Unable to authenticate with AD

Hello,

I’m following the documentation about Authenticating with AD and using Claims. I basically copy/pasted the example in the docs to the authentication script and replaced the domain with my environment. I then went into the roles.ps1 and set up the claims there. For some reason I can’t authenticate. All I get is bad username/password responses. Can anyone see what I’m doing wrong? Thank you!

Authentication Script

param(
    [PSCredential]$Credential
)

# You can call whatever cmdlets you like to conduct authentication here.
# Just make sure to return the $Result with the Success property set to $true

$Result = [Security.AuthenticationResult]::new()
if ($Credential.UserName -eq 'Admin' -and $Credential.GetNetworkCredential().Password -eq 'somepassword')
{
    New-PSUAuthenticationResult -Success -UserName 'Admin'
}
elseif ($Credential.UserName -eq 'test' -and $Credential.GetNetworkCredential().Password -eq 'somepassword')
{
    New-PSUAuthenticationResult -Success -UserName 'test'
}
else
{
    # Get current domain using logged-on user's credentials - this validates their credential
    $CurrentDomain = "LDAP://DC=thedomain,DC=local" # Insert Your Domain Here
    $domain = New-Object System.DirectoryServices.DirectoryEntry($CurrentDomain, ($Credential.UserName), $Credential.GetNetworkCredential().Password)
    if ($domain.name -eq $null)
    {
        "Authentication failed for $($Credential.UserName)!" | Out-File "C:\users\ryan.duncan\desktop\adlogin.txt"
        Write-Host "Authentication failed - please verify your username and password."
        New-PSUAuthenticationResult -UserName $Credential.UserName
    }
    else
    {
        Write-Host "Successfully authenticated with domain $($domain.name)"
        "Authentication success for $($Credential.UserName)!" | Out-File "C:\users\ryan.duncan\desktop\adlogin.txt"
        New-PSUAuthenticationResult -UserName $Credential.UserName -Success -Claims {
            Get-ADPrincipalGroupMembership $Credential.UserName | Select-Object -ExpandProperty name | ForEach-Object {
                New-PSUAuthorizationClaim -Type Role -Value $_
            }
        }
    }
}

Roles Script

param(
    $User
)

# Policies should return $true or $false to determine whether the user has the particular
# claim that require them for that role.

# The boolean produced by -contains is the policy's result; a trailing bare $true
# would be emitted as well and grant the role to every user.
$Roles = $User.Claims | Where-Object Type -eq Role | Select-Object -ExpandProperty Value
$Roles -contains 'IT_Infrastructure_Technical_Team'

Product: PowerShell Universal
Version: 1.4.6

Following up on this for anyone interested. I found the issue. It appears Get-ADPrincipalGroupMembership is not working for whatever reason. I’ve tested this multiple times. A workaround would be something like this.

        Write-Host "Successfully authenticated with domain $($domain.name)"
        "Authentication success for $($Credential.UserName)!" | Out-File "C:\users\username\desktop\adlogin.txt"
        New-PSUAuthenticationResult -UserName $Credential.UserName -Success -Claims {
            (Get-ADUser -Identity $Credential.UserName -Properties memberof).memberof | Get-ADGroup | Select-Object -ExpandProperty name | ForEach-Object {
                New-PSUAuthorizationClaim -Type Role -Value $_
            }
            #Get-ADPrincipalGroupMembership $Credential.UserName | Select-Object -ExpandProperty name | ForEach-Object {
            #   New-PSUAuthorizationClaim -Type Role -Value $_
            #}
        }

@adam You may want to test yourself and update the security documentation. Thanks!

Thanks for the info! I’ll open an issue for it.
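For comparison, an added example of the same authentication script (not code from this thread or from the PowerShell Universal project) that validates the credential with an explicit bind via PrincipalContext.ValidateCredentials, so a bad password returns a definite $false instead of a DirectoryEntry whose properties only fail once touched, and builds the Role claims from GetAuthorizationGroups (which includes nested groups). The domain name is a placeholder and the script assumes the PSU cmdlets used above are available.

```powershell
param(
    [PSCredential]$Credential
)

# Added example; $DomainName is a placeholder for your AD DNS domain.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$DomainName = 'thedomain.local'
$UserName   = $Credential.UserName
$Password   = $Credential.GetNetworkCredential().Password
$Context    = $null

try {
    # ValidateCredentials performs a real bind with the caller's credentials and
    # returns $false on a wrong password rather than a half-initialised object.
    $Context = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
        [System.DirectoryServices.AccountManagement.ContextType]::Domain, $DomainName)

    if (-not $Context.ValidateCredentials($UserName, $Password)) {
        Write-Warning "Authentication failed for $UserName"
        return New-PSUAuthenticationResult -UserName $UserName
    }

    # Resolve group membership once, outside the Claims block. GetAuthorizationGroups
    # also returns nested groups; entries without a resolvable Name are skipped.
    $Principal  = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($Context, $UserName)
    $GroupNames = $Principal.GetAuthorizationGroups() |
        Where-Object { $_.Name } |
        Select-Object -ExpandProperty Name

    # One Role claim per group name, which is what the roles.ps1 policy tests with -contains.
    New-PSUAuthenticationResult -UserName $UserName -Success -Claims {
        foreach ($Group in $GroupNames) {
            New-PSUAuthorizationClaim -Type Role -Value $Group
        }
    }
}
catch {
    # Log only the user name and the error; never write the credential to disk.
    Write-Warning "Directory lookup failed for ${UserName}: $($_.Exception.Message)"
    New-PSUAuthenticationResult -UserName $UserName
}
finally {
    if ($Context) { $Context.Dispose() }
}
```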