Universal Automation with Dashboard on IIS - Authentication Concept


I need some help and inspiration on how the Authentication and Authorization is supposed to be implemented in Universal Automation & Dashboard hosted in IIS. Especially with the app tokens.

Our goal is to have a forms-based login on Universal Dashboard backed by a Windows Active Directory.

I’ve studyed the examples on the docs page, but they have different concepts:

  • [sample-script](https:/ /docs.universalautomation.io/sample-script)
  • [authentication](https:/ /docs.universalautomation.io/dashboard/authentication)

Automation part hosted in IIS, reachable as powershell-api.company.com:

$uaServerSplat = @{
    ConnectionString    = 'C:\PathToDatabase\database.db'
    RepositoryPath      = 'C:\PathToRepository'
    GitRemote           = 'https://remote/repo.git'
    GitRemoteCredential = $cred
    JwtSigningKey       = 'some-very-long-key'
    JwtAudience         = 'Universal Automation'
    JwtIssuer           = 'Company'
    InProcess           = $true

Start-UAServer @uaServerSplat

Dashboard part hosted in IIS, reachable as powershell.company.com:

Connect-UAServer -ComputerName 'https:/ /powershell-api.company.com'
$dashboard = New-UADashboard -ComputerName 'https:/ /powershell-api.company.com'

$authMethod =  New-UDAuthenticationMethod -Endpoint {
    param ([PSCredential] $Credential)

    if (Test-Credential -Credential $Credential -Method 'ActiveDirectory' -Quiet)
        # If the test credentail cmdlet against active directory was
        # successful, get direct group members of the user and check if he
        # has the necessary role group.
        $groups = Get-ADUser -Identity $Credential.Username -Credential $Credential -Properties 'MemberOf' |
                    Select-Object -ExpandProperty 'MemberOf' |
                        ForEach-Object { $_.Split('=,')[1] }

        if ($groups -contains 'Automation Administrators')
            $role = 'Administrator'
        elseif ($groups -contains 'Automation Operators')
            $role = 'Operator'
        elseif ($groups -contains 'Automation Readers')
            $role = 'Reader'
            New-UDAuthenticationResult -ErrorMessage 'Missing user group assignment.'

        # Will not work ???
        $appToken = Grant-UAAppToken -IdentityName $Credential.Username -Role $role
        New-UDAuthenticationResult -ErrorMessage 'Wrong username or password.'

$dashboard.LoginPage = New-UDLoginPage -AuthenticationMethod $authMethod
Start-UDDashboard -Dashboard $dashboard -AllowHttpForLogin -Wait

My problem starts with this:

As I’ve created the first app token, the API will switch to authenticated. After that, the dashboard itself doesn’t have the option to get and grand new token -> access denied. So how should I authenticate the Dashboard against the Automation? Must I first initially create a System AppToken and speify it in the dashboard all the time we use the api?

Kind Regards
Claudio Spizzi

This is a bit of a miss on the architecture of this. Start-UAServer will return the system app token after starting the server. You should store that AppToken into a secret manager or a environment variable of your choice so then you can pass the AppToken to Connect-UAServer when starting the dashboard.

But the Start-UAServer will not return anything, if it is used with the InProcess parameter is used, right? So, in this use case with IIS, this will not work.

I’ve tried to implement a workaround - so storing the first app token on the IIS server somewhere in the file system. But as soon as I’ve created the first app token, any subsequent request will end in a 401 (Unauthorized). This is the bug report:

Ok. Thanks for trying. I’ll take a look at this today and try to reproduce. I’ll update the GitHub issue with my findings.