get AD User Object cert in remote session



    by davetechsearch at 2013-04-02 11:37:06

    Is there a way to 'see' the Certificate(s) in the AD User Object container in a remote session (for the user that initiated the session)?

    gci Cert:\CurrentUser\UserDS

    This errors out when running the cmd:

    The system cannot open the device or file specified.
    + CategoryInfo :
    + FullyQualifiedErrorId : System.Security.Cryptography.CryptographicException,Microsoft.PowerShell.Commands.GetChildItemCommand

    by coderaven at 2013-04-02 11:51:15

    There are a few different ways to get that information noted here

    If you have remoting enabled, it is pretty easy, if not, I liked this solution:

    function Get-Cert( $computer=$env:computername ){
        # Open the Root store of the given machine read-only (\\computer\store addresses a remote system store)
        $ro=[System.Security.Cryptography.X509Certificates.OpenFlags]"ReadOnly"
        $lm=[System.Security.Cryptography.X509Certificates.StoreLocation]"LocalMachine"
        $store=new-object System.Security.Cryptography.X509Certificates.X509Store("\\$computer\root",$lm)
        $store.Open($ro)
        $store.Certificates
    }

    # List the certificates on REMOTECOMPUTER that have already expired
    # (X509Store objects carry no PSPath; that property only exists on items from the Cert: provider)
    Get-Cert "REMOTECOMPUTER" | ?{$_.NotAfter -lt (Get-Date)} | format-list -property Subject,FriendlyName,NotAfter

    The code needs a little cleanup and I have not tested it. Let me know how it goes.

    by davetechsearch at 2013-04-02 12:05:28

    I'll give that a try with what I'm trying to do... I should probably provide more detail:

    1. I remote to a machine
    2. I attempt to get a list of the certificates in UserDS (for the remoting user) while in the remote session
    3. Getting a listing of the contents of this container errors out. Listing other containers under \CurrentUser\ works just fine.

    by davetechsearch at 2013-04-02 12:14:29

    This is what I am running... runs fine locally, but still errors out at — "$store.open($ro)" — when in the remote session.

    # Open the UserDS store (certificates published on the AD user object) for the current user, read-only
    $ro = [System.Security.Cryptography.X509Certificates.OpenFlags]"ReadOnly"
    $cu = [System.Security.Cryptography.X509Certificates.StoreLocation]"CurrentUser"
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("UserDS", $cu)
    $store.Open($ro)
    $store.Certificates

    Exception calling "Open" with "1" argument(s): "The system cannot open the device or file specified."
    At line:1 char:12
    + $store.open <<<< ($ro)
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

    As for my original intention... I was hoping to encrypt some data locally (encryption and decryption work fine locally), send it over the wire to its destination and decrypt it at the other end for use. I was hoping to use the thumbprint from the UserDS container to perform the encryption/decryption.
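As an added example (not code from the thread), the following function lists the certificates published on the calling user's AD object. It tries the UserDS store first and, when that store cannot be opened as in the remote session above, reads the userCertificate attribute of the user object over LDAP, which is the data the UserDS store mirrors. It assumes a domain-joined host whose session can authenticate to a domain controller as the current user; a remoting session without credential delegation (the second-hop limitation) cannot, so the LDAP fallback will fail there too.

```powershell
# Added example, not from the thread. Enumerates the certificates on the current user's AD object.
function Get-UserDSCertificate {
    [CmdletBinding()]
    param(
        # Keep only certificates that are currently valid and allow key encipherment
        [switch]$EncryptionCapableOnly
    )
    $certs = @()
    try {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('UserDS', 'CurrentUser')
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
        $certs = @($store.Certificates)
        $store.Close()
    }
    catch {
        Write-Verbose "UserDS store unavailable ($($_.Exception.Message)); querying AD directly"
        # The UserDS store mirrors the userCertificate attribute of the user object, so read it over LDAP
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
        [void]$searcher.PropertiesToLoad.Add('userCertificate')
        $user = $searcher.FindOne()
        if ($null -eq $user) { throw "No AD user object found for $env:USERNAME" }
        foreach ($raw in $user.Properties['usercertificate']) {
            # Each value is a DER-encoded public certificate; AD never holds the private key
            $certs += New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
        }
    }
    if ($EncryptionCapableOnly) {
        $now = Get-Date
        $certs = $certs | Where-Object {
            $cert = $_
            $ku = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
                Select-Object -First 1
            $cert.NotBefore -le $now -and $cert.NotAfter -gt $now -and $ku -and
            ($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)
        }
    }
    $certs | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

# The public certificates from AD are what a sender needs to encrypt data *to* this user;
# the matching private key for decryption has to be in the recipient's own Cert:\CurrentUser\My store.
Get-UserDSCertificate -EncryptionCapableOnly -Verbose
```

HasPrivateKey will be False for every certificate returned here, which is why decryption must happen on the machine that holds the user's private key rather than from the UserDS copy.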
