Roles.ps1 loads twice?

PowerShell Universal
1 
Product: PowerShell Universal
Version: 2.8.1

I’m running PSU via IIS and using roles.ps1 to set access based on 3 AD groups that a person could be a member of:

  • Admin
  • Supervisor
  • User

The code per New-PSURole section is like:

New-PSURole -Name "Admin" -Description "admin policy" -Policy {
param (
        $User
    )
		
	$UserName = ($User.Identity.Name)
	$UserDomain = $UserName.Split('\')[0]
	$UserName = $UserName.Split('\')[1]
	$UserServer = Switch ($UserDomain) {
		'DDDD' {'domain.co.nz'}
		'DDD2' {'domain2.co.nz'}
	}
	
	$requiredSIDmembership = 'S-1-5-21-123123123123-123123123-12345'
	$UserSamAccountName = Get-ADUser -Identity $UserName -Server $UserServer | Select -ExpandProperty SamAccountName
	$members = Get-ADGroupMember -Identity $requiredSIDmembership -Server 'domain.co.nz' -Recursive | Select -ExpandProperty SamAccountName
	If ($members -contains $UserSamAccountName) {
		$IsMember = $true
	} Else {
		$IsMember = $false
	}	
	"$(Get-Date -f 'yyyy-MM-dd HH:mm:ss') PSURole -Name Admin IsMember: $IsMember" | Out-File "c:\temp\userConnectVar.txt" -append
	
	# see PowerShell Universal admin: Automation|Variables to change this variable value
	$userLoginsFolder = Get-UAVariable -Name 'UserLoginsFolder'
	"ATTEMPTED ACCESS FROM: $($User.Identity.Name)" | Out-File "$userLoginsFolder\\$UserName.log"
	"`r`nTo be in the 'Admin' role you need to be a member of SID: $requiredSIDmembership" | Out-File "$userLoginsFolder\\$UserName.log" -Append
	"$($User.Identity.Name) is assigned to 'Admin' role: $IsMember" | Out-File "$userLoginsFolder\\$UserName.log" -Append

	
	$IsMember

}

For this test, the user is a member of the 2 AD groups:

  • Admin
  • User
    (they are not a member of the Supervisor group)

The 2 debug/log files that the above code writes to look like:

2022-02-18 10:37:56 PSURole -Name Admin IsMember: True
2022-02-18 10:37:56 PSURole -Name Supervisor IsMember: False
2022-02-18 10:37:56 PSURole -NameUser IsMember: True
(^^^ correct, all ok)

2022-02-18 10:43:50 PSURole -Name Admin IsMember: True
2022-02-18 10:43:50 PSURole -Name Admin IsMember: False
2022-02-18 10:43:51 PSURole -Name Supervisor IsMember: False
2022-02-18 10:43:51 PSURole -Name Supervisor IsMember: False
2022-02-18 10:43:51 PSURole -Name User IsMember: True
2022-02-18 10:43:51 PSURole -Name User IsMember: True
(^^^ ran through twice? and now Admin is set to false, bad)

2022-02-18 10:45:51 PSURole -Name Admin IsMember: False
2022-02-18 10:45:51 PSURole -Name Admin IsMember: True
2022-02-18 10:45:52 PSURole -Name Supervisor IsMember: False
2022-02-18 10:45:52 PSURole -Name Supervisor IsMember: False
2022-02-18 10:45:52 PSURole -Name User IsMember: True
2022-02-18 10:45:52 PSURole -Name User IsMember: True
(^^^ ran through twice again, but the 2nd time for PSURole admin shows True, so ok)

ATTEMPTED ACCESS FROM: DDDD\First.Last

To be in the ‘Admin’ role you need to be a member of SID: S-1-5-21-123123123123-123123123-12345
DDDD\First.Last is assigned to ‘Admin’ role: True

To be in the Supervisor role you need to be a member of SID: S-1-5-21-123123123123-123123123-66666
DDDD\First.Last is assigned to Supervisor role: False

To be in the User role you need to be a member of SID: S-1-5-21-123123123123-123123123-333333
DDDD\First.Last is assigned to User role: True

See how sometimes it writes out to the log just a single line for each New-PSURole:

New-PSURole -Name “Admin” -Description “admin policy”
New-PSURole -Name “Supervisor” -Description “supervisor policy”
New-PSURole -Name “User” -Description “user policy”

But at other times it appears to run each of those 3 New-PSURoles twice?

And what is tripping me up is sometimes the “admin poilicy” check will the first time return $true, then the second time return $false ?!?! How?! it’s the same lookup to check if a SamAccountName is part of an AD group (or nested group).

The only way to regain admin access is to recycle the Application Pool, and sometimes this takes multiple recycles before I get a valid $true for the admin PSURole.

I would love to know if someone has an explanation for this - or maybe even a better or more suitable/reliable way to create these 3 access policies based on AD group membership.

Cheers!
Steve.

2

Are you using Windows Authentication?

3

I think i have the same issue in 2.8.2.
$Roles include the Administrator role and some custom roles twice.

We are using Windows Authentication configured in appsettings.json if that is any help.

Using this code i can see the roles twice:

    New-UDTypography -Text "Current Roles:"
    New-UDElement -Tag 'ul' -Content {
        $Roles | ForEach-Object { if ($_ -inotlike 'S-1-*') { New-UDElement -Tag 'li' -Content { $_ } } }
    }
4

Yes, Windows Auth

“Authentication” : {
“Windows”: {
“Enabled”: “true”
},

Authentication Type
Windows - appsettings.json - enabled
Form - authentication.ps1 - disabled

I’ve noticed this ever since I’ve used PSU multiple versions of v1.x.x, v2.x.x

5

@wakeke - The duplicate roles issue will be fixed in 2.8.3. This was actually a problem with how we were constructing the ClaimsPrincipal object where multiple roles would be assigned.

@pharnos - This is mostly just a problem with how Windows Authentication is implemented. As you visit the website, multiple requests may come in to load various features of the page. Each of those requests may be authenticated and authorized until a cookie is set and\or the cache is populated.

This doesn’t explain why it fails sometimes. My suggestion would be that if you are mapping a group SID to a role then to avoid calling policy scripts at all and take advantage of the new role to claim mapping: Security - PowerShell Universal

With Windows Auth, you should already have a list of claims that include group membership so you shouldn’t have to do that yourself. You can view your claims on the roles page to ensure that you are receiving all the group claims you expect. They will be listed by SID.

2 Likes
6

Cheers @adam! Will have a look at that. I was previously working with multiple domains where some some SIDs were not listed by claims on the roles page maybe because of the cross domain trust / nested groups / foreign security principals. I now only have one domain to work with so hopefully this will work.

Thanks again for the reply, will update this thread later :slight_smile:

1 Like
7

I spent some time today switching from mapping group SIDs to a role via policy script to using the new role to claim method and I am a big fan of the increase in simplicity.

The only thing that I was doing with the policy script that I don’t have an immediate answer for was logging the users role to a file every time they authenticated, but I’m not sure that was a worthwhile endeavor in the first place.

1 Like
8

I actually was talking to another customer about this very thing yesterday. They want a running log of authentications that include the roles assigned to the user logging in. I figure we could do that on the identity page and then you’d have an audit trail that you could view and export if necessary.

2 Likes
9

That would be awesome, Adam - exactly what we’re after too.

10

That could be useful to us as well.
I think the largest part of my use case for it was to check in on the amount of users recently using dashboards before upgrading the software, pulling in changes from our dev branch or anything else that could impact the users, but I’ve started looking at active network connections and session totals instead.

1 Like
11

That would be useful for us as well.
But having the ability to send it directly to a log file or syslog would be great because then it could be caught by our central logging/SIEM system.

1 Like
12

The other thing we were thinking was add a new trigger event that allow for this kind of thing so maybe that would work.

13

Thanks @adam I’ve updated my roles.ps1 file to just 3 lines now!

New-PSURole -Name 'Administrator' -Description 'admin policy' -ClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid' -ClaimValue 'S-1-5-21-123456789-1234567890-1234567890-12345'
New-PSURole -Name 'Supervisor' -Description 'dashboard only - extra menu options' -ClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid' -ClaimValue 'S-1-5-21-123456789-1234567890-1234567890-12346'
New-PSURole -Name 'User' -Description 'dashboard only' -ClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid' -ClaimValue 'S-1-5-21-123456789-1234567890-1234567890-12347'

so far so good, on dashboard reloads and IIS app pool recycles, the $Roles variable matches the the AD groups the user is in - perfect.

1 Like
14

Hi @adam we just updated to 2.8.3 and i still see duplicated roles/groupsid when using the script i posted or when using the “View Claim Information” button. Are there still problems with the claims or could this be an issue with our installation?

image
image800×349 10.3 KB

15

Hmmm. I’m unsure. I’ll reopen that issue so we can investigate. This should have been resolved.