PowerShell Web Access with Integrated Windows Authentication?

This topic contains 2 replies, has 2 voices, and was last updated by  Ian Douglas 3 years, 7 months ago.

  • #12821

    Ian Douglas
    Participant

    I have implemented PowerShell Web Access using Server 2012 in my organization. I use it to deliver custom modules to our users (who are highly technical and prefer a shell versus a GUI), who access it only from within our corporate network. Recently our IT Security team has demanded that I change the logon mechanism for this site, so that users do not enter their username and password, but instead are logged in using their Windows session credentials.

    I am at a loss as to how to implement this. One general approach might be to pre-populate the logon form with the current logged-on user credentials, by using some kind of a variable on the logon form, and then make those fields invisible.

    One further wrinkle is that the users currently log on with the CredSSP authentication type, so this would need to be preserved.

    Any help with this would be greatly appreciated.

    Many thanks!

  • #12822

    Dave Wyatt
    Moderator

    According to the TechNet documentation on PSWA, "Windows PowerShell Web Access users must always provide a user name and password to authenticate their accounts on the gateway." (ref: http://technet.microsoft.com/en-us/library/dn282394.aspx ) Based on that, I don't think you'll be able to use integrated Windows authentication via IIS.

    You could certainly automate Internet Explorer to enter the username and password fields for them, but that would require you to store the user's password in some fashion. If you go that route, be very careful about how you choose to store that password, to avoid creating a giant security hole for your users.

    Personally, I would just accept that PSWA currently requires users to enter their username and password. It's not that big of an inconvenience.

  • #12823

    Ian Douglas
    Participant

    Any C# / IIS / PowerShell experts out there?

    Do you guys think there is a way to call the current username/pwd by means of a variable?

    Unfortunately, this is the only service in our organization that doesn't pass current credentials during authentication, and our IT Security department requires that there be no user input of passwords once users have logged on to Windows. It's not a question of user convenience.

    Thanks, Dave, for your response, but I'm hoping someone here can help with re-engineering the way authentication happens in PSWA.
