Automatic logon / authentication using AD without getting a logon prompt - what am I missing

Okay we have some progress :slight_smile:

I completely ripped out PU, removed all directories / files from ProgramData and reinstalled from scratch as detailed below:

  1. Installed as Windows Service and set to use my service account to run

  2. Amended C:\ProgramData\PowerShellUniversal\appsettings.json to include

"Authentication": {
  "Windows": {
    "Enabled": "true"
  }
}

  3. Configured Service Principal Name using

setspn -S HTTP/mycomputername.mydomain.local myserviceaccount

  4. Configured registry to allow Edge to pass credentials (will obviously do via Group Policy in future)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge AuthServerAllowlist REG_SZ mycomputername.mydomain.local

AND it worked!

So this is without creating an authentication.ps1 file in C:\ProgramData\UniversalAutomation\Repository.universal, whereas before I was using the example script from Security - PowerShell Universal. If I add this script now (and change it to my domain details) then it breaks it again… so basically doing above steps and C:\ProgramData\UniversalAutomation\Repository.universal being empty and containing no authentication.ps1 file works fine for me.

So part 1 sorted, now need to work out how I only allow specific AD users to log in and assign roles based on AD group membership - assuming that is the best way to do it? Open to suggestions here. Basically will only have a handful of users, a couple will be admins so need full access, the rest will just need either Reader or User roles. Don’t want anyone without permissions to be able to gain access.
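The four steps above are easy to get subtly wrong (a duplicate SPN, a stray character in appsettings.json, a typo in the Edge allow-list), and each one fails the same way: a logon prompt instead of silent Kerberos logon. The script below is an added example, not part of the original post or of PowerShell Universal itself; it checks each step on the PSU host and reports pass/fail per item. It reuses the post's placeholder names (mycomputername.mydomain.local, myserviceaccount) and assumes the Windows service is registered under the name PowerShellUniversal; adjust the variables at the top for your environment.

```powershell
# Added example (not from the original post): verify the Windows-auth setup steps.
# Run in an elevated PowerShell session on the PSU host.
$Fqdn           = 'mycomputername.mydomain.local'   # post's placeholder FQDN
$ServiceAccount = 'myserviceaccount'                # post's placeholder service account
$AppSettings    = 'C:\ProgramData\PowerShellUniversal\appsettings.json'
$EdgePolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$ServiceName    = 'PowerShellUniversal'             # assumption: default PSU service name

$results = [ordered]@{}

# Step 1: the service must run under the service account that owns the SPN,
# otherwise the Kerberos ticket cannot be decrypted and the browser falls back to a prompt.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
$results['ServiceRunsAsAccount'] = [bool]($svc -and $svc.StartName -like "*$ServiceAccount*")

# Step 2: appsettings.json must parse and have Authentication.Windows.Enabled = "true"
# (PSU stores this value as the string "true", matching the snippet in the post).
try {
    $cfg = Get-Content -Raw -Path $AppSettings | ConvertFrom-Json
    $results['WindowsAuthEnabled'] = ($cfg.Authentication.Windows.Enabled -eq 'true')
} catch {
    $results['WindowsAuthEnabled'] = $false   # unreadable or invalid JSON
}

# Step 3: the HTTP SPN must be listed on the service account exactly once, and must
# not also exist on another account; duplicate SPNs make Kerberos silently fail.
$listed = & setspn -L $ServiceAccount 2>&1
$results['SpnOnServiceAccount'] = (@($listed -match "^\s*HTTP/$([regex]::Escape($Fqdn))\s*$").Count -eq 1)
$query  = & setspn -Q "HTTP/$Fqdn" 2>&1
$results['SpnUniqueInDomain']   = (@($query -match '^CN=').Count -le 1)

# Step 4: Edge only sends Kerberos/NTLM credentials to hosts in AuthServerAllowlist.
$allow = (Get-ItemProperty -Path $EdgePolicyKey -Name AuthServerAllowlist -ErrorAction SilentlyContinue).AuthServerAllowlist
$results['EdgeAllowlistHasHost'] = [bool]($allow -and ((($allow -split ',') | ForEach-Object Trim) -contains $Fqdn))

# Print the checklist; any $false row points at the step to revisit.
[pscustomobject]$results | Format-List
```

Two things worth keeping in mind when reading the output: setspn -Q prints one CN= line per account that holds the SPN, so more than one line means a duplicate to remove with setspn -D; and the browser must be visiting the site by the exact host name in the SPN (not by IP or a short alias), or the allow-list and SPN checks can both pass while the logon prompt still appears.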
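On the second question (restricting who gets in and assigning Administrator / User / Reader by AD group), the usual PSU approach is a roles.ps1 in the same repository folder the post mentions, separate from authentication.ps1. The block below is an added example written for this thread, not the project's own code. It assumes PSU's New-PSURole cmdlet with a -Policy script block that receives the signed-in ClaimsPrincipal as $User, and that Windows authentication exposes AD group membership as group-SID claims under the claim type shown; the SID values are placeholders to replace with your own groups' SIDs, and the PSU documentation should be checked for the exact cmdlet behaviour on your version.

```powershell
# Added example (not from the original post): roles.ps1 mapping AD groups to PSU roles.
# Assumption: New-PSURole -Policy { param($User) ... } returns $true to grant the role.
# Assumption: Windows auth surfaces AD groups as claims of this type, with the group SID as value.
# Look the SIDs up with e.g. (Get-ADGroup 'PSU-Admins').SID.Value and paste them as literals;
# literals are used inside the policy blocks because they run in their own scope.

New-PSURole -Name 'Administrator' -Description 'Full access (members of the PSU admins AD group)' -Policy {
    param($User)
    $User.HasClaim('http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid',
                   'S-1-5-21-PLACEHOLDER-ADMINS')   # placeholder: SID of your admins group
}

New-PSURole -Name 'User' -Description 'Can run scripts (members of the PSU users AD group)' -Policy {
    param($User)
    $User.HasClaim('http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid',
                   'S-1-5-21-PLACEHOLDER-USERS')    # placeholder: SID of your users group
}

New-PSURole -Name 'Reader' -Description 'Read-only (members of the PSU readers AD group)' -Policy {
    param($User)
    $User.HasClaim('http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid',
                   'S-1-5-21-PLACEHOLDER-READERS')  # placeholder: SID of your readers group
}

# Note: there is deliberately no role whose policy returns $true unconditionally. With
# Windows authentication any domain account can authenticate, so it is the role policies
# that keep unlisted accounts out; a role that always returns $true would give every
# domain user that role.
```

Matching on group SIDs rather than group names avoids breakage when a group is renamed and avoids ambiguity between groups with the same name in different OUs. After adding the file, sign in once with an account that is in none of the three groups and confirm it ends up with no usable access; that is the check for the "don't want anyone without permissions" requirement.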