Discussion: Safest Way For powershell remoting from UD

I am currently working on a dashboard which connects to SAN,Net-backup ,Network devices and windows servers.
i was able to do all these tasks but i am having a difficulty in saving the credentials as i cant just put it in the script and keep it in the IIS virtual directory and i can’t let the viewers enter the password to create the pscreds.
i have one idea which is to encrypt the username and password using a key or certificate but still it is not secure enough.

Any ideas guys how do you do powershell remoting with UD.

Hi @alaaelmahdy please can you state if you are using community or professional version? The profession version includes a login page so no need to encrypt passwords etc as you can authenticate the login page to Azure, Active Directory, Twitter, Facebook etc. If you are not using the professional version it is certainly worth the low amount being asked for a license.

Use the Credential Manager PS Module to store credentials, then you can retrieve them using Get-StoredCredential. Your IIS application pool then runs as that user. Be sure to enable profile loading under your app pool settings.

1 Like

@psDevUK i am using the community edition and i have created my own login pages thanks to your help in the other post but here i need to have the application pool to run as a privileged user which can access other services like san ,network and other servers.
Thank you @artvandelay440 for the hint i’ll check it out and report back.

sorted out , thank you @artvandelay440
The module can be downloaded from

Read a credential object from the credential store. If no credential is available or valid it will
prompt for the credential and store it in the credential store.
This cmdlet can be used in scripts to avoid prompting for a credential everytime the script runs. This method
is much safer then storing the credential in the script itself or using your own method. The Windows Data
Protection API (DPAPI) is used to encrypt the password. The password can only be decrypted by the same
user who encrypted it. Resetting your password will void the decryption key and make the credential unusable.
As the encryption key is tied to the user, the credential store must be personal, wich means a seperate
store for each user. The default store is the directory ‘\Credentials’.
Author: Theo Hardendood, Metis IT B.V.

Version History:
1.0 - 06-07-2016 - Initial release

The name of the credential. Used for naming the files in the credential store.
The name is not case sensitive. Two files will be used for each credential: ‘.username’
and ‘.password’. Whitespace or special characters are not allowed.
The path to the credential store. Default is ‘\Credentials’. This must be a writeable
directory that will be created if it does not exist.
.PARAMETER Credential
Save the supplied credential in the credential store, overwriting an existing credential.
The user name used in the credential when prompting. This will only be used when asking for a new credential,
and can be changed by the user.
The message that appears in the credential prompt.
Do not prompt for the credential if it cannot be found or read and throw an exception.
Reset credential by prompting for a new one.
Delete credential and do not prompt for a new one.
$cred = Get-StoredCredential -Name vCenter

Read credential for vCenter and return as PSCredential object. The cmdlet will prompt for username and
password if the credential cannot be read.

$cred = Get-StoredCredential -Name JustAName -UserName “Administrator”

If it must ask for a new credential, the user name field will be filled in as a suggestion.

$cred = Get-StoredCredential -Name JustAName -StorePath “E:\Credentials\myname”

Uses the file 'E:\Credentials\myname\JustAName.username' to store the user name and the file
'E:\Credentials\myname\JustAName.password' to store the password.

Get-StoredCredential -Name JustAName -Credential $cred

Store the credential $cred in the credential store. Use this method for storing a credential if it is used
in a script running under a service account and you cannot log in under that account. To make this work, create
a script with the below contents (don't forget to use the correct UserName and Password) and run it under the
service account. Make sure the path to the credential store is valid.

$securePassword = ConvertTo-SecureString -String "ThePassword" -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "TheUserName", $securePassword
Get-StoredCredential -Name JustAName -StorePath "E:\Credentials\ServiceAccount" -Credential $cred

Do not forget to overwrite or delete this script afterward, or your password is still exposed.

Get-StoredCredential -Name JustAName -Delete

Delete the credential JustAName. If the -Delete parameter is used then no PSCredential object will be returned.


1 Like

I would recommend installing it from the powershell gallery. Install-Module CredentialManager


like that i can read it :sweat_smile: