Packaged exe generates error when configured to impersonate or runas different user

This forum can be browsed by the general public. Posting is limited to current SAPIEN license holders with active maintenance and does not offer a response time guarantee.
Forum rules
DO NOT POST LICENSE NUMBERS, ACTIVATION KEYS OR ANY OTHER LICENSING INFORMATION IN THIS FORUM.
Only the original author and our tech personnel can reply to a topic that is created in this forum. If you find a topic that relates to an issue you are having, please create a new topic and reference the other in your post.

Any code longer than three lines should be added as code using the 'Select Code' dropdown menu or attached as a file.
User avatar
whiggs2
Posts: 38
Joined: Sat Sep 23, 2017 11:59 pm

Packaged exe generates error when configured to impersonate or runas different user

Post by whiggs2 »

To help you better we need some information from you.

*** Please fill in the fields below. If you leave fields empty or specify 'latest' rather than the actual version your answer will be delayed as we will be forced to ask you for this information. ***

Product, version and build:SAPIEN PowerShell Studio 2018 Version 5.5.148
32 or 64 bit version of product: 64-bit
Operating system: Windows 10 Enterprise
Version 1709
OS Build 16299.98
32 or 64 bit OS: 64-bit

Ok. I am having issues when attempting to run a package that has been configured to impersonate a different user (I have tried both impersonate and run as, but I want impersonate). Apparently, I am not the only one to have issues with this either, as I have read numerous posts in the forum about how this feature has failed to work, but of the posts I read, the solution either does not work for me, cannot be done, or had no resolution. For example, the below post explains how powershell studio, when used in a domain environment, needs to be using an account with domain administrator permissions in order for the feature to work successfully, and there was no resolution for this issue as well:
viewtopic.php?t=7380
Unfortunately, I don't have domain administrator permissions for my account, so that is not an acceptable solution. Tried moving the project folder to a directory outside the user profile folder (even tried copying to a freaking file share), tried deploying it, tried give the "limited" user account (on the test vm I spun up to just to test this non-functional feature) full permissions to the directory containing the executable, tried running it locally on the test vm, tried running it locally outside the user profile folder on the test vm, in fact, any possible combination of ways that you can imagine an executable can be run, I TRIED IT, and I am displeased to report that nothing worked. Of course, the second I change the configuration of the package to run as the current user, works beautifully, up until it needs the permissions of the account I had originally configured the package to impersonate of course. Depending on where the executable is launched from, it gives me one of two error messages:
Image
or
Image
As for the second image, I should go ahead and let you know that the package is configured so that the manifest prompts for elevation when launched already, and I have even right clicked it and selected "Run as administrator" from the context menu, doesn't change a thing. From the looks of the posts, this has been a problem since, from what I see, 2014, so do we have any solutions?

*** Please add details and screenshots as needed below. ***

DO NOT POST SUBSCRIPTIONS, KEYS OR ANY OTHER LICENSING INFORMATION IN THIS FORUM

User avatar
Alexander Riedel
Posts: 7467
Joined: Tue May 29, 2007 4:43 pm

Re: Packaged exe generates error when configured to impersonate or runas different user

Post by Alexander Riedel »

The error messages you see are what is reported by the underlying operating system.
The first error generally indicates an attempt to use RunAs from a folder that is not accessible to the supplied user and the second one is pretty clear. What you try to do requires elevation. What I don’t know is what in that particular case you specified as options.
I understand that you searched this forum fo solutions and could not find any that fit your situation. Generally when you see no resolution in a post it is because the user stopped responding after they figured out their problem or the conversation shifted to email when system and user details were discussed that should not be in this forum.

The first step would be to tell us what you are trying to accomplish. You freely mix impersonate, runas and elevation from your description and that basically never works together.
I would suggest to read this article first: https://www.sapien.com/blog/2017/01/19/ ... nistrator/

It seems to work for the majority of users, so maybe it helps you.
If you need any further help, please provide a more detailed description of what you need to accomplish.
Alexander Riedel
SAPIEN Technologies, Inc.

User avatar
whiggs2
Posts: 38
Joined: Sat Sep 23, 2017 11:59 pm

Re: Packaged exe generates error when configured to impersonate or runas different user

Post by whiggs2 »

Thank you for the reply. Followed the directions that were in the post. I created the "starter" script, compiled it into a package with only the impersonate settings configured, embedded the actual script with only the elevate manifest in the starter script using base64 encoding, and had the starter script attempt to run the script, and now the starter script is returning the "directory is invalid" error. There seems to have been a misunderstanding, based on the contents of the post you linked in your previous post, so allow me to clarify. The script I am writing executes under the assumption that the users who run it are already local admins are their machines. The impersonation I am trying to configure is not to bypass the prompt for administrator credentials to allow for elevation on the local machine. The impersonation settings I am attempting to configure are for the purpose of allowing the users who run the script to access network resources which their ad accounts do not have permissions to access. In my case, what I am trying to do is configure the package to impersonate a user who has the permissions necessary to query the office 365 global admin credentials from a product we use in our environment called "Thycotic Secret server", which is essentially a web based application that stores credentials and only allows users to view credentials to which they have access. This being the case, I would think that including both the elevation manifest and the impersonate configurations in the packaged executable would be ok. Any other thoughts? The aspect that confuses me is that the script immediately fails. Like I stated above, I had base64 encoded the script I actually wanted to run with the elevation manifest into the starter script and had the starter script write it to the disk before executing it, but when the starter script fails, the original script has not even been written to disk. I think the way I am putting the credentials in might not be valid, so in a domain environment, you would specify the credentials like below, right:
username: domain\USername
Password: Password

User avatar
Alexander Riedel
Posts: 7467
Joined: Tue May 29, 2007 4:43 pm

Re: Packaged exe generates error when configured to impersonate or runas different user

Post by Alexander Riedel »

What exact folder is your starter script in? The invalid folder message generally only occurs if the executable is no longer accessible after impersonation OR if the impersonated user has no access rights on the local machine. The .NET framework has some idiosyncrasies in terms of creating appdata folders that cannot be turned off.
I cannot know exactly what happpens on your machine and where precisely that message come from, so its a bit like poking in the dark.
Alexander Riedel
SAPIEN Technologies, Inc.

User avatar
whiggs2
Posts: 38
Joined: Sat Sep 23, 2017 11:59 pm

Re: Packaged exe generates error when configured to impersonate or runas different user

Post by whiggs2 »

So what I do is I compile it on my machine, then I copy it to my test environment, which is also domain joined but running an account which has local admin rights, but not the rights to access the network resources I mentioned earlier. The script is executed from the test user's desktop. So you don't think the directory error might be resulting from invalid user credentials? I would think it would make sense, since the script is trying to run under a domain/user that doesn't exist, which is why I wanted to verify the correct way to input credentials into powershell studio.

User avatar
Alexander Riedel
Posts: 7467
Joined: Tue May 29, 2007 4:43 pm

Re: Packaged exe generates error when configured to impersonate or runas different user

Post by Alexander Riedel »

I am sorry, I am not sure I understand that correctly.
Can you do a manual RunAs of a simple executable using the credentials you describe?
Alexander Riedel
SAPIEN Technologies, Inc.

User avatar
whiggs2
Posts: 38
Joined: Sat Sep 23, 2017 11:59 pm

Re: Packaged exe generates error when configured to impersonate or runas different user

Post by whiggs2 »

By manual run as, are you referring to command line runas?

User avatar
Alexander Riedel
Posts: 7467
Joined: Tue May 29, 2007 4:43 pm

Re: Packaged exe generates error when configured to impersonate or runas different user

Post by Alexander Riedel »

Yes, that's what I was referring to.
Alexander Riedel
SAPIEN Technologies, Inc.