMachine\WebHosting\THUMBPRINTHERE")
`$binding = Get-WebBinding -Name `$siteName -Protocol "https"
`$binding.AddSslCertificate(`$Cert.GetCertHashString(), "WebHosting")
"@ -Verb runas
'@ | Set-Content c:\temp\sslscript.ps1 -Encoding UTF8
Call it from your application like this:
c:\temp\sslscript.ps1 [DynamicallyLoadedViaWebApplication]
Here's a small test you can run as a proof of concept. This will invoke UAC, so that may be the only issue I can foresee. If this turns out to be an issue, then perhaps you can save the dynamically created info to a file and then run a scheduled task as admin and have it grab the info.
@'
Param($data)
Start-Process powershell -ArgumentList @"
write-host Argument passed in: $data -foregroundcolor cyan
`$isadmin = [bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match 'S-1-5-32-544')
if(`$isadmin)
{
write-host script is 'running as admin' -foregroundcolor green
}
else
{
write-host script is not 'running as admin' -foregroundcolor red
}
pause
"@ -Verb runas
'@ | Set-Content c:\temp\testscript.ps1 -Encoding UTF8
C:\temp\testscript.ps1 "passing in some data"
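The scheduled-task alternative mentioned in the answer, as an added example that is not the answerer's code: a script that an administrator-level scheduled task runs on a timer, reading host headers the web application drops into a queue folder, validating them before touching IIS (the data comes from a less-privileged principal), and then creating and certificate-linking the binding without any UAC prompt. The drop folder path, site name, IP address and thumbprint are placeholders/assumptions, and the validation regex assumes host headers are public FQDNs.

```powershell
# Added example: privileged queue processor for HTTPS bindings (not the answerer's code).
Import-Module WebAdministration

$DropDir    = 'C:\ProgramData\SslBindingQueue'   # assumption: app pool identity has write-only access
$SiteName   = 'example.domain'                   # site name from the question
$IpAddress  = '*'                                # assumption; use the real IP if bindings need one
$Thumbprint = 'THUMBPRINTHERE'                   # placeholder from the question

# Only syntactically valid DNS names are accepted: the queued text was written by the
# low-privilege app pool, so it must not reach New-WebBinding unchecked.
$HostRegex = '^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'

function Test-HostHeader {
    param([string]$HostHeader)
    return ($HostHeader -match $HostRegex)      # -match is case-insensitive by default
}

function Add-QueuedBinding {
    param([string]$HostHeader)
    if (-not (Test-HostHeader $HostHeader)) {
        Write-Warning "Rejected host header: '$HostHeader'"
        return $false
    }
    # bindingInformation is "ip:port:hostheader"; skip creation if it already exists.
    $existing = Get-WebBinding -Name $SiteName -Protocol https |
        Where-Object { $_.bindingInformation -eq "${IpAddress}:443:$HostHeader" }
    if (-not $existing) {
        New-WebBinding -Name $SiteName -IPAddress $IpAddress -Port 443 `
            -Protocol https -HostHeader $HostHeader -SslFlags 1
    }
    $cert    = Get-Item "cert:\LocalMachine\WebHosting\$Thumbprint"
    $binding = Get-WebBinding -Name $SiteName -Protocol https -HostHeader $HostHeader
    $binding.AddSslCertificate($cert.GetCertHashString(), 'WebHosting')
    return $true
}

# Process every queued request once per run; rejected files are kept for review.
$RejectDir = Join-Path $DropDir 'rejected'
New-Item -ItemType Directory -Path $RejectDir -Force | Out-Null
Get-ChildItem -Path $DropDir -Filter '*.txt' -File | ForEach-Object {
    $hostHeader = (Get-Content $_.FullName -TotalCount 1).Trim()
    if (Add-QueuedBinding $hostHeader) {
        Remove-Item $_.FullName
    } else {
        Move-Item $_.FullName (Join-Path $RejectDir $_.Name)
    }
}
```

Register the script with a scheduled task that runs as an administrator (e.g. Register-ScheduledTask with -RunLevel Highest) on a short interval, and grant the application pool identity write-only rights on the drop folder so it can queue requests without holding any IIS or certificate-store privileges itself.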