I have several dashboards set up and hosted as a Windows Service. For one of them, I was looking around to do two things: restrict access to an A.D. group, and return the username of the person accessing the form. I have been scouring the forum and reading through old topics, which led me finally to an enhancement that was apparently implemented in September: https://github.com/ironmansoftware/powershell-universal/issues/34
Just curious if there is an example, or doc for how I would set this up. I have been reading through the Universal Docs, but don’t see (or missed) any straightforward example on implementing this.
Thanks for the response. I did follow the instructions in that link - set up the Windows service, set it to run as my service account, and created the SPN. It seems to have opened up access to anyone in the domain, though. I can log into the admin console remotely with both my everyday account as well as my elevated account, and have confirmed others can too.
I followed the examples under Authorization>>Policy Assignment and Role Assignment, pointing these to an A.D. group that only my elevated account is a member of. I can confirm that when I log in as my SA (elevated) account, I see “authentication success” in adlogin.txt and “is a member of admin group” in adgroup.txt. For my normal account, I get authentication success and “is NOT a member of admin group”. I can also create dashboards, start and stop them, etc., with my normal account. I guess that is where my confusion lies: I would expect that account to not be able to authenticate at all since it is not part of the specified group. Do I have to do something in the other roles to explicitly deny access?
In the end, I don’t think I’ll be able to do what I am after. I was looking more for authorization, only loading a dashboard if a user is a member of an A.D. group, otherwise generating an error page. However, it would seem that I won’t be able to get the $User object until after they authenticate, and I know these folks won’t want to authenticate every time they hit the dashboard (could be multiple times per day). I am thinking I will have to find another way.