Credential: how to use them ?

The different ways to use credentials

Credential: how to use them ?

The different ways to use credentials

Information

This article was written for a presentation of the French Powershell UserGroup.

This presentation can be seen on Youtube on the FRPSUG channel

The different ways to use credentials…

Initial Request

From my beginnings on powershell, I quickly asked myself the question of managing credentials in my scripts

From the simple need that is perhaps managed in a basic way to the use of credentials in automatic scripts I have long sought the best way to do it.

Processing the request

1. Get-Credential

The easiest way to use credentials and use the basic command

$cred = Get-Credential -Message "Message displayed in the popup" -UserName MyUser

The result is as follows

PS > $cred

UserName                           Password
--------                           --------
MyUser System.Security.SecureString

This $cred variable can be used for example in the following command

Enter-PSSession -ComputerName MyComputerName -Credential $cred

2. ConvertFrom-SecureString : Disk storage

Another solution, a little more advanced, is to store the password in a file on the PC. Naturally this storage must be done in a secure manner. As before, you must first create the $Cred object

$cred = Get-Credential -Message "Message displayed in the popup" -UserName MyUser

In a second step we will store the password encrypted on the hard drive

$Cred.Password | ConvertFrom-SecureString | Out-File C:\temp\password.txt

In the file c:\temp\password.txt the password is in this form

01000000d08c9ddf0115d1118c7a00c04fc297eb0100000057670149ac674a41ad9d185a8a82724b0000000002000000000010660000000100002000000093aaaf1ed598a69bbfb4cc77e81dfeb2786f26db6184538833af18054ef1a8a3000000000e800000000200002000000098c97f4f344d0159f337966d55060ad3297cae7515938457a713ddd9eaac5cdf200000003d986891fb27cb3983f798082083ac734d97d6235a186d3cc43db26f63bd44684000000018620d4739c0a26a6261e8c9867e94605cd35c61090c982999d5bb09fb54ec7d9a3499ebeb304c67720edfa37a34fe7fd4bce8fd8468dbee5081f56c81f4ce46

To be able to use this password stored securely, it must first be decrypted. To do this we will proceed as follows Pour pouvoir utiliser ce mot de passe stocké de façon sécurisé, il faut d'abord le décrypter. Pour ce faire nous allons procéder de la façon suivante

$Username = "MyUser"
$SecurePassword = Get-Content c:\temp\password.txt | ConvertTo-SecureString
$Cred = New-Object System.Management.Automation.PSCredential -ArgumentList $Username,$SecurePassword
PS > $cred

UserName                           Password
--------                           --------
MyUser System.Security.SecureString

As in point 1 we end up with a $Cred variable usable in the command

Enter-PSSession -ComputerName MyComputerName -Credential $cred

3. Export-Clixml : Disk storage

The advantage of this methodology is that you can leverage the versatility of PowerShell to ensure that data is not only exported, but also stored securely using secure strings. Note that these credentials created can only be opened by the same user on the same system.

To create the export file, proceed as follows

get-credential -message "user password ?" -UserName MonUtilisateur | Export-Clixml -Path "c:\temp\user.xml"

The file c:\temp\user.xml contains the following information

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">MyUser</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb0100000057670149ac674a41ad9d185a8a82724b00000000020000000000106600000001000020000000dadd8864c9b930a2eb07a6745ac4fb5711912c318c401f7e35bb91d4d1cc180b000000000e8000000002000020000000b5a862ba266c236357445b773ca38d73ed124cf82d863ac4c11e2b48d57fca4b2000000054180930ba9fd53a6c4bdd9d7f69c044c88072b0d411486bccc1ca3cca417bf440000000d6197eafe8a133235bd1b44e376c3ff02e94da9f39b7d24b9a68ef5dbd629e44180ce15c3e67830d758fa1296f60a98cb2371ef915990c921e728f44c72c4cbd</SS>
    </Props>
  </Obj>
</Objs>

To retrieve the information, use the command

 $Cred = Import-Clixml -Path "c:\temp\user.xml"

again we get our variable well $Cred

PS > $cred

UserName                           Password
--------                           --------
MyUser System.Security.SecureString

Today, personally, I use method 3.


See also