Product: PowerShellUniversal
Version: 2.1.2
How can you configure a dashboard to run as the currently logged in user?
When you say currently logged on user, do you mean the user that is accessing the dashboard from the browser?
@adam that’s correct. I’d like to run a few scripts based on the user accessing the dashboard via web browser.
Gotcha. It’s currently not possible with the built-in functionality of PSU. ASP.NET Core (the tech stack that PSU uses) does advertise this feature: Impersonating and Reverting | Microsoft Docs
It may be possible to achieve this with the integrated environment in PSU but would likely be a feature we’d have to implement. I’m happy to add it to the backlog if that sounds like something that might be useful.
I’m not sure if impersonation is the route we would be able to take in our environment. I’ll need to look into that further.
The main goal is to have the dashboard only display a list of servers that the currently logged in user has access to and allow that user to execute a script on the server(s) they select. The plan was to take $env:CURRENTUSER and check that account’s AD security groups. From there, the user is able to run a script only on those they have access to.
@adam would it be possible to prompt the user for their SamAccountName like you have done in some of your ActiveDirectory dashboards, then throw their SamAccountName at AD to query their groups and from there display only the servers they have access to?
Drew
If you have Windows authentication enabled, you can use the $User variable to access the current user’s name. It’s not running under their context but it does have access to user info.
Thanks @adam . So far I’ve only received “Admin” (the account used to log into the PSU admin page) as the user instead of the user accessing the dashboard via web browser. I have authentication enabled on this dashboard (by going to my dashboard in the admin page, edit, authentication enabled) and tried to use $User. Do I need to modify the configuration files to allow Windows Authentication?
Yep! Here’s some info on how to enable Windows Auth: Security - PowerShell Universal
I think I’m still missing something. I’m still receiving “Admin” as the user launching the dashboard.
I have updated the appsettings json with Windows authentication set to true. File located at:
C:\Program Data\UniversalAutomation\appsettings.json
I have updated the web.config file forwardWindowsAuthToken to true located at:
C:\Program Data\PowerShellUniversal\Dashbaord\Components\UniversalDashbaord\2.7.0\web.config
I’ve installed the Windows Authentication feature and enabled it in IIS after disabling Autonomous Authentication.
What else might I be looking over @adam?
This is the wrong path to the web.config file: C:\Program Data\PowerShellUniversal\Dashbaord\Components\UniversalDashbaord\2.7.0\web.config
You need to ensure you are updating the web.config in the installation folder. It’s wherever you unzipped the PowerShell Universal binaries. If you installed from MSI, that would be: C:\Program Files (x86)\Universal
Thanks @adam, I updated the web.config file in C:\Program Files (x86)\Universal but $User is still evaluating to “Admin” and $env:USERNAME is evaluating to the account running PSU service on the backend instead of the user launching the dashboard. Any other thoughts to check?
I also noticed that when I updated from PSU 2.1.2 to 2.2.1, the $env:CURRENTUSER variable changed from the account running the PSU service and is now showing up as the hostname instead of the user. Kind of strange for that to be showing up different without modifying the dashboard.ps1 file.
Update 8/19/2021-0754:
It is possible that this might have been from the PowerShell Universal Windows service changing after running the msi for the update to 2.2.1. I was messing around with the install again and noticed that if I manually insert my credentials to run the service, my credentials will be the one running the dashboard. If I select “Local System” to run the service, then “hostname$” will be the account running the dashboard.
Still searching for the missing link of a way to pull what user is accessing the dashboard page though.
It sounds like the Windows Authentication isn’t working if you are still seeing Admin come through in the $User variable. $env:CURRENTUSER will always be the user running the dashboard service (service account, etc).
Can you provide a log from %ProgramData%\PowerShellUniversal?
That now makes sense for $env:CURRENTUSER to show up as whatever account is being used to run the PowerShell Universal Windows service. Unfortunately I’m running this tool in an environment where I cannot provide the log files.
A colleague just mentioned the idea of using endpoints to pull the client user (the user accessing the dashboard via web browser) and storing that as a variable. I’m going to read up on that feature in your documentation here: Endpoints - PowerShell Universal to see if that is feasible for this configuration.
8/19/2021-1045
@adam I figured out why $User was showing as “Admin”. I was accessing the dashboard via Chrome in the same browser that I was logged into the Admin configuration page as “Admin”. Once I logged out (verified authentication was disabled on the dashboard settings), $User is now showing as blank.
I’m reviewing Endpoints - PowerShell Universal and The Ultimate Guide to Building REST APIs with PowerShell documentation. Is it possible to use this method to pull the client’s username that accessed the dashboard through the web browser? I see how you manually insert usernames in your API examples, but not pulling the current user automatically.
Thanks for the assistance @adam, $User is now evaluating to the user account that is accessing the dashboard via web browser. I can now use this variable to query AD based upon who is accessing the dashboard. The following were the final steps that resolved the issue for me:
Open “C:\Program Files (x86)\Universal\appsettings.json”
Changed Windows Authentication Enabled to “True”:

    "Authentication" : {
      "Windows": {
        "Enabled": "True"
      },

Saved and closed appsettings.json
Restarted the PowerShell Universal Windows Service
Refreshed the dashboard page
When accessing the dashboard in a web browser, the user is now prompted to input their credentials. After entering their domain credentials, the dashboard runs the rest of the code based on that user account.
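
The goal discussed in this thread (show only the servers the authenticated user may manage, then run a script on the ones they select) could be sketched as follows; this is an added example, not code posted by anyone in the thread or taken from PowerShell Universal. The group names, server names, script path, the two function names and the assumption that $User arrives as DOMAIN\name are all hypothetical. Because the dashboard runs as the service account and $User only carries identity information, the authorization check is repeated at execution time rather than relying on the filtered list shown in the browser.

```powershell
# Added example; every group, server and path below is a constructed placeholder.
Import-Module ActiveDirectory

# Hypothetical mapping: AD security group -> servers its members may manage.
$ServerAccess = @{
    'SRV-Web-Operators' = @('web01', 'web02')
    'SRV-Db-Operators'  = @('db01')
}

function Get-AllowedServer {
    param(
        [Parameter(Mandatory)][string]$UserName,   # rejects a blank $User
        [Parameter(Mandatory)][hashtable]$AccessMap
    )
    # Assumption: $User looks like DOMAIN\name; keep only the SamAccountName.
    $sam = ($UserName -split '\\')[-1]

    # Direct group memberships only; nested groups are not expanded here.
    $groups = Get-ADPrincipalGroupMembership -Identity $sam |
        Select-Object -ExpandProperty Name

    $AccessMap.GetEnumerator() |
        Where-Object { $groups -contains $_.Key } |
        ForEach-Object { $_.Value } |
        Sort-Object -Unique
}

function Invoke-ServerScript {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][hashtable]$AccessMap
    )
    # Re-check server-side: the selection comes from the browser, and the
    # command below runs as the PSU service account, not as $UserName.
    $allowed = @(Get-AllowedServer -UserName $UserName -AccessMap $AccessMap)
    $denied  = @($ComputerName | Where-Object { $allowed -notcontains $_ })
    if ($denied.Count -gt 0) {
        throw "User '$UserName' is not authorized for: $($denied -join ', ')"
    }
    Invoke-Command -ComputerName $ComputerName -FilePath 'C:\Scripts\Maintenance.ps1'
}
```

In a dashboard, `Get-AllowedServer -UserName $User -AccessMap $ServerAccess` would populate the server list, and the button handler would call `Invoke-ServerScript` with the same `$User` and the selected names.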