IIS / Local System - Run as not working

Product: PowerShell Universal
Version: 1.4.6

We’re running PowerShell Universal in IIS using the Local System account for the App Pool Identity. Seems to be running well. We’ve added some PS Credentials as Secret variables for run as, but the scripts appear to always run as Local System.

Is there anything missing from the documentation that might be needed to allow run as to work as intended? Not sure where to take it from here.

Thanks!

Hi,

Receiving only the system account in output as well under 2.4.0, when trying to run a script

$env:USERNAME

with different credentials in Run As. Is there some issue or am I missing something? I’ve assigned ‘Log on as a batch job’ permissions.

Kind regards,
zweailltienrger

Can you verify that you aren’t using the integrated environment? It doesn’t support elevating to other credentials.

I configured the IIS application pool to LocalSystem. Is this what you’re talking about with the integrated environment?

I’m referring to the environment configuration in PSU itself. When you run scripts, you should have the option to select the environment. Try selecting Windows PowerShell instead of leaving it at default.

In the integrated and default environment the script fails instantly with the error:

Error executing job: The integrated environment does not support Run As credentials.

In the environment Windows PowerShell 5.1 I have the described problem.

Ah, ok. I’m glad we added that error at least. It used to not do that.

As for the original problem…let me run through and validate this again to make sure nothing is busted on my end and I’ll provide some additional debugging steps.

@zweailltienrger - We found that $env:USERNAME was giving us a false positive in determining whether runas was working. Try running a test script to return the output of the following command when running as a separate account:

[System.Security.Principal.WindowsIdentity]::GetCurrent().Name

We found that even though $env:USERNAME was returning the system account, the actual principal that was running the script (returned by the command above) was the designated runas user.

We did find that the runas accounts had to be added as users on the server where PSU was running in IIS for the runas functionality to work. We also had to go back and make sure any modules were installed for All Users - runas accounts did not appear to be able to install modules correctly (but we didn’t put a ton of time in on that issue).
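The checks described in the post above, collected into one diagnostic script. This is an added example, not code from the thread or from PowerShell Universal; the function name `Get-RunAsIdentityReport`, its `-ExpectedAccount` parameter and the account `CONTOSO\svc-psu` are made up for illustration. It reports the process environment values next to the Windows token, because the token is what access checks use.

```powershell
# Added diagnostic (not PSU code). Run it as a script with a Run As credential
# in a Windows PowerShell 5.1 environment and read the returned object.
function Get-RunAsIdentityReport {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: the account the job is expected to run as.
        [string]$ExpectedAccount
    )

    # The security token of the current process or thread.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # All-users module location for Windows PowerShell 5.1.
    $allUsersModules = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules'
    $modulePaths = $env:PSModulePath -split ';' |
        Where-Object { $_ } |
        ForEach-Object { $_.TrimEnd('\') }

    [pscustomobject]@{
        # Values from the token: authoritative for "who is this script running as".
        TokenAccount       = $identity.Name
        TokenSid           = $identity.User.Value
        TokenIsSystem      = $identity.IsSystem
        ImpersonationLevel = $identity.ImpersonationLevel
        InLocalUsersGroup  = $principal.IsInRole(
            [System.Security.Principal.WindowsBuiltInRole]::User)

        # Values from the environment block: plain strings set when the process
        # was created, not derived from the token, so they can disagree with it.
        EnvUserName        = $env:USERNAME
        EnvUserDomain      = $env:USERDOMAIN
        EnvUserProfile     = $env:USERPROFILE

        # Whether the all-users module folder is searched by this process.
        AllUsersModulesOnPath = ($modulePaths -contains $allUsersModules)

        # $null when no expected account was supplied.
        MatchesExpected    = if ($ExpectedAccount) {
            $identity.Name -ieq $ExpectedAccount
        } else { $null }
    }
}

# Constructed sample account name; replace with the Run As account under test.
Get-RunAsIdentityReport -ExpectedAccount 'CONTOSO\svc-psu' | Format-List
```

If `TokenAccount` shows the Run As account while `EnvUserName` still shows the system account, the job is running under the intended token and only the environment variable is misleading.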

Thank you very much, I can confirm with

[System.Security.Principal.WindowsIdentity]::GetCurrent().Name

I get the name of the runas account. User is a member of local users on IIS with PSU instance and modules are installed for all users so that seems fine for me. I think I found an issue when authenticating via Kerberos, but I’ll try with another application and will update afterwards.