Hi Forum,
I am seeking some help. I’m new to Universal and I am trying to set up a dashboard which queries Active Directory.
I configured Form Authentication with Active Directory and am running the dashboard in IIS (without Windows authentication).
What I fail to get to work is using the PSCredential object in my dashboard. I read about the $User variable, but I would also require the password to impersonate the query of AD.
Is it possible to pass the PSCredential object to the dashboard and then use it in the dashboard to authenticate queries against AD?
Is that working at all?
I searched the forum but could not really get it working. I tried the $Cache global variable, but I always end up with the credential password being null…
I’m running version 1.4.6.
If something like this could work, do you have an example for me, please?
EDIT: Just ignore what I wrote. I didn’t read the whole message.
I’m just leaving the following for someone who might need it.
Yes. Just modify the 'authentication.ps1' file located in 'program data\universal automation\repository.universal' with the following:
Set-PSUAuthenticationMethod -ScriptBlock {
    param(
        [PSCredential]$Credential
    )
    $Result = [Security.AuthenticationResult]::new()
    if ($Credential.UserName -eq 'Admin') # you can use a simple user that does not exist in AD
    {
        # Maintain the out of box admin user
        # Note: this branch matches on the user name only; the password is not checked
        $Result.UserName = 'Default Admin'
        $Result.Success = $true
    }
    else
    {
        # Look the user up in AD, binding with the credential entered on the login form
        $User = Get-ADUser -Identity $Credential.UserName -Server "YOUR SERVER" -Credential $Credential -ErrorAction SilentlyContinue
        if ($null -ne $User)
        {
            $Result.UserName = ($Credential.UserName)
            $Result.Success = $true
        }
    }
    $Result
}
The credential isn’t passed to the dashboard. You’ll have access to the $User variable that contains the user name of the person logging in and the $Roles variable with any roles that have been assigned to that user but we don’t persist the credentials.
Hi,
Thank you Adam, it's really great that you take your time to answer here in the forum.
So, understanding you correctly, I cannot use the PSCredential entered by the user during login to query AD.
E.g. like:
Remove-ADGroupMember -Identity 'MyGroupName' -Credential [PSCredential] (from login page) -Members $Member …?
I would need to use a service account to interact with AD and manage permissions through the $Roles?
Or can I set up my own login page in Dashboard where I can then use the PSCredential object?
You could set up a service account to execute all the actions against AD and then manage access with roles.
If you want to persist the user’s credential and access AD that way, I would suggest storing it in the secret store during login and then retrieving it from the secret store in the dashboard. This way you aren’t storing the credential in memory for the whole time the server is running but rather in the credential manager.
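One way to wire up the secret-store approach suggested above, as an added example that is not part of the original thread or Universal's own code. Assumptions: the `UD-Login-` secret name prefix is hypothetical, a default vault is available to the SecretManagement module, and the login script and the dashboard run under the same Windows account.

```powershell
# Added example. Assumed names: the 'UD-Login-' secret name prefix (hypothetical);
# 'YOUR SERVER', 'MyGroupName' and $Member are the placeholders used in the thread.
# Assumes the login script and the dashboard run under the same Windows account,
# because Credential Manager entries are stored per user.

# authentication.ps1: validate the login against AD, then store the credential
Import-Module Microsoft.PowerShell.SecretManagement

Set-PSUAuthenticationMethod -ScriptBlock {
    param(
        [PSCredential]$Credential
    )
    $Result = [Security.AuthenticationResult]::new()
    try {
        # Binding to AD with the supplied credential fails if the password is wrong
        $AdUser = Get-ADUser -Identity $Credential.UserName -Server 'YOUR SERVER' `
            -Credential $Credential -ErrorAction Stop
    }
    catch {
        $AdUser = $null
    }
    if ($null -ne $AdUser) {
        # Store only after a successful bind, one secret per user name
        Set-Secret -Name "UD-Login-$($Credential.UserName)" -Secret $Credential
        $Result.UserName = $Credential.UserName
        $Result.Success = $true
    }
    $Result
}

# dashboard.ps1: $User holds the logged-in user name, as described in the thread
Import-Module Microsoft.PowerShell.SecretManagement

$LoginCredential = Get-Secret -Name "UD-Login-$User" -ErrorAction SilentlyContinue
if ($LoginCredential -isnot [PSCredential]) {
    # Fail closed: never fall back to the service account's own rights
    throw "No stored credential for '$User'; ask the user to log in again."
}
Remove-ADGroupMember -Identity 'MyGroupName' -Members $Member `
    -Credential $LoginCredential -Confirm:$false
```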
Hi,
I was trying this but somehow for me the “Set-Secret” cmdlet seems not to work?
Do I need a special module for it which is not included in Universal v3? Or do I need to first create the variable?
The secret management module is included with Universal. If you don’t have the cmdlets available you can always import the module from the installation directory. The module lives in Microsoft.PowerShell.SecretManagement\0.2.1.
Thank you for your answer. But this still does not work for me?
I imported the SecretManagement in the authentication.ps1 and as well in my dashboard.ps1.
But either the Set-Secret is not working or the Get-Secret? The dashboard log just shows that the secret is not found.
I am hosting the dashboard in IIS with a service account; could this be an issue?