PSCredential $Credential - Sorry I don't get it

Hi Forum,
I am seeking some help. I’m new to Universal and I am trying to set up a dashboard which queries Active Directory.
I configured Form Authentication with Active Directory and am running the dashboard in IIS (without Windows authentication).

What I fail to get to work is using the PSCredential object in my dashboard. I read about the $User variable, but I would also require the password to impersonate the query of AD.

Is it possible to pass the PSCredential object to the dashboard and then use it in the dashboard to authenticate queries against AD?
Is that working at all?

I searched the forum but could not really get it working. I tried the $Cache global variable, but I always end up with the credential password being null…

I’m running version 1.4.6

If something like this could work, do you have an example for me, please?

Many thanks in advance
Ted

EDIT: just ignore what I wrote. I didn’t read the whole message :slight_smile:
I’m just leaving the following for someone who might need it.

Yes. Just modify the ‘authentication.ps1’ file located in ‘program data\universal automation\repository.universal’ with the following:

```powershell
Set-PSUAuthenticationMethod -ScriptBlock {
    param(
        [PSCredential]$Credential
    )
    $Result = [Security.AuthenticationResult]::new()
    if ($Credential.UserName -eq 'Admin')   # you can use a simple user that does not exist in AD
    {
        # Maintain the out of box admin user
        # NOTE: this branch checks only the user name; any password is accepted for 'Admin'
        $Result.UserName = 'Default Admin'
        $Result.Success = $true
    }
    else
    {
        # Look the user up in AD, binding with the credential entered on the login page
        $User = Get-ADUser -Identity $Credential.UserName -Server "YOUR SERVER" -Credential $Credential -ErrorAction SilentlyContinue
        if ($null -ne $User)
        {
            $Result.UserName = ($Credential.UserName)
            $Result.Success = $true
        }
    }
    # Success stays at its default unless one of the branches above set it
    $Result
}
```

:slight_smile: Thank you
Yes, that’s working. But do you know how to use the PSCredential in my dashboard?

Is it related to the server running with PS7?

I just don’t get it :confused:

The credential isn’t passed to the dashboard. You’ll have access to the $User variable that contains the user name of the person logging in and the $Roles variable with any roles that have been assigned to that user but we don’t persist the credentials.

Hi
Thank you Adam, really great that you take your time to answer here in the forum :slight_smile:

So, understanding you correctly, I cannot use the PSCredential entered by the user during login to query AD,
e.g. like:
Remove-ADGroupMember -Identity 'MyGroupName' -Credential [PSCredential] (from login page) -Members $Member …?

I would need to use a service account to interact with AD and manage permissions through the $Roles?
Or can I set up my own login page in Dashboard where I can then use the PSCredential object?

Many thanks
Ted

You could set up a service account to execute all the actions against AD and then manage access with roles.

If you want to persist the user’s credential and access AD that way, I would suggest storing it in the secret store during login and then retrieving it from the secret store in the dashboard. This way you aren’t storing the credential in memory for the whole time the server is running but rather in the credential manager.

authentication.ps1

```powershell
# Set-Secret takes the value to store through -Secret
Set-Secret -Name "AD-$($Credential.UserName)" -Secret $Credential
```

dashboard.ps1

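```powershell
# Read back the credential that was stored for the logged-in user
$Secret = Get-Secret -Name "AD-$User"
# $Member: the account to remove, as in the question above
Remove-ADGroupMember -Identity 'MyGroupName' -Credential $Secret -Members $Member
```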

You could even set up a scheduled job to remove secrets at a later time.

script.ps1

```powershell
# -like needs a wildcard to match every secret whose name starts with AD-
Get-SecretInfo | Where-Object { $_.Name -like "AD-*" } | Remove-Secret
```

Hi,
I was trying this, but somehow for me the “Set-Secret” cmdlet does not seem to work?
Do I need a special module for it which is not included in Universal v3? Or do I need to create the variable first?

In the dashboard I only see

Many thanks in advance
Tobias

The secret management module is included with Universal. If you don’t have the cmdlets available you can always import the module from the installation directory. The module lives in Microsoft.PowerShell.SecretManagement\0.2.1.

Hi Adam,

Thank you for your answer. But this still does not work for me?
I imported SecretManagement in authentication.ps1 as well as in my dashboard.ps1.

But either Set-Secret is not working or Get-Secret? The dashboard log just shows that the secret is not found.

I am hosting the dashboard in IIS with a service account; could this be an issue?
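
A round-trip check for the store-at-login, read-in-dashboard pattern discussed above, as an added example that is not part of any post in this thread. It assumes the cmdlet and parameter names of the released Microsoft.PowerShell.SecretManagement module (`Get-SecretVault`, `Set-Secret -Secret`, `Remove-Secret -Vault`), which may differ in the 0.2.1 build mentioned above; `Test-SecretRoundTrip` and the `selftest` credential are hypothetical names constructed for illustration.

```powershell
# Added example. Assumes released SecretManagement (1.x) cmdlet names.
function Test-SecretRoundTrip {
    param([string]$Prefix = 'AD-')   # secret naming convention used in this thread

    $report = [ordered]@{
        Identity  = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        PSVersion = $PSVersionTable.PSVersion.ToString()
        Vault     = $null
        RoundTrip = $false
        Error     = $null
    }
    $name = $null
    try {
        Import-Module Microsoft.PowerShell.SecretManagement -ErrorAction Stop

        # Vault registrations are stored per user, so an IIS app-pool or service
        # account sees only the vaults registered under that same account.
        $vaults = @(Get-SecretVault)
        if ($vaults.Count -eq 0) { throw "No secret vault registered for $($report.Identity)." }
        $default = $vaults | Where-Object IsDefault | Select-Object -First 1
        $report.Vault = if ($default) { $default.Name } else { $vaults[0].Name }

        # Constructed throwaway credential; never test with a real password.
        $name = $Prefix + 'selftest-' + [guid]::NewGuid().ToString('N')
        $pw   = ConvertTo-SecureString 'constructed-sample' -AsPlainText -Force
        $cred = [PSCredential]::new('selftest', $pw)

        Set-Secret -Name $name -Secret $cred -Vault $report.Vault -ErrorAction Stop
        $back = Get-Secret -Name $name -Vault $report.Vault -ErrorAction Stop
        $report.RoundTrip = ($back -is [PSCredential]) -and ($back.UserName -eq 'selftest')
    }
    catch {
        $report.Error = $_.Exception.Message
    }
    finally {
        # Always remove the test secret so nothing lingers in the vault.
        if ($name -and $report.Vault) {
            Remove-Secret -Name $name -Vault $report.Vault -ErrorAction SilentlyContinue
        }
    }
    [pscustomobject]$report
}

# Call from both places and compare Identity, Vault and Error in the two results.
Test-SecretRoundTrip | Format-List
```

If the two runs report different `Identity` or `Vault` values, the login script and the dashboard are not reading the same store, which would produce a "secret not found" result in the dashboard.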