Authentication and Roles

Product: PowerShell Universal 
Version: 1.5.2

Background: Using the MSI and Windows Integrated authentication set in programdata…\appsettings.json. Working.

I have a dashboard requiring authentication and the Administrator-role set (licensed user).
However, I can still access the site as a user not within the group. Can't figure out why.

I can see in the temporary file that I'm “my account is not admin”, yet I'm accessing the dashboard.
What am I missing?

Also, if I change the role to a custom one, I still only see that the Administrator-role is evaluated, and not the newly changed role.

roles.ps1:

New-PSURole -Name "Administrator" -Policy {
    param(
        $User
    )
    [bool]$return = $false
    if ((Test-MemberOfPUAdmin -UserName ($User.identity.name.replace("DOMAIN\", ""))) -eq $true) {
        "$($user.identity.name) is admin" | Out-File -FilePath C:\temp\admin.txt -Force -Append
        $return = $true
    }
    else {
        "$($user.identity.name) is not admin" | Out-File -FilePath C:\temp\admin.txt -Force -Append
        $return = $false
    }
    return $return
}

dashboards.ps1:

New-PSUDashboard -Name "whoami" -FilePath "whoami.ps1" -BaseUrl "/whoami" -Framework "UniversalDashboard:Latest" -Environment "5.1.17763.1432" -Authenticated -Role "Administrator"

whoami.ps1 (dashboard):

New-UDDashboard -Title "Hello, World!" -Content {
    $DebugPreference = "Continue"
    New-UDTypography -Text $user -Align center
    New-UDTypography -Text $((get-date).Tostring('yyMMdd')) -Align center
    Write-Debug "authad som  $user med grupperna $roles"
}

That’s not good. I’ve opened an issue in our tracker and will investigate.

@adam thanks, I’ll keep it in mind to do that straight away next time.
Where is that issue though? Can't find it on GitHub.

We have an internal tracker for issues as well. Feel free to open issues in the external tracker you referenced. We don’t duplicate all issues in both but are trying to figure out a good workflow for user-reported issues and internal features\issues.

This has been resolved in our main branch and will be available in tonight’s nightly build. This will be released in version 1.5.4 of Universal.

No nightly 1.5.4 yet on https://imsreleases.z19.web.core.windows.net
Guess it’s on its way?

We have a failing test that’s preventing it from being posted. Hopefully it’ll get up there today.

I’ve just been working on authentication for a dashboard I’ve migrated from 2.9.0 to 2.9.8 on Universal 1.5.4 and noticed that as a ‘reader’ I can switch on and off authentication on my dashboards, I can also go into the info tab and access/run code in the console and also edit published folders/change the paths & save.

Looking into this today. Are those actions actually changing things? We’ve had problems before where the UI isn’t correctly enforcing the role but the web server is so nothing actually changes but it looks like it does.

Good point, I didn't think to check into it too much. Certainly the switches were working and staying off etc., but I don't know if it actually made the back end change.

I would test it now, but somehow I completely borked my server earlier :rofl: so I’m awaiting a roll back to an earlier version. I’ll check tomorrow if you don't get to it before me.

1.5.4 is slow, barely loads for me. Applies for /admin as well as dashboards, it’s like tracing is on or something.
And the roles don’t seem to swap still, unless there’s a flaw in the code above…
Shouldn’t the above code work?

We are currently working on making the admin console faster. We are rewriting the admin console to make it faster, which includes smaller files and a lot of code splitting, so you only download the code that you currently need.
Also, we are making improvements to all the JavaScript functions that are querying the backend server, to reduce the number of queries.

I’d also be curious if you notice high CPU usage by any processes besides Universal.Server.exe. We had an issue in the past where LSASS was using a lot of CPU and it had to do with some decryption that was being called too frequently.

Hey, I have PSU 2.1.2 with Ws-Fed auth, roles defined and working. However, when a user is not in the Administrator role to manage /admin and they visit the /admin page, they get stuck in an authentication loop and keep trying to re-authenticate against Ws-Fed.

Any ideas here how I can stop the loop and force to the not authorised page? I have seen this page when using ‘New-PSUAuthenticationResult’; however, when I add this in anywhere in the roles.ps1 code, no matter what I do all users get authorised! Even if they fail the test, or even if I put $false in the code.

This is a known issue at the moment. We had implemented a not-authorized page for this reason but it caused an infinite loop in Windows auth so we rolled it back. This should be fixed in 2.1.3.
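
A way to check a roles.ps1 policy in isolation, so that a defect in the policy can be told apart from one in the product (an added example, not code from the thread or from PowerShell Universal). The `Test-MemberOfPUAdmin` stub, the mock `$User` object and the helper names are assumptions; how Universal itself converts a policy's output to a decision is not stated in the thread.

```powershell
# Stub for the poster's own Test-MemberOfPUAdmin (its body is not on the page).
function Test-MemberOfPUAdmin {
    param([string]$UserName)
    $UserName -in @('alice')          # constructed membership list
}

# Mock of the $User argument: only Identity.Name, the one property roles.ps1 reads.
function New-MockUser {
    param([string]$Name)
    [pscustomobject]@{ Identity = [pscustomobject]@{ Name = $Name } }
}

# Policy in the shape of the one in roles.ps1: emits exactly one Boolean.
$cleanPolicy = {
    param($User)
    $name = $User.Identity.Name -replace '^DOMAIN\\', ''
    [bool](Test-MemberOfPUAdmin -UserName $name)
}

# Same decision, but an extra object reaches the output stream before $false.
$leakyPolicy = {
    param($User)
    [pscustomobject]@{ Note = 'constructed stand-in for any extra output' }
    $false
}

function Test-RolePolicy {
    param([scriptblock]$Policy, [string]$Name)
    $out = @(& $Policy (New-MockUser -Name $Name))   # collect everything emitted
    $single = ($out.Count -eq 1) -and ($out[0] -is [bool])
    [pscustomobject]@{
        User        = $Name
        OutputCount = $out.Count
        LooseCast   = [bool]$out                    # array of 2+ items casts to $true
        Granted     = $single -and $out[0]          # fail closed on anything else
    }
}

Test-RolePolicy -Policy $cleanPolicy -Name 'DOMAIN\alice'
Test-RolePolicy -Policy $cleanPolicy -Name 'DOMAIN\bob'
Test-RolePolicy -Policy $leakyPolicy -Name 'DOMAIN\bob'
```

When `LooseCast` and `Granted` disagree for a policy, the scriptblock is emitting more than its single Boolean.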