Problems using PSCredential as parameter in scripts selected in GUI

Product: PowerShell Universal
Version: 5.0.8

Hi,

I'm new to PowerShell Universal and we are in a POC with version 5.0.8 on IIS at the moment.

Seems pretty good but we have a problem using PSCredentials.

I searched in the forum but haven’t found a solution yet. Maybe someone has a solution for my issue.

We can use PSCredentials defined within a script but this doesn’t help us very much because we want the password to be secret and not part of the script.

Also we can use PSCredentials for RunAs the whole script which is good.

But we can’t use the PSCredential in the param block of a script while using a stored user. It seems like there is no credential transferred to the script.

As a test I created a non-secret value, and this is used perfectly within the script.

Please see the example script I use for testing:

```powershell
param (
    $partest,
    [PSCredential]$Cred
)

# Credential built inside the script (the password is in plain text here)
$wikiuser = "WikiUser"
$pw = "Password"
$secstr = New-Object -TypeName System.Security.SecureString
$pw.ToCharArray() | ForEach-Object { $secstr.AppendChar($_) }

$CredWiki = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $wikiuser, $secstr

# Value of the variable "test"
$var = $Variable:test

# Account the script is actually running as
$currUser = whoami

Write-Output "Result check"
Write-Output "===================================="
Write-Output "RunAs User stored in SecretVault:"
Write-Output $currUser
Write-Output "------------------------------------"
Write-Output "Testparameter:"
Write-Output $partest
Write-Output "------------------------------------"
Write-Output "Wikiuser defined in script:"
Write-Output $CredWiki.UserName
Write-Output "------------------------------------"
Write-Output "Any user stored in SecretVault via parameter:"
Write-Output $Cred.UserName
Write-Output "------------------------------------"
Write-Output "Variable 'test' stored in variable:"
Write-Output $var
```

and here is the result:

```
Result check
====================================
RunAs User stored in SecretVault:
domain\sccm_operator
------------------------------------
Testparameter:
Testparameter
------------------------------------
Wikiuser defined in script:
WikiUser
------------------------------------
Any user stored in SecretVault via parameter:
------------------------------------
Variable 'test' stored in variable:
This is a test output
```

Thank you in advance and best regards
Steffen

Have you looked into the Variables? You can save a PSCredential object into the database as a secret, then access it as follows:

  1. Head to Platform → Variables in the admin console
  2. Select + New Secret in the top right corner
  3. Fill out the parameters as you need:
     - The Name is how you will access the variable within the store.
     - Change the Type to PSCredential
     - Make sure the Vault selected is Database.
     - Username and password are up to you.
     - Set the roles to whoever will be USING the app; think of it like delegate access: What roles do you want to have access to use this credential in scripts or apps?

To access this credential in your script, you will prefix the Name of the variable with $Secret: as a typical scope. So, if you set the name to “ServiceAccount”, you would access the PSCredential object like: $Secret:ServiceAccount.

Let me know if that works!
〰ZG
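
A script that consumes the stored secret the way the answer above describes, as an added example that is not part of the original posts and not PowerShell Universal's own code. The secret name `ServiceAccount` comes from the answer; the helper `Resolve-ScriptCredential` is hypothetical.

```powershell
# Added example. Assumes a PSCredential secret named "ServiceAccount" exists
# under Platform -> Variables (the name used in the answer above).
param (
    $partest,
    [PSCredential]$Cred   # optional: the thread shows it can arrive empty
)

function Resolve-ScriptCredential {
    # Hypothetical helper: prefer a credential passed as a parameter,
    # otherwise fall back to the vault-backed secret.
    param ([PSCredential]$Explicit)

    if ($null -ne $Explicit) { return $Explicit }

    try {
        # The Secret: scope is provided by PowerShell Universal. Outside of it
        # this reference either fails or yields $null; both cases are handled.
        $fromVault = $Secret:ServiceAccount
    }
    catch {
        throw "Secret scope unavailable: $($_.Exception.Message)"
    }

    if ($fromVault -isnot [PSCredential]) {
        throw "Secret 'ServiceAccount' is empty or not a PSCredential (check its name, type and roles)."
    }
    return $fromVault
}

$credential = Resolve-ScriptCredential -Explicit $Cred

Write-Output "Testparameter: $partest"
Write-Output "Credential user: $($credential.UserName)"
# Report only non-secret metadata; the password itself is never written out.
Write-Output "Password present: $($credential.Password.Length -gt 0)"
```

With this shape the script fails at the start with a clear message instead of printing an empty user name when no credential reaches it.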

Thank you very much, your advice was very helpful.
It does not use the selected user via GUI but I can use the $secret:user now which helps us a lot and is better to be honest.

But what pointed the way to the problem after your advice was that I got the following error:
“The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation.”

With this error I was able to change the permission setting and now it works.

Best regards
Steffen