Hosted Powershell from C#, permissions questions, impersonated as domain user


I know this is a bit basic, but I'll be eternally grateful if someone could set me straight on this.

  • I have a bunch of Windows 2012 R2 servers running Hyper-V.
  • An XML-RPC web service runs on these servers. There is some hosted Powershell behind this. It works perfectly.
  • The hosted Powershell code runs via impersonation. Again, works great.
  • Even though these machines have always been in a domain, XML-RPC authentication has worked like this:

I have used a period (".") for domain. I have used the username "Administrator". I have used a distinct password per 'local' administrator account.

I have recently added clustering functionality to my application; this is just in the form of some wrappers for Microsoft's Powershell cmdlets, plus my own stuff. If I read the docs correctly, clustering can only be administered with domain credentials. I want my web service to run under a single set of credentials (to simplify the details the calling application needs to store).

I assumed I would wiggle the authentication model like this:

  • Have a domain user for each Hyper-V host.
  • Ensure that this user was a member of the local admin and hyper-v administrator groups.
  • Add these users to a 'clustered hyper-v hosts' group, and give this group "clustering permissions" through the clustering administration tools.

My problems:

  • When running the tweaked model my code has exploded and no longer works: lots of authentication errors; I can sit and see things hitting the registry and being denied.
  • If I pick a host at random, log on to it with this new domain user (which, to be clear, is a member of the local admin group) and run my code without the xml-rpc wrapper, I see lots of authentication errors. It is as if this user is not running with administrative credentials, even though it has these permissions.
  • These users also seem to have restricted clustering permissions, even though they should have full access.
  • If I run the 'test-cluster' command, it will tell me I do not have permissions on the host I am running it on.

I am willing to admit I have a broken directory, or genuine access problems here, but perhaps I have an inherent misunderstanding of how this is supposed to work. I am a Linux engineer and programmer; I know a bit of Windows. I am a little confused as to how UAC is working in this context, in a domain environment, when I am not logged on as the true administrator account... If I right click a Powershell window and 'run as' administrator, my code all appears to work, even the clustering stuff (which I am led to believe, through docs, should not run as a local admin).

Am I hitting some kind of elevation issue here? If a domain user has 'effective permissions' (hopefully that term is not confusing things) to do some stuff, does it still have to be elevated in some way?

Thanks very much.



0
On

I faced a similar issue with running powershell from an impersonated C# application. I used PowerShell Community Extensions https://pscx.codeplex.com/ to list active privileges inside a PowerShell script.

Add this snippet to your PS script:

Import-Module Pscx
Get-Privilege   # lists every privilege in the current token with its state (Enabled/Disabled)

Let it run with working and non-working credentials, and compare those lists of privileges. If you find some privileges disabled (but not missing), try to enable them in this way:

Import-Module Pscx
$setPriv = New-Object Pscx.Interop.TokenPrivilegeCollection   # empty collection of privilege changes to apply
$setPriv.Enable('SeTcbPrivilege')     # "Act as part of the operating system"
$setPriv.Enable('SeDebugPrivilege')   # "Debug programs"
Set-Privilege -Privileges $setPriv    # applies the changes to the current process token; only works for privileges the token already holds
0
On
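Both the UAC puzzle in the question and the privilege comparison suggested in the answer just above come down to inspecting the token the impersonated PowerShell host is actually running under. The script below is an added example, not code from the question, from either answer or from Pscx; it uses only whoami.exe and .NET, and assumes Windows Server 2012 R2 with default UAC settings. Run it once in the impersonated context (or as the domain user in a plain PowerShell window) and once in an elevated "Run as administrator" window, then compare the two reports. The function names are the example's own.

```powershell
# Added example: diagnose a UAC-filtered ("split") administrator token.
# Not part of the original question or answers; uses only built-in tooling.

function Get-TokenReport {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # IsInRole(Administrator) is $true only when the Administrators SID is enabled
    # in the token. On a UAC-filtered token the SID is present but marked
    # "used for deny only", so this returns $false even for a local admin.
    $adminRoleEnabled = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami exposes group attributes and the privilege state as CSV.
    $groups = whoami.exe /groups /fo csv | ConvertFrom-Csv
    $privs  = whoami.exe /priv /fo csv | ConvertFrom-Csv

    $adminsRow = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators
    $labelRow  = $groups | Where-Object { $_.Type -eq 'Label' }         # integrity level row

    [pscustomobject]@{
        User                = $identity.Name
        AdministratorsGroup = $(if ($adminsRow) { $adminsRow.Attributes } else { '(not in token)' })
        AdminRoleEnabled    = $adminRoleEnabled
        IntegrityLevel      = $(if ($labelRow) { $labelRow.'Group Name' } else { '(unknown)' })
        PrivilegesEnabled   = @($privs | Where-Object { $_.State -eq 'Enabled' }).Count
        PrivilegesDisabled  = @($privs | Where-Object { $_.State -eq 'Disabled' }).Count
        # A filtered token does not merely disable the administrative privileges,
        # it strips them, so SeDebugPrivilege is simply absent from the list.
        HasSeDebugPrivilege = [bool]($privs | Where-Object { $_.'Privilege Name' -eq 'SeDebugPrivilege' })
        PrivilegeNames      = ($privs | ForEach-Object { $_.'Privilege Name' }) -join ', '
    }
}

# $true when the account is a local administrator but UAC has filtered the token.
function Test-TokenFiltered {
    $report = Get-TokenReport
    return ($report.AdministratorsGroup -like '*deny only*') -and (-not $report.AdminRoleEnabled)
}

Get-TokenReport | Format-List
if (Test-TokenFiltered) {
    Write-Warning 'Running under a UAC-filtered token: the account is a local admin, but this process is not elevated.'
}
```

On a filtered token the report shows the Administrators group as "Group used for deny only", a Medium integrity label, AdminRoleEnabled False and only a handful of privileges, with SeDebugPrivilege and the other administrative ones missing rather than disabled; the elevated window shows the group enabled, a High integrity label and the full set. That difference also explains the earlier setup: the built-in Administrator account is exempt from Admin Approval Mode by default, so "." plus Administrator got a full token, while a domain user placed in the local Administrators group gets the filtered one. Pscx's Set-Privilege can only switch privileges the token already holds from Disabled to Enabled; it cannot restore privileges that UAC filtering removed, which is why the answer above restricts its advice to privileges that are "disabled (but not missing)".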

Change UAC to the lowest level (Never Notify), reboot and try again.