Powershell - connecting to the logged on user's vault
I am currently tying to make a Powershell(local) entry which needs to get and write to credential entries in the logged on user's private vault.
But I am not able to connect to the datasource as the user (Should be able to give to another user and they can run it as them without editing the script itself).
The entry will run in RDM in an already open DVLS vault as the user - can I piggyback on the connection and datasource from RDM somehow?
I have also tried to connect with a normal powershell script, but cant get it to work:
$license = Get-RDMRegistrationInfo $license.Name = 'Remote Desktop Manager' $license.Email = '' $license.Serial = '3EP33-BN66P-DU3E8-YYYYY-XXXXX' Set-RDMRegistrationInfo $license $dsname = "ScriptDPS" $dsurl = "https://secret.url.internal" $ds = New-RDMDataSource -DVLS -Name $dsname -Server $dsurl -SetDatasource Set-RDMDatasourceProperty $ds -Property "UseWindowsAuthentication" -Value "True" Set-RDMDataSource $ds Set-RDMCurrentDataSource $ds Get-RDMCurrentDataSource Registration successful ID : 4ad09ad6-f532-4409-abdc-e2576aa156fc IsConnected : False IsOffline : False Name : ScriptDPS Type : RDMS
Always end with an "IsConnected: False".
If I add appkey/secret with the UseWindowsAuthentication, then do I get "InvalidUserNameOrPasswordPleaseVerifyYourCredentials". Can connect with Appkey/secret, but dont know if I can acces a private uservault from there - so not sure where to look for a solution.
RDM: 2022.2.21.0
DVLS: 2022.2.10.0
PS Module: 2022.2.3.0
PS Version: 5.1.19041.1682
Kind regards
Martin Jensen
All Comments (14)
Hello,
It is possible to connect to an existing user data source using this commands. You need to use the name of the user's data source that is already existing in RDM. If this script will run on multiple user context, then they should have all the same data source name.
$ds = Get-RDMDataSource -Name <datasourcename>
Set-RDMCurrentDataSource $ds
It is not possible to use an application key to add entries in a user vault.
Let me know if that helps.
Best regards,
Érica Poirier
HI,
Been away, so sorry for the late reply.
Found out it isn't PowerShell (local), but just a PowerShell entry with embedded script.
Just to make it simple have I created a DVLS Data Source named DPS in RDM.
Created a PowerShell Entry in my User Vault with the code:
$ds = Get-RDMDataSource -Name "DPS" Set-RDMCurrentDataSource $ds Get-RDMCurrentDataSource
It starts and loads the RDM module, but then does it pop up the webpage for the DVLS and ask me to log on..
The PowerShell console says "Waiting for Devolution Server autehntication..."
As the idea is to retrieve the password for the user logged on (manged by a PAM sysatem), then doesn't the user known what it is and can't logged in - want to use Windows Authentication as in the Data Source.
DataSource.PNG
HI,
I might have found the issue - I had a OptionFilePath in PowerShell Override - replaced it with $null and now does it look correct....
I will test futher and see if that fixes it for me :)
Kind regards
Martin Jensen
Got a lot futher, but have a new question - Can I get a password (as plain text) from an username/password credential entry in my own uservault?
This is what I am trying to do (this script will each user be using for their own vault):
- Piggyback on the logged on user's windows authentication to open a DVLS Data Source
- Access that user's own private vault
- Read the username and password in a credential entry
- Use those credentials to access the API of a PAM system (need the password in plain text for the auth header)
- From the API get the password of an admin account
- Write the password back to another username/password entry in the private vault
Kind regards
Martin Jensen
Hello Martin,
Is the data source DPS you use have the Windows Authentication option enabled?
To get a credential from the the user vault, you need to use the Get-RDMPrivateSession cmdlet. Then using the object, you can use the Get-RDMPrivateSessionUsername and Get-PrivateSessionPassword to get the information.
$session = Get-RDMPrivateSession -Name "MyPrivateSession" $username = Get-RDMPrivateSessionUsername -Session $session $password = Get-PrivateSessionPassword -Session $session -AsPlainText
Let me know if that helps.
Best regards,
Érica Poirier
Hi,
Works a lot better as I were using Get-RDMPrivateCredentials on the entry, which returned only a secure string.
Best regards
Martin Jensen
Hello Martin,
Thank you for your feedback. It's good news that the Get-RDMPrivateSession and Get-PrivateSessionPassword cmdlets can help you move forward.
Let us know if there is anything else we can help you with.
Best regards,
Érica Poirier
Works all they way down, untill I try to write a password back to another credential entry:$spw = ConvertTo-SecureString "$pw" -AsPlainText -Force$session = Get-RDMPrivateSession -Name "AdminUser"Set-RDMPrivateSessionPassword -Session $session -Password $spw
No error, but nothing gets updated... ?!?
Hello,
Once you have updated the session, you need to save it using the Set-RDMSession cmdlet like this:
Set-RDMSession -Session $session -Refresh.
That should do the trick.
Best regards,
Érica Poirier
Hi,
Doesn't work as I get an error :
RemoteDesktopManager.PowerShellModule.PSOutputObject.PSConnection
Set-RDMPrivateSession : Connection has invalid group specified.
At C:\Users\ap0martijen\AppData\Local\Temp\RDM\53d9da2a-f111-4fe9-b49b-2d0aa8607417.ps1:63 char:1 + Set-RDMPrivateSession -Session $adminsession -Refresh + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [Set-RDMPrivateSession], Exception + FullyQualifiedErrorId : 0,RemoteDesktopManager.PowerShellModule.SetRDMPrivateSessionCommand
PS C:\Program Files (x86)\Devolutions\Remote Desktop Manager> Get-RDMPrivateSession -name "PAM AP0"
DocumentData :
HostResolved :
PsPlaylistLocal :
SubConnections : {}
UserSpecficSettings :
AlwaysAskForResources : False
AutoReconnection : True
CommandLineWaitForApplicationToExit : False
Console : False
DesktopComposition : False
DisableBitmapCache : False
DisableCursorSetting : False
DisableFullWindowDrag : False
DisableMenuAnims : False
DisableThemes : False
DisableWallpaper : False
DisplayConnectionBar : True
FontSmoothing : False
Span : False
UsesClipboard : True
UsesDevices : False
UsesHardDrives : True
UsesPrinters : False
UsesSerialPorts : False
UsesSmartDevices : False
AllowClipboard : False
AllowPasswordVariable : False
AllowViewPasswordAction : False
AlternalteHostVPNBefore : False
AlternateHostAllowCustomHost : False
AutomaticallyClose : False
ConfluenceIgnoreCertificateAuthentication : False
ConfluenceIgnoreCertificateErrors : False
DomainHostOverride : False
Encrypt : True
ExcludeFromNotifications : False
ExludeFromOpenedSession : False
GoOfflineOnConnect : False
IncludeInFavorite : False
OpenEmbedded : False
PromptCredentials : False
SharedTemplate : False
ShowInTrayIcon : True
Undocked : False
UseVPN : False
Image :
TemplateGroupData :
ApplicationIntegrationMode : Default
AuthentificationLevel : Default
ScreenColor : C32Bits
ScreenSize : Default
SoundHook : Default
WebBrowserApplication : Default
AlternateHostMode : Default
ColorMode : Custom
ConnectionStringMode : Default
ConnectionType : Credential
CredentialInheritedMode : Default
DescriptionMode : Text
DisplayMonitor : Default
DisplayVirtualDesktop : Current
DomainOverrideType : Default
ForeColorStyle : Status
HostSourceMode : SessionSpecific
IntelligentCacheAction : AddUpdate
KeyboardHook : Default
PinEmbeddedMode : Default
PingConnectionMethod : Default
PingConnectionMode : Default
ReconnectMode : Default
RiskyEvents : Default
ShowDocumentationTab : Inherited
TabGroupMode : Custom
TemplateSearchPathMode : None
UndockMaximized : Default
UserNameFormat : Default
Visibility : Default
AutomaticallyCloseInterval : 0
HostPort : 0
PingConnectionScanPort : 0
SortPriority : 0
SubMode : 0
WakeOnLANPort : 0
ID : b0671f7c-a148-4c9f-85a0-053438b5d45d
SecurityGroup : 00000000-0000-0000-0000-000000000000
UserVaultMigrationID : 00000000-0000-0000-0000-000000000000
AlternateShell :
CommandLine :
CommandLineWorkingDirectory :
RDPFileName :
ShellWorkingDirectory :
Url :
WebBrowserUrl :
AlternateHosts :
ClearTextPassword :
ClearTextPrivateKeyData :
Color :
ConfluenceDocumentationUrl :
ConnectionStringConnectionID :
ConnectionSubType :
CreatedBy : XXXX\ap0XXXX
CreationSource :
CredentialConnectionGroup :
CredentialConnectionID :
CredentialConnectionSavedPath :
CredentialDynamicDescription :
CredentialDynamicValue :
CredentialPrivateVaultSearchString :
CustomDnsServer :
CustomPort :
CustomStatus :
Data :
DataFileName :
Description :
DescriptionRtf :
DescriptionUrl :
DocumentationTitle :
DocumentLinkConnectionID :
ForeColor :
Group : Credentials
GroupCredentialPrompt :
GroupTab :
Host :
HostConnectionID :
HostConnectionSavedPath :
HostDomain :
HostFull :
HostNetworkInterfaceMac : en0
HostUserName : XXXX.intern\$P0NAME$+XXXX.intern\$AP0NAME$+$NAME$
HostWithPort :
ImageMD5 :
ImageName :
Name : PAM AP0
PamCredentialID :
PamCredentialName :
ParentID :
PersonalConnectionID :
PrivateKeyConnectionID :
PrivateKeySearchString :
RepositoryID : 79fafcf8-b820-4f12-9eef-c8ea6eff8eb3
Stamp : 90e6553f-6868-48a0-9aa3-64b552b29107
Status :
StatusLockedBy :
StatusMessage :
SwitchDataSourceID :
SwitchDataSourceName :
SwitchRepositoryFolder :
SwitchRepositoryID :
SwitchRepositoryName :
TabTitle :
TemplateName :
TemplateSearchPath :
TemplateSecurityGroup :
TemplateSourceID :
UpdatedBy : XXXX\ap0XXXX
WakeOnLANBroadcastIPAddress :
VNCOptions :
VNCUrl :
VPNDomain :
VPNName :
VPNSafePassword :
VPNUserName :
CreationDateTime : 20-09-2022 12:47:01
UpdateDateTime : 26-10-2022 12:41:37
ActiveDirectoryConsole : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSActiveDirectoryConsoleConnection
AddOn : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSAddOnConnection
Agent : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSAgentConnection
AppleRemoteManagement : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSAppleRemoteManagementConnection
Autofill : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSAutofillConnection
Aws : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSAwsConnection
Azure : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSAzureConsoleConnection
AzureStorage : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSAzureStorageConnection
BeyondTrustPasswordSafeConsole : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSBeyondTrustPasswordSafeConsoleConnection
BoxNet : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSBoxNetConnection
ChromeRemoteDesktop : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSChromeRemoteDesktopConnection
Citrix : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSCitrixConnection
CloudBerryRemoteAssistant : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSCloudBerryRemoteAssistantConnection
Cmd : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSCmdConnection
ControlUp : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSControlUpConnection
Credentials : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSCredentialsConnection
Customer : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSCustomerConnection
CyberArkDashboard : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSCyberArkDashboardConnection
CyberArkPSM : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSCyberArkPSMConnection
Dameware : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSDamewareConnection
DataEntry : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSDataEntryConnection
DataReport : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSDataReportConnection
DeskRoll : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSDeskRollConnection
DevolutionsGateway : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSDevolutionsGatewayConnection
Document : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSDocumentConnection
DropBox : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSDropBoxConnection
DvlsPamDashboard : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSDVLSPamDashboardConnection
Events : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSConnectionEvents
FileExplorer : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSFileExplorerConnection
Ftp : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSFtpConnection
GoogleCloud : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSGoogleCloudConnection
GoogleDrive : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSGoogleDriveConnection
GotoAssist : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSGoToAssistConnection
GroupDetails : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSGroupConnection
HostDetails : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSHostConnection
Hub : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSHubConnection
HyperV : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSHyperVConnection
IDrac : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSIDracConnection
ILO : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSILOConnection
Intel : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSIntelConnection
InventoryReport : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSInventoryReportConnection
ITerm : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSITermConnection
Jump : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSJumpConnection
JumpCommand : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSJumpCommand
JumpDesktop : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSJumpDesktopConnection
LogMeIn : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSLogMeInConnection
MetaInformation : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSConnectionMetaInformation
OTP : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSConnectionOTP
PlayList : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSPlayListConnection
PowerShell : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSPowerShellConnection
ProxyTunnel : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSProxyTunnelConnection
ProxyTunnelMac : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSProxyTunnelConnectionMac
Putty : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSPuttyConnection
Radmin : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSRadminConnection
RDCommander : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSRDCommanderConnection
RDGateway : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSRDGatewayConnection
RDP : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSRDPConnection
Recording : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSRecordingConnection
RemoteAssistance : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSRemoteAssistanceConnection
ReportTool : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSReportToolConnection
Root : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSRootConnection
RunAsConnection : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSRunAsConnection
S3 : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSS3Connection
Scp : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSScpConnection
Script : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSScriptConnection
Security : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSSecurityConnection
Shortcut : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSShortcutConnection
SkyDrive : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSSkyDriveConnection
SmartFolder : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSSmartFolderConnection
SNMPReport : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSSNMPReportConnection
Spiceworks : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSSpiceworksConnection
Splunk : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSSplunkConnection
Stats : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSStatsConnection
Sync : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSSyncConnection
TeamViewer : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSTeamViewerConnection
TeamViewerConsole : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSTeamViewerConsoleConnection
Template : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSTemplateConnection
Terminal : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSTerminalConnection
TerminalConsole : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSTerminalServerConnection
TerminalMac : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSTerminalConnectionMac
Tools : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSToolConnection
VirtualBox : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSVirtualBoxConnection
VMRC : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSVMRCConnection
VMWare : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSVMWareConnection
VNC : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSVNCConnection
VPN : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSVPNConnection
VPNMac : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSVPNConnectionMac
Web : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSWebConnection
WebDav : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSWebDavConnection
WindowsAdminCenter : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSWindowsAdminCenterConnection
XenServer : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSXenServerConnection
XWindow : RemoteDesktopManager.PowerShellModule.PSOutputObject.PSXWindowConnectionHello,
Sorry for the late reply.
According to the error message Set-RDMPrivateSession : Connection has invalid group specified, the Credentials folder doesn't exist in your user vault. Is that possible?
Best regards,
Érica Poirier
I first Get-RDMPrivateSession and do the Set-RDMPrivatePassword on the object before trying to Set-RDMPrivateSession on same Session - so the Group it contains (a Folder in my private vault) is present and have the correct value "Credentials" as seen in my post above. I dont try to create a new session, but to modify an old one.
Kind regards
Martin Jensen
It works if I place the username/password entry in the root of my private vault... But that shouldn't be an issue with having it in a folder?!?
Hello Martin,
Thank you for your feedback.
I have been able to reproduce this issue using the RDM PowerShell module 2022.2.3 on a DVLS version 2022.2.11.
Using the latest DVLS version 2022.3.3 and RDM PowerShell 2022.3.0.0, I am no longer able to reproduce this problem. So the solution would be to update DVLS, RDM and RDM PowerShell module to the latest 2022.3 version.
Let me know once the new version will be deployed if everything works as expected.
Best regards,
Érica Poirier