Get current user's credentials object in Powershell without prompting

迷失自我 2020-11-29 07:38

I have a PowerShell script that is going to be run through an automation tool against multiple servers. It works fine on Windows machines, as the remote calls use the tool'

4 Answers
  • 2020-11-29 07:43

    The Windows API will not expose the information you need, which is why PowerShell can't get to them. It's an intentional feature of the security subsystem. The only way for this to work is for the Linux machines to trust the calling machine, such as joining them to an Active Directory (or any Kerberos setup really).

    Aside from that, you'd need to store and pass this information somehow.

    You could store the RSA key in the user's keystore and extract it at runtime (using the .NET Crypto/Keystore libs), so you aren't storing the key around with the code. That way the key itself would be protected by the OS and available only when the calling user was authenticated. You'd have one more thing to install, but it may be the only way to achieve what you are aiming for.

  • 2020-11-29 07:48

    How about encrypting the password using the service account's encryption key?

    A quick example:

    Run PowerShell as the service account, run the following and save the output to a text file (or embed it in the scheduled task call):

    $String = '<PASSWORD>'
    ConvertFrom-SecureString -SecureString (ConvertTo-SecureString -String $String -AsPlainText -Force)
    

    Use the following in your scheduled task in order to decrypt and utilize the password:

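    $EncryptedString = '<ENCRYPTED PASSWORD FROM ABOVE>'
    # Decrypt into a BSTR, read the plaintext, then zero and free the unmanaged copy
    $BSTR = [Runtime.InteropServices.Marshal]::SecureStringToBSTR((ConvertTo-SecureString -String $EncryptedString))
    try { [Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR) } finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR) }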
    

    That should do the trick. You cannot reuse the encrypted password on a different computer, though, or if you for whatever reason destroy your local key store :)

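An added example (not code from any poster on this page) of the approach in the answer above: the protected string is kept in a file and turned back into a PSCredential without ever converting the password to plaintext, and the failure that answer warns about (a blob opened under a different account or on a different computer) is reported clearly. The file path, account name placeholder and function names are hypothetical.

```powershell
# Added example; the path and function names are hypothetical.
$SecretPath = Join-Path $env:LOCALAPPDATA 'automation\remote.secret'

function Save-ProtectedSecret {
    # One-time setup: run interactively AS the service account.
    param([Parameter(Mandatory)][string]$Path)
    $secure = Read-Host -Prompt 'Password to protect' -AsSecureString
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    # With no -Key/-SecureKey, ConvertFrom-SecureString protects the value with
    # DPAPI, bound to the current user on this machine.
    ConvertFrom-SecureString -SecureString $secure | Set-Content -Path $Path
}

function Get-ProtectedCredential {
    # Unattended use: rebuilds a PSCredential without producing plaintext.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$UserName
    )
    if (-not (Test-Path $Path)) {
        throw "No protected secret at '$Path'. Run Save-ProtectedSecret as the service account first."
    }
    $blob = (Get-Content -Path $Path -Raw).Trim()
    try {
        $secure = ConvertTo-SecureString -String $blob -ErrorAction Stop
    }
    catch {
        # Reached when the blob was created by another account or on another
        # machine, or when the file content is damaged.
        throw "Cannot unprotect '$Path' as $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME ($($_.Exception.Message))"
    }
    New-Object System.Management.Automation.PSCredential ($UserName, $secure)
}

# Usage in the scheduled task (account name is a placeholder):
# $cred = Get-ProtectedCredential -Path $SecretPath -UserName '<REMOTE ACCOUNT>'
# ...then pass $cred to any parameter that accepts a PSCredential.
```

Restricting the file's ACL to the service account adds a second layer, since DPAPI only stops other accounts from decrypting the blob, not from deleting or replacing it.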
  • 2020-11-29 07:51

    Since you can get the password in plaintext from a credential object, I doubt you can get this without prompting.

  • 2020-11-29 07:57

    "Trying [System.Net.CredentialCache]::DefaultNetworkCredentials shows a blank, and [System.Security.Principal.WindowsIdentity]::GetCurrent() doesn't provide the object or information I need."

    You already have your answer. I use this to pass the currently logged in user's credentials along in several scripts:

    $Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
    $Username = $Credentials.UserName
    $Password = $Credentials.Password
    

    If you try to dump them to any kind of readable output, those values are empty when you dump them (for obvious security reasons), however they do work where you need a PSCredential object.
