Windows Authentication for UAD not working as expected

I’m trying to set up Universal Automation with the dashboard. Both are licensed.

UADashboard is running under IIS, with Windows authentication enabled (all other auth methods disabled). This seems to work fine.

However, any user can now access the dashboard and create scripts. I would have expected that only configured identities would be able to access anything (with Read Only identities and Operators not being allowed to create or alter scripts).

I attempted to make a simple authorization policy, which attempts to fetch the UA Identity and sets an apptoken if that’s successful, but to no avail; the policy doesn’t seem to do anything.

Here’s the code for that policy:

    $AuthPolicy = New-UDAuthorizationPolicy -Name "Policy" -Endpoint {
        param($ClaimsPrincipal)

        $UserName = $ClaimsPrincipal.Identity.Name

        if (-not $Session:AppToken)
        {
            # TODO: role based on AD groups.
            # For now the identity simply has to exist in UA.
            $Identity = Get-UAIdentity -Name $UserName
            if ($null -ne $Identity)
            {
                # Cache the app token for this session and allow access.
                $Session:AppToken = Grant-UAAppToken -Identity $Identity
                $true
            }
            else
            {
                # Unknown identity: deny access.
                $false
            }
        }
        else
        {
            # A token is already cached for this session.
            $true
        }
    }

    $Auth = New-UDAuthenticationMethod -Windows
    $LoginPage = New-UDLoginPage -AuthenticationMethod @($Auth) -AuthorizationPolicy $AuthPolicy -PassThru

How do I go about enabling authorization on UA Dashboard?

Have you applied roles to the identities that are logging in prior to this? This particular configuration should apply the role that the identity has assigned.

Here’s a sample script that applies the role during the authorization process: https://docs.universalautomation.io/sample-script

What version of UA\UAD are you using?

Additional question: We are looking at simplifying UD\UA authentication\authorization so I’m just gonna start asking this whenever an auth question comes up:

I see you are using Windows auth. How are you applying roles? Is it group based or user based?

Thanks for your quick reply!

I believe I am running Universal Automation 1.1.0 with the included dashboard. (I never noticed the updates since last month. I’ll upgrade to 1.3.1 right away)

I adapted my config from the script you provided.
I believe it never attempts to apply a role. I just reset my UA configuration and I can still access the portal, regardless of username / group membership.
Could it be that it is not applying any authentication / authorization at all?
(I have not enabled authorization in UA, because when I tried that, I got the message that this is not supported in UAD. Hence the reset of the configuration)

As for your second question; I was planning on altering the authorization script, so that it would check group membership in AD. But, I wanted to test with manually configured identities first.

The way the dashboard was designed in early versions would apply the system app token if no other user’s session token was defined. We resolved this in more recent versions. Give 1.3.1 a shot and get back to me. It’s much better than 1.1.

Alright. It turns out I was running 1.2.1. I now upgraded to 1.3.1. (N.b. Windows Installer reports 1.1.0 in Add/Remove Programs.)

I’m a bit further along now. I enabled authentication in UA and added a few logging statements to my UAD PS1 that runs under IIS.

The site now shows me a (Windows) username/password dialog box. If I fill in my Windows credentials, I get the same dialog box again. In my logs, I see that it entered the authorization policy, saw my username and granted me an apptoken.

On repeated tries, I do not see it entering the Auth policy again. When I close and restart my browser, it does enter the auth policy again.

In Chrome Developer Tools I see that the XHR calls to the API fail:

    xhr.js?b50d:178 GET https://universalautomation.removed.nl/api/universal-automation/api/v1/accessible?t=1587412843859 401 (Unauthorized)

My code for UAD:

    Import-Module "$Env:UAPATH\UniversalAutomation\UniversalAutomation.psd1"
    Import-Module "$Env:UAPATH\UniversalAutomation.Dashboard\UniversalAutomation.Dashboard.psd1"

    $ComputerName = 'http://localhost:10000'

    # The license is read with -Raw; the app token is read without it.
    $Env:UDLICENSE = (Get-Content c:\license\udlicense.txt -Raw)
    $Env:UAAppToken = (Get-Content c:\license\apptoken.txt)

    Connect-UAServer -ComputerName $ComputerName -AppToken $Env:UAAppToken

    $AuthPolicy = New-UDAuthorizationPolicy -Name "Policy" -Endpoint {
        param($ClaimsPrincipal)

        $UserName = $ClaimsPrincipal.Identity.Name
        $UserName | Out-File -FilePath "c:\license\test.txt" -Append

        if (-not $Session:AppToken)
        {
            "No apptoken found" | Out-File -FilePath "c:\license\test.txt" -Append
            $Identity = Get-UAIdentity -Name $UserName
            if ($null -eq $Identity)
            {
                "Creating new identity!" | Out-File -FilePath "c:\license\test.txt" -Append
                $Role = Get-UARole -Name "Administrator"
                # Capture the new identity object; Grant-UAAppToken below needs it.
                $Identity = New-UAIdentity -Name $UserName -Role $Role
            }

            "Granting apptoken" | Out-File -FilePath "c:\license\test.txt" -Append
            $Session:AppToken = Grant-UAAppToken -Identity $Identity
        }

        "Returning true" | Out-File -FilePath "c:\license\test.txt" -Append
        $true
    }

    $Auth = New-UDAuthenticationMethod -Windows
    $LoginPage = New-UDLoginPage -AuthenticationMethod @($Auth) -AuthorizationPolicy $AuthPolicy -PassThru

    Start-UADashboard -Wait -LoginPage $LoginPage -ComputerName $ComputerName

I’ve been trying to get the UA Dashboard to work under IIS for days now and I have not made much progress.

Today I reset the configuration and tried to implement forms authentication based on the example script, while still running the dashboard (not UA, just UAD) under IIS.

This works insofar as I get the login form and I can login, but after logging in I get:
" We connected to Universal Automation but it was not accessible. You may have run Universal Automation and configured authenticaiton, which UA Desktop does not support. If you want to start over, delete the files in %LOCALAPPDATA%\UniversalAutomation."

What am I doing wrong here? Please help.

And just like that, 5 minutes later I managed to get forms authentication working. There were two things:

  1. You need to load the license with the -Raw parameter, but the apptoken without.

    $Env:UDLICENSE = (Get-Content c:\license\udlicense.txt -Raw)
    $Env:UAAppToken = (Get-Content c:\license\apptoken.txt)

I saved the apptoken to a text file using:

    $apptoken = Enable-UAAuthentication
    $apptoken.Token | Out-File 'C:\License\apptoken.txt'

  2. You need to get the literal token value after granting an apptoken, not the apptoken object.
     This is what I got from the example linked above, but seems to be wrong:

    $Session:AppToken = Grant-UAAppToken -Identity $Identity

but this works for me:

    $Session:AppToken = (Grant-UAAppToken -Identity $Identity).Token

Now on to getting this to work with Windows authentication…
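As an added example (not code from the thread, its author or the Universal Automation project), here is a Windows-authentication authorization policy that does what the original poster planned: map AD group membership to UA roles instead of requiring pre-created identities, and deny anyone outside the mapping rather than creating an Administrator identity for every authenticated Windows user as the debugging script earlier in the thread does. It uses only the cmdlets that appear in the thread (`Get-UARole`, `Get-UAIdentity`, `New-UAIdentity`, `Grant-UAAppToken`, `New-UDAuthorizationPolicy`, `New-UDAuthenticationMethod`, `New-UDLoginPage`), captures the identity returned by `New-UAIdentity`, and stores the literal `.Token` value as found above. The group names, the `Operator` and `Reader` role names, the log path and the assumption that `$ClaimsPrincipal` is the Windows principal built by IIS (so `IsInRole` checks AD group membership) are all assumptions.

```powershell
# Added example: group-based authorization for UA Dashboard under IIS Windows auth.
# Group names, non-Administrator role names and the log path are assumptions.

$AuthPolicy = New-UDAuthorizationPolicy -Name "GroupPolicy" -Endpoint {
    param($ClaimsPrincipal)

    # The map is defined inside the endpoint because UD endpoints run in their
    # own runspace and do not see variables from the outer script.
    # First match wins, so the most privileged group is listed first.
    $GroupRoleMap = [ordered]@{
        'CONTOSO\UA-Admins'    = 'Administrator'   # role name used in the thread
        'CONTOSO\UA-Operators' = 'Operator'        # assumed UA role name
        'CONTOSO\UA-Readers'   = 'Reader'          # assumed UA role name
    }
    $AuthLog = 'C:\license\auth.log'               # assumed path

    # A token already cached in this session means the user was authorized earlier.
    if ($Session:AppToken) { return $true }

    $UserName = $ClaimsPrincipal.Identity.Name

    # Assumption: $ClaimsPrincipal is the WindowsPrincipal from IIS, so IsInRole
    # resolves "DOMAIN\Group" against the user's group SIDs.
    $RoleName = $null
    foreach ($Group in $GroupRoleMap.Keys) {
        if ($ClaimsPrincipal.IsInRole($Group)) {
            $RoleName = $GroupRoleMap[$Group]
            break
        }
    }

    # Deny by default: no mapped group, no access, and leave an audit line.
    if (-not $RoleName) {
        "$(Get-Date -Format o) DENY  $UserName (no mapped group)" | Out-File -FilePath $AuthLog -Append
        return $false
    }

    $Role = Get-UARole -Name $RoleName
    $Identity = Get-UAIdentity -Name $UserName
    if ($null -eq $Identity) {
        # Capture the new identity object; Grant-UAAppToken needs it below.
        $Identity = New-UAIdentity -Name $UserName -Role $Role
    }

    # Store the literal token string, not the token object.
    $Session:AppToken = (Grant-UAAppToken -Identity $Identity).Token
    "$(Get-Date -Format o) ALLOW $UserName as $RoleName" | Out-File -FilePath $AuthLog -Append
    return $true
}

$Auth = New-UDAuthenticationMethod -Windows
$LoginPage = New-UDLoginPage -AuthenticationMethod @($Auth) -AuthorizationPolicy $AuthPolicy -PassThru
```

Because the policy only runs when no token is cached in the session, a user whose group membership changes keeps the role granted at first logon until the session ends; if that matters, re-evaluate the mapping on every call instead of returning early on `$Session:AppToken`.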
