Admin login with any password using claims example


I used the claims example (Security - PowerShell Universal) to authenticate domain users in PSU.

$Result = [Security.AuthenticationResult]::new()
if ($Credential.UserName -eq 'Admin') {
    # Maintain the out-of-box admin user
    New-PSUAuthenticationResult -UserName 'Admin' -Success
}
$CurrentDomain = "LDAP://DC=mydemodomain,DC=com"

After the authentication.ps1 code update I can authenticate AD users, but I can also log in with the admin account using any password.

Is there a way to prevent this without matching the password like this in plain text?

if ($Credential.UserName -eq 'Admin' -and $Credential.GetNetworkCredential().Password -eq 'MySuperSecretPassword') {
    New-PSUAuthenticationResult -Success -UserName 'Admin'
}
Product: PowerShell Universal
Version: 3.9.15

I have the password stored as a secure string with Export-Clixml and then convert it back to plain text for the comparison. You could even do this with the secrets management module.

Something like this…

$SubmittedPassword = $Credential.GetNetworkCredential().Password
# Credential object previously saved with Export-Clixml; its Password is a SecureString
$Account = Import-Clixml <xml file>
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Account.Password)
$PlaintextPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)

if ($SubmittedPassword -eq $PlaintextPassword) {
    New-PSUAuthenticationResult -Success -UserName 'Admin'
}
else {
    New-PSUAuthenticationResult -ErrorMessage "bad username or password"
}

Open to suggestions others may have.
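Putting the two posts together, here is a complete authentication.ps1 flow as an added example (not code from either poster or from the PowerShell Universal docs): the Admin branch only succeeds when the submitted password matches the credential saved with Export-Clixml, and every other user falls through to an LDAP bind against the domain. The stored-credential path, the `param` signature and the DirectoryEntry bind are assumptions; `New-PSUAuthenticationResult` and the LDAP path are taken from the thread.

```powershell
# Added example. Assumes PSU invokes this script with the submitted PSCredential in $Credential.
# One-time setup, run interactively as the account the PSU service runs under
# (Export-Clixml protects the SecureString with DPAPI for that user on that machine):
#   Get-Credential -UserName 'Admin' -Message 'PSU admin' |
#       Export-Clixml -Path 'C:\ProgramData\UniversalAutomation\admin.cred.xml'
param([pscredential]$Credential)

$AdminCredPath = 'C:\ProgramData\UniversalAutomation\admin.cred.xml'   # assumed path
$CurrentDomain = 'LDAP://DC=mydemodomain,DC=com'

function Test-StoredAdminPassword {
    param([pscredential]$Submitted, [string]$Path)
    if (-not (Test-Path $Path)) { return $false }   # no stored secret: never succeed
    $Stored = Import-Clixml -Path $Path
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Stored.Password)
    try {
        $expected = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        # -ceq is case-sensitive; -eq would accept case-variants of the password
        return ($Submitted.GetNetworkCredential().Password -ceq $expected)
    } finally {
        # Zero and free the unmanaged plaintext copy as soon as the compare is done
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

function Test-DomainCredential {
    param([pscredential]$Submitted, [string]$LdapPath)
    try {
        $entry = [System.DirectoryServices.DirectoryEntry]::new(
            $LdapPath, $Submitted.UserName, $Submitted.GetNetworkCredential().Password)
        $name = $entry.Name   # reading a property forces the bind; a wrong password fails here
        return -not [string]::IsNullOrEmpty($name)
    } catch {
        return $false
    }
}

if ($Credential.UserName -eq 'Admin') {
    # Built-in admin: succeeds only against the stored credential, never on the name alone
    if (Test-StoredAdminPassword -Submitted $Credential -Path $AdminCredPath) {
        return New-PSUAuthenticationResult -Success -UserName 'Admin'
    }
    return New-PSUAuthenticationResult -ErrorMessage 'bad username or password'
}

if (Test-DomainCredential -Submitted $Credential -LdapPath $CurrentDomain) {
    return New-PSUAuthenticationResult -Success -UserName $Credential.UserName
}
New-PSUAuthenticationResult -ErrorMessage 'bad username or password'
```

Because the Clixml file is DPAPI-protected, it can only be decrypted by the same Windows account on the same machine, so it must be created under the identity that runs the PSU service.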

Thanks, this is a good workaround for now.