Authentication and Policy based on Active Directory Group Membership

f.ehler.i.nolim · January 25, 2021, 7:01pm

I’m attempting to add authentication to my dashboards as well as adding/limiting access depending on AD group membership. I’ve followed the tutorials in the documentation, read forums for similar threads, etc. but I’m still having issues.

As of right now, PSU is able to authenticate against AD but it’s not able to determine if a user is a member of an AD group. Here’s what I did,

Created Application Pool and its running as the LocalSystem
Changed Windows Authentication to True in appsettings.json
Enabled Windows Authentication in IIS and disabled anonymous authentication
Created 2 groups PSU Admin and PSU Users. Added myself and supervisor to PSU Admins, everyone else to PSU Users.
Modified Security Settings to this using my own domain information. The adlogin.txt file does not get created at all.
Modified the Administrator Policy Script to match this using my own LDAP info. The adgroup.txt files does get created and it appends a timestamp and name of user logging in. Neither my supervisor or I are shown to be members of the PSU Admin group.

After looking through the log I found errors that repeat themselves ALOT.

Product: PowerShell Universal
Version: 1.5.7

psDevUK · January 25, 2021, 10:14pm

Here is my crude method of using a couple of functions to authenticate the user and the AD group they belong in…this is in older UD but I am sure you could just use these two functions to get the job done

github.com

psDevUK/psUniversalDashboard/blob/master/PagesGitHub/FormLogin.ps1

New-UDAuthenticationMethod -Endpoint {
    param([PSCredential]$Credentials)
    Function Test-Credential {
        [OutputType([Bool])]

        Param (
            [Parameter(
                Mandatory = $true,
                ValueFromPipeLine = $true,
                ValueFromPipelineByPropertyName = $true
            )]
            [Alias(
                'PSCredential'
            )]
            [ValidateNotNull()]
            [System.Management.Automation.PSCredential]
            [System.Management.Automation.Credential()]
            $Credential,

            [Parameter()]

This file has been truncated. show original

f.ehler.i.nolim · January 25, 2021, 11:24pm

Thank you so much! I’ll give this a shot, thank you again.

JLogan3o13 · January 26, 2021, 10:53pm

I did similar to yourself, and configured the Admin Policy to look like this:

param(
    $User
)

$UserName = ($User.Identity.Name)
$UserName = $UserName.Split('\')[1]
$IsMember = $false;

$Searcher = New-Object DirectoryServices.DirectorySearcher
$Searcher.SearchRoot = 'LDAP://OU=Users,DC=my,DC=intra,DC=company,DC=com'
$Searcher.Filter = "(&(objectCategory=person)(memberOf=CN=PSU_Administrators,OU=PSU,OU=Application Groups,OU=My Groups,DC=my,DC=intra,DC=company,DC=com))"
$Users = $Searcher.FindAll()
$Users | ForEach-Object {
    If($_.Properties.samaccountname -eq $UserName) {
        $IsMember = $true;
    }
}

$IsMember

This allowed only certain folks to have Admin access. I then created a new policy for one of my dashboards, and basically used the same script as above, just altered the path to the group in A.D.

The biggest thing for me was it did not work until I set an explicit deny on all the other canned policies such as Reader, Operator, etc. Otherwise people were still able to get to pretty much anything. Since I am not yet using them, I set them all to the below:

param(
    $User
)

$UserName = ($User.Identity.Name)
$UserName = $UserName.Split('\')[1]

$IsMember = $false;
$IsMember

This seems to work well for me; hope it helps.

f.ehler.i.nolim · January 27, 2021, 8:44pm

Thank you so much for your response. It looks like everything is working as it should now. Thank you again.