Application Manager Elevation adds an extra SID into process tokens and can cause script exceptions

Version 1

    Verified Product Versions

    AppSense Application Manager 8.9
    AppSense Application Manager 8.8
    AppSense Application Manager 8.7
    AppSense Application Manager 8.6
    AppSense Application Manager 8.5
    AppSense Application Manager 8.4

    Introduction

    An application being elevated with AM can generate System.Security.Principal.IdentityNotMappedException exceptions ("Some or all identity references could not be translated") which, if unhandled, will cause the application to crash.

    The following PowerShell command generates the exception when executed in a URM-elevated PowerShell process, but not for a standard user or in a UAC-elevated PowerShell process:

    # Resolve every group SID in the current process token to an account name;
    # the AM elevation SID cannot be translated and throws IdentityNotMappedException.
    foreach ($ref in [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups)
    {
        (New-Object System.Security.Principal.SecurityIdentifier $ref.Value).Translate([System.Security.Principal.NTAccount]).ToString()
    }

    Detail

    Application Manager adds a SID to the token of the process as a tag to indicate it has been elevated by AM.

    This SID does not appear in Process Explorer for un-elevated or UAC-elevated processes, and it cannot be resolved to a local, built-in or domain group name.

    Any script enumerating SIDs in this scenario needs a catch block that handles the exception and moves on to the next SID when one cannot be resolved.

    EXAMPLE: If the machine is booted while offline, any domain-based SIDs will also be unresolvable.
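    The following script is an added example, not part of the original article or of Application Manager itself. It shows the catch-and-continue pattern described above: each group SID in the current token is translated, and a SID that cannot be mapped (the AM elevation tag, or a domain SID on an offline machine) is reported as unresolved instead of terminating the script. The function name Get-TokenGroupName and the output property names are this example's own choices.

```powershell
# Added example (not from the original article): enumerate the group SIDs in the
# current process token and resolve each to an account name without letting
# IdentityNotMappedException escape for SIDs that have no resolvable name.
function Get-TokenGroupName {
    [CmdletBinding()]
    param()

    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    foreach ($ref in $identity.Groups) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier $ref.Value

        try {
            # Translate throws IdentityNotMappedException when no account maps to the SID.
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $resolved = $true
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # Unresolvable SID: record it and move on to the next group.
            $name = $null
            $resolved = $false
        }

        # Emit one object per SID so callers can filter on Resolved.
        [pscustomobject]@{
            Sid      = $sid.Value
            Name     = $name
            Resolved = $resolved
        }
    }
}

# Usage: list every group in the token, then only the SIDs that did not resolve.
# In a URM-elevated process the second list is expected to include the AM tag SID.
Get-TokenGroupName | Format-Table -AutoSize
Get-TokenGroupName | Where-Object { -not $_.Resolved }
```

    Catching only IdentityNotMappedException, rather than every exception, keeps genuine faults (for example a malformed SID string) visible while tolerating the documented unresolvable case.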

    To work around this issue, add a custom User Rights Policy that adds the ‘BUILTIN\Administrators’ group and sets the system privileges in the same way as the built-in elevate policy does.