Impersonate User with RunApplication?

Class library usage, coding and language questions.
JSH_QA
Posts: 56
Joined: Thu Apr 05, 2012 9:03 am

Impersonate User with RunApplication?

Post by JSH_QA » Fri Aug 22, 2014 5:45 pm

When using the Ranorex API from C#, what is the recommended method of running an Application Under Test (AUT) using a specific user account?

Our Windows desktop application will be used by end-users who have different permissions, and we need to be able to test that our application operates correctly with various combinations of permissions. We need these tests to run both when fired off by a Software Development Engineers in Test (SDET) on their own machine (the SDETs all have local admin rights), and to run from our automated build scripts (which run under a service account), but with the application under test using specific test accounts that may have less permissions than the SDET or service account running them.

I was hoping that the RunApplication method in the Ranorex API would have an argument that would allow us to specify a user to impersonate, but that doesn’t appear to exist. What is the recommended way of doing this?

Many thanks,

John H.

krstcs
Ranorex Guru
Posts: 2683
Joined: Tue Feb 07, 2012 4:14 pm
Location: Austin, Texas, USA

Re: Impersonate User with RunApplication?

Post by krstcs » Fri Aug 22, 2014 7:21 pm

You could use the Ranorex Run Application method, but instead of running your application's command-line, you could put "runas" in front of it.

http://ss64.com/nt/runas.html

Basically allows you to specify the user account to run the specified program under.


You could also create virtual machines for each user configuration, and use RDP.exe (here: http://www.donkz.nl/). I use it to automatically start my VMs with specific user accounts. You could just leave those VMs running if you don't want to mess with shutdowns (again that's what I do). But you may not have the environment for this (if you don't I would ask your company about going that route, makes it much easier to manage a good VM environment).
Shortcuts usually aren't...

JSH_QA
Posts: 56
Joined: Thu Apr 05, 2012 9:03 am

Re: Impersonate User with RunApplication?

Post by JSH_QA » Thu Sep 25, 2014 3:09 pm

Thanks krstcs.

I tried the "runas" approach (calling it from RunApplication), but that then raises a problem around specifying the password to go with the user account.

After some investigation, I reverted to .Net functionality, as below:

ProcessStartInfo processStartInfo = new ProcessStartInfo(executablePathAndName);
// specify processStartInfo properties here
Process process = Process.Start(processStartInfo);

This provided a working solution that was also quite elegant.

Thanks,

John H.

krstcs
Ranorex Guru
Posts: 2683
Joined: Tue Feb 07, 2012 4:14 pm
Location: Austin, Texas, USA

Re: Impersonate User with RunApplication?

Post by krstcs » Thu Sep 25, 2014 3:31 pm

You still have to specify the username and password. There is no getting around that. One way or the other, the password will be plain-text in code or in your data.

I highly recommend that, for testing, you use user accounts that aren't real users and only have access to the specific things that they need for testing.
Shortcuts usually aren't...

JSH_QA
Posts: 56
Joined: Thu Apr 05, 2012 9:03 am

Re: Impersonate User with RunApplication?

Post by JSH_QA » Thu Sep 25, 2014 3:52 pm

Yes, the user name and password need to be specified. However, "runas" does not have a /password command-line argument, so it either prompts you, or the password has to be piped in. Doing this with the .Net approach allows the password to be specified in a cleaner way. If concerned about the security of the password, it can be retrieved in encrypted form from a configuration file, decrypted and converted to a SecureString, with any remnant from the decryption then overwritten.

Agree completely about using specific accounts for use in the test environment, rather than real accounts. For these, we set up a number of accounts with different permissions, so that we can test that they behave as expected in the test environment.

Thanks again,

John H.

krstcs
Ranorex Guru
Posts: 2683
Joined: Tue Feb 07, 2012 4:14 pm
Location: Austin, Texas, USA

Re: Impersonate User with RunApplication?

Post by krstcs » Thu Sep 25, 2014 5:08 pm

Ah, yeah, that does seem to be better, didn't realize that runas didn't take a password.

I do like the .NET solution as well, keeps it in-house.


If, however, you need to do it through the command-line, you could also use psexec (Microsoft SysInternals). The PSTools suite is very handy.

PowerShell also has a way to do it, and it is built on .NET as well so everything is recognizable in .NET. PowerShell for Executing script with different credentials. It also includes secure password storage examples.
Shortcuts usually aren't...

JSH_QA
Posts: 56
Joined: Thu Apr 05, 2012 9:03 am

Re: Impersonate User with RunApplication?

Post by JSH_QA » Wed Dec 10, 2014 2:16 pm

Unfortunately, it seems that the RxPaths that we use when running as ourselves, do not work when we run the application under test as a different user. From initial investigation, it seems that the test process that uses the Ranorex libraries has to be running as the same user as the Application Under Test. As a result, it appears that we have to script the impersonate user before running the test runner (which for us is MSTest), rather than having our MSTest test method starting the AUT using impersonate user. Does that sound correct?

Thanks again,

John H.

User avatar
Support Team
Site Admin
Site Admin
Posts: 11709
Joined: Fri Jul 07, 2006 4:30 pm
Location: Graz, Austria

Re: Impersonate User with RunApplication?

Post by Support Team » Thu Dec 11, 2014 4:18 pm

Hi JSH_QA,

That's correct, it is not recommended to run Ranorex and the application under test with the different security rights or different users.
In my opinion your workaround sounds good.

Regards,
Bernhard
.
Image