在 IIS 网络服务器上使用 powershell 时访问被拒绝

Question

I have a password reset website for my 0ffice 365 users. It runs powershell commands in the background to reset user passwords. For some reason when I am using VS and I run the browser with the page it works fine. However when I run it from the live site I get this error

Processing data from remote server failed with the following error message: Access is denied. For more information, see the about_Remote_Troubleshooting Help topic. 

The page is aspx.net with C# code behind.

I have tried using the impersonator class but that does not work either.

Here is some of my code.

 using (new Impersonator("user", "domain", "pass"))
    {

        PSCredential creds = new PSCredential("office365email", "password");

        WSManConnectionInfo connectionInfo = new WSManConnectionInfo(
            new Uri("https://server.outlook.com/PowerShell-LiveID?PSVersion=2.0"),
            "http://schemas.microsoft.com/powershell/Microsoft.Exchange", creds);
        connectionInfo.AuthenticationMechanism = AuthenticationMechanism.Basic;



        Runspace runspace = RunspaceFactory.CreateRunspace(connectionInfo);

        runspace.ApartmentState = System.Threading.ApartmentState.STA;
        runspace.ThreadOptions = PSThreadOptions.UseCurrentThread;

        try
        {


            runspace.Open();


            pipeline = runspace.CreatePipeline();

            Command forwardcommand = new Command("Set-Mailbox");
            forwardcommand.Parameters.Add("Identity", user);
            forwardcommand.Parameters.Add("Password", pass);




            pipeline.Commands.Add(forwardcommand);

            try
            {
                pipeline.Invoke();



                runspace.Close();
                pipeline.Stop();
                return "Password Successfully Changed";



            }
            catch (Exception er)
            {
                runspace.Close();
                pipeline.Stop();

                return er.Message;


            }
        }
        catch (PSRemotingTransportException eer)
        {

            runspace.Close();


            return eer.Message;// "Server busy please try again later";
        }
    }

Any ideas why I can't do it from the actual website but I can on my local host?

<authentication mode="Windows"/>
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
        <providers>
            <clear/>
            <add connectionStringName="ApplicationServices" applicationName="/" name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider"/>
            <add applicationName="/" name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider"/>
        </providers>
    </roleManager>
    <identity impersonate="true"/>

Answer 1

In IIS I changed the ApplicationPoolIdentity to LocalService. This resolved the Access Denied error when running a published Visual Studio web site when it worked fine before publishing.

Answer 2

This could be a "double-hop" identity / security problem.

When running on localhost, the Windows identity is known on the same machine.
When running on the web server, there is at least one more machine involved.

Relevant questions include: What identity is IIS using to run the web page? Does that ID have permissions to use networking? Does that ID have permissions to execute password-reset on the remote server?