Hi,
I used the claims example: Security - PowerShell Universal to authenticate domain users in PSU.
```powershell
$Result = [Security.AuthenticationResult]::new()
if ($Credential.UserName -eq 'Admin')
{
    # Maintain the out of box admin user
    New-PSUAuthenticationResult -UserName 'Admin' -Success
}
else
{
    $CurrentDomain = "LDAP://DC=mydemodomain,DC=com"
...
```
After the authentication.ps1 code update I can authenticate AD users, but I can also log in with the admin account using any password.
Is there a way to prevent this without matching the password like this in plain text?
```powershell
if ($Credential.UserName -eq 'Admin' -and $Credential.GetNetworkCredential().Password -eq 'MySuperSecretPassword')
{
    New-PSUAuthenticationResult -Success -UserName 'Admin'
}
```
Product: PowerShell Universal
Version: 3.9.15
I have the password stored as a secure string with Export-Clixml and then convert it back to plain text for the comparison. Could even do this with secrets management module.
Something like this…
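```powershell
$SubmittedPassword = $Credential.GetNetworkCredential().Password
# '<xml file>' is a placeholder for the path of the file written with Export-Clixml
$Account = Import-Clixml '<xml file>'
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Account.Password)
try {
    # PtrToStringBSTR reads the BSTR correctly on every platform
    $PlaintextPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($BSTR)
}
finally {
    # Zero and free the unmanaged plaintext copy
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR)
}
if ($SubmittedPassword -eq $PlaintextPassword) {
    New-PSUAuthenticationResult -Success -UserName 'Admin'
}
else {
    New-PSUAuthenticationResult -ErrorMessage "bad username or password"
}
```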
Open to suggestions others may have.
Thanks, this is a good workaround for now.
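An alternative to the approaches in this thread, as an added example that is not from any of the posters or from PowerShell Universal itself: keep only a salted PBKDF2 hash of the Admin password on disk, so nothing reversible is stored, and compare it without short-circuiting. The file path, function names and iteration count are assumptions; `New-PSUAuthenticationResult` is used only with the parameters shown above.

```powershell
# Added example. $HashFile, the function names and the iteration count are
# assumptions for illustration, not PowerShell Universal defaults.
$HashFile = 'C:\ProgramData\PSU\admin-hash.json'   # hypothetical path; restrict its ACL

function Get-Pbkdf2Hash {
    param([string]$Password, [byte[]]$Salt, [int]$Iterations)
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
        $Password, $Salt, $Iterations,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    try { $kdf.GetBytes(32) } finally { $kdf.Dispose() }
}

function New-AdminPasswordRecord {
    # Run once, interactively, to enrol the password:
    #   New-AdminPasswordRecord -Password (Read-Host -AsSecureString) |
    #       ConvertTo-Json | Set-Content -Path $HashFile
    param([Parameter(Mandatory)][securestring]$Password, [int]$Iterations = 600000)
    $salt = [byte[]]::new(16)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($salt) } finally { $rng.Dispose() }
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    [byte[]]$hash = Get-Pbkdf2Hash -Password $plain -Salt $salt -Iterations $Iterations
    [pscustomobject]@{
        Iterations = $Iterations
        Salt       = [Convert]::ToBase64String($salt)
        Hash       = [Convert]::ToBase64String($hash)
    }
}

function Test-AdminPassword {
    param([Parameter(Mandatory)][string]$Submitted, [Parameter(Mandatory)]$Record)
    $salt     = [Convert]::FromBase64String($Record.Salt)
    $expected = [Convert]::FromBase64String($Record.Hash)
    [byte[]]$actual = Get-Pbkdf2Hash -Password $Submitted -Salt $salt -Iterations ([int]$Record.Iterations)
    # Compare every byte so timing does not reveal where the first mismatch is
    $diff = $expected.Length -bxor $actual.Length
    for ($i = 0; $i -lt [Math]::Min($expected.Length, $actual.Length); $i++) {
        $diff = $diff -bor ($expected[$i] -bxor $actual[$i])
    }
    $diff -eq 0
}

function Invoke-AdminLogin {
    # Call from the 'Admin' branch of authentication.ps1: Invoke-AdminLogin -Credential $Credential
    param([Parameter(Mandatory)][pscredential]$Credential)
    $record = Get-Content -Raw -Path $HashFile | ConvertFrom-Json
    if (Test-AdminPassword -Submitted $Credential.GetNetworkCredential().Password -Record $record) {
        New-PSUAuthenticationResult -Success -UserName 'Admin'
    }
    else { New-PSUAuthenticationResult -ErrorMessage 'bad username or password' }
}
```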