AD - Default role to Reader

Product: PowerShell Universal
Version: 1.4.7

Hello,

We recently purchased an Enterprise License and are setting the product up. We hooked up AD using this function:


$Result = [Security.AuthenticationResult]::new()

# Default template kept for reference, fully commented out. If only the 'if' is
# commented out while its body is not, every login is marked successful as 'Admin'
# before Test-Credential ever runs.
#if ($Credential.UserName -eq 'Admin')
#{
#    $Result.UserName = 'Admin'
#    $Result.Success = $true
#}
#$Result

Function Test-Credential {
    [OutputType([Bool])]
    
    Param (
        [Parameter(
            Mandatory = $true,
            ValueFromPipeLine = $true,
            ValueFromPipelineByPropertyName = $true
        )]
        [Alias(
            'PSCredential'
        )]
        [ValidateNotNull()]
        [System.Management.Automation.PSCredential]
        [System.Management.Automation.Credential()]
        $Credential,

        [Parameter()]
        [String]
        $Domain = $Credential.GetNetworkCredential().Domain
    )

    Begin {
        [System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.AccountManagement") |
            Out-Null

        $principalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
            [System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain
        )
    }

    Process {
        foreach ($item in $Credential) {
            # Use the pipeline item, not the bound parameter, so piped credentials are validated one by one
            $networkCredential = $item.GetNetworkCredential()
            
            Write-Output -InputObject $(
                $principalContext.ValidateCredentials(
                    $networkCredential.UserName, $networkCredential.Password
                )
            )
        }
    }
    End {
        $principalContext.Dispose()
    }
}

if (Test-Credential -Credential $Credential) { 
    $Result.UserName = $Credential.UserName
    $Result.Success = $true 
}

$Result

Users can log in successfully, however, they are given the administrator role. Can I change this to default to the reader role unless someone promotes the account?

You can set all the Roles to return $false except the Reader role. Then anyone logging in will automatically be assigned reader. If you want to assign a specific role to an individual identity in PSU, you can set that on the Identities page.

You could also use AD group membership to control who is an admin. We have an example here: https://docs.ironmansoftware.com/config/security#example-policy-based-on-active-directory-group-membership

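Putting both suggestions from the reply above together, here is an added example of a roles.ps1 (not code from the thread or from the PowerShell Universal docs). It assumes roles.ps1 sits beside the authentication.ps1 mentioned below, that New-PSURole policies receive the signed-in user as $User with $User.Identity.Name, that the built-in roles are Administrator, Operator, Execute and Reader, and that 'PSU-Admins' is a hypothetical AD group name.

```powershell
# roles.ps1 (assumed to live next to authentication.ps1 in the repository's .universal folder)
# Each policy scriptblock receives the signed-in user and must return a single $true/$false.

# Administrator only for members of an AD group. 'PSU-Admins' is a hypothetical group name.
New-PSURole -Name 'Administrator' -Policy {
    param($User)

    # Identity.Name may arrive as DOMAIN\user or just user; keep the account part.
    $sam = ($User.Identity.Name -split '\\')[-1]

    try {
        Import-Module ActiveDirectory -ErrorAction Stop
        $admins = Get-ADGroupMember -Identity 'PSU-Admins' -Recursive |
            Select-Object -ExpandProperty SamAccountName
        # -contains is case-insensitive, matching how AD treats account names
        $admins -contains $sam
    }
    catch {
        # Fail closed: a lookup error denies the privileged role instead of granting it
        $false
    }
}

# Nobody receives these roles by default; promote individuals on the Identities page.
New-PSURole -Name 'Operator' -Policy { $false }
New-PSURole -Name 'Execute'  -Policy { $false }

# Everyone who authenticates lands here.
New-PSURole -Name 'Reader' -Policy { $true }
```

The Administrator policy runs under the service account, so that account needs read access to the group's membership in AD.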

Thank you @adam!
I just upgraded to 1.5, however, now the snippet used above stopped working and I cannot log in.
I am wondering if I did something wrong with the upgrade? I see the snippet in C:\ProgramData\UniversalAutomation\Repository.universal\Authentication.ps1

I stopped the service and ran the .msi file.

Can you check the log to see if there is anything strange happening in there? It’ll be in:

%ProgramData%\PowerShellUniversal\log*.txt


@adam - I see some references to "Exception calling ValidateCredentials with 2 arguments - Server cannot handle directory requests."

2020-11-19T18:33:30.5605020-05:00 0HM4CSE0ECATR:00000003 [INF] Route matched with "{action = \"SignIn\", controller = \"Authentication\"}". Executing controller action with signature "System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] SignIn(UniversalDashboard.Controllers.Credential)" on controller "UniversalDashboard.Controllers.AuthenticationController" ("Universal.Server"). (122b2fdf)
2020-11-19T18:33:31.0003173-05:00 0HM4CSE0ECATR:00000003 [ERR] 
Exception calling "ValidateCredentials" with "2" argument(s): "The server cannot handle directory requests."
at Test-Credential<Process>, <No file>: line 55
at <ScriptBlock>, <No file>: line 66 (10c02a92)

@adam - I figured it out. Installing the new update removed the account we were using for the service. Once I provided the credentials for the service to run as a service account, it worked. I do have some other issues that came with the upgrade, but I will open a new topic.