Universal Automation with Dashboard on IIS - Authentication Concept

Hi

I need some help and inspiration on how the Authentication and Authorization is supposed to be implemented in Universal Automation & Dashboard hosted in IIS. Especially with the app tokens.

Our goal is to have a forms-based login on Universal Dashboard backed by a Windows Active Directory.

I’ve studied the examples on the docs page, but they have different concepts:

  • [sample-script](https://docs.universalautomation.io/sample-script)
  • [authentication](https://docs.universalautomation.io/dashboard/authentication)

Automation part hosted in IIS, reachable as powershell-api.company.com:

$uaServerSplat = @{
    ConnectionString    = 'C:\PathToDatabase\database.db'
    RepositoryPath      = 'C:\PathToRepository'
    GitRemote           = 'https://remote/repo.git'
    GitRemoteCredential = $cred
    JwtSigningKey       = 'some-very-long-key'
    JwtAudience         = 'Universal Automation'
    JwtIssuer           = 'Company'
    InProcess           = $true
}

Start-UAServer @uaServerSplat

Dashboard part hosted in IIS, reachable as powershell.company.com:

Connect-UAServer -ComputerName 'https://powershell-api.company.com'
$dashboard = New-UADashboard -ComputerName 'https://powershell-api.company.com'

$authMethod = New-UDAuthenticationMethod -Endpoint {
    param ([PSCredential] $Credential)

    if (Test-Credential -Credential $Credential -Method 'ActiveDirectory' -Quiet)
    {
        # If the test credential cmdlet against active directory was
        # successful, get direct group members of the user and check if he
        # has the necessary role group.
        $groups = Get-ADUser -Identity $Credential.Username -Credential $Credential -Properties 'MemberOf' |
                    Select-Object -ExpandProperty 'MemberOf' |
                        ForEach-Object { $_.Split('=,')[1] }

        if ($groups -contains 'Automation Administrators')
        {
            $role = 'Administrator'
        }
        elseif ($groups -contains 'Automation Operators')
        {
            $role = 'Operator'
        }
        elseif ($groups -contains 'Automation Readers')
        {
            $role = 'Reader'
        }
        else
        {
            New-UDAuthenticationResult -ErrorMessage 'Missing user group assignment.'
            return
        }

        # Will not work ???
        $appToken = Grant-UAAppToken -IdentityName $Credential.Username -Role $role
    }
    else
    {
        New-UDAuthenticationResult -ErrorMessage 'Wrong username or password.'
        return
    }
}

$dashboard.LoginPage = New-UDLoginPage -AuthenticationMethod $authMethod
Start-UDDashboard -Dashboard $dashboard -AllowHttpForLogin -Wait

My problem starts with this:

As I’ve created the first app token, the API will switch to authenticated. After that, the dashboard itself doesn’t have the option to get and grant a new token -> access denied. So how should I authenticate the Dashboard against the Automation? Must I first initially create a System AppToken and specify it in the dashboard all the time we use the api?

Kind Regards
Claudio Spizzi

This is a bit of a miss on the architecture of this. Start-UAServer will return the system app token after starting the server. You should store that AppToken into a secret manager or an environment variable of your choice so then you can pass the AppToken to Connect-UAServer when starting the dashboard.
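The flow described in this reply, as an added example that is not part of the original thread or the Universal Automation project: the Automation host captures the system app token returned by Start-UAServer and stores it, and the Dashboard host reads it back and passes it to Connect-UAServer. It assumes Start-UAServer returns the token as a string and that Connect-UAServer accepts it through an -AppToken parameter; the environment variable name is made up for the example.

```powershell
# Added example, not code from the thread. Assumptions: Start-UAServer returns
# the system app token as a string, and Connect-UAServer takes it via -AppToken.

# --- Automation host (powershell-api.company.com) ---
$uaServerSplat = @{
    ConnectionString = 'C:\PathToDatabase\database.db'
    RepositoryPath   = 'C:\PathToRepository'
    JwtSigningKey    = 'some-very-long-key'
    JwtAudience      = 'Universal Automation'
    JwtIssuer        = 'Company'
}
$systemAppToken = Start-UAServer @uaServerSplat
if ([string]::IsNullOrEmpty($systemAppToken)) {
    throw 'Start-UAServer did not return a system app token; nothing to store.'
}

# Persist the token for the dashboard. An environment variable is used here
# for illustration; a secret manager is the better place on a shared IIS host.
[Environment]::SetEnvironmentVariable('UA_SYSTEM_APPTOKEN', $systemAppToken, 'Machine')

# --- Dashboard host (powershell.company.com) ---
$appToken = [Environment]::GetEnvironmentVariable('UA_SYSTEM_APPTOKEN', 'Machine')
if ([string]::IsNullOrEmpty($appToken)) {
    throw 'UA_SYSTEM_APPTOKEN is not set; the dashboard cannot authenticate to the API.'
}

# The dashboard authenticates to the API with the system token, so later calls
# such as Grant-UAAppToken inside the login endpoint are no longer anonymous.
Connect-UAServer -ComputerName 'https://powershell-api.company.com' -AppToken $appToken
```

The stored token grants full API access, so the file or variable holding it should be readable only by the IIS application pool identity that runs the dashboard.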

But the Start-UAServer will not return anything if it is used with the InProcess parameter, right? So, in this use case with IIS, this will not work.

I’ve tried to implement a workaround - storing the first app token on the IIS server somewhere in the file system. But as soon as I’ve created the first app token, any subsequent request will end in a 401 (Unauthorized). This is the bug report:

Ok. Thanks for trying. I’ll take a look at this today and try to reproduce. I’ll update the GitHub issue with my findings.