zmeier/Backup
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update

Browse Source
This commit is contained in:
Zack Meier
2026-04-15 15:45:50 -05:00
commit 1d304511b8
613 changed files with 140998 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
_NDGOV_WindowsTeam/ITD.Infra-Servers-PowerShellUniversal/.universal/authentication.ps1
+89
View File
@@ -0,0 +1,89 @@
Set-PSUAuthenticationMethod -Type "Form" -ScriptBlock {
param(
[PSCredential]$Credential
)
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
# is this a UPN?
if ( $Credential.UserName.IndexOf('@') -gt -1 ) {
# juggle back and forth from SID to get NTAccount format
$NTAccountName = ([System.Security.Principal.NTAccount]$Credential.UserName).Translate([System.Security.Principal.SecurityIdentifier]).Translate([System.Security.Principal.NTAccount]).Value
}
elseif ( $Credential.UserName.IndexOf('\') -gt -1 ) {
# already NTAccount format
$NTAccountName = $Credential.UserName
}
else {
# someone didn't enter their domain...
$NTAccountName = "NDGOV\" + $Credential.GetNetworkCredential().UserName
}
# split domain and username
$DomainName, $UserName = $NTAccountName.Split('\', 2)
# perform auth with AD
$PrincipalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext( 'Domain', $DomainName )
$Authenticated = $PrincipalContext.ValidateCredentials( $UserName, $Credential.GetNetworkCredential().Password, 'Negotiate, Sealing' )
if ( $Authenticated ) {
# discover the user principal, needed for the user DN
$UserPrincipal = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($PrincipalContext, [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName, $NTAccountName )
# get the user's domain
$UserDomainContext = [System.DirectoryServices.ActiveDirectory.DirectoryContext]::new( 'Domain', $DomainName, $Credential.UserName, $Credential.GetNetworkCredential().Password )
$UserDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain( $UserDomainContext )
# get the computer's domain
#$ComputerDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
# hold all the user groups
[System.Collections.Generic.List[hashtable]]$Groups = @()
# get groups from user's domain
#[adsisearcher]::new( $UserDomain.GetDirectoryEntry(), "(&(objectCategory=group)(objectClass=group)(member:1.2.840.113556.1.4.1941:=$($UserPrincipal.DistinguishedName)))", @('name') ).FindAll().ForEach({
[adsisearcher]::new( $UserDomain.GetDirectoryEntry(), "(&(objectCategory=group)(objectClass=group)(member:1.2.840.113556.1.4.1941:=$($UserPrincipal.DistinguishedName))(name=ITD-PSUniversal-*))", @('name') ).FindAll().ForEach({
$Groups.Add(@{
Type = 'Group'
Value = $_.Properties['name'][0]
Issuer = $UserDomain.Name
})
})
<#
# get groups from the computer's domain (if different)
if ( $UserDomain.Name -ne $ComputerDomain.Name ) {
# lookup the user's foreign security principal in the computer's domain
$ForeignSecurityPrincipal = [adsisearcher]::new( $ComputerDomain.GetDirectoryEntry(), "(&(objectCategory=foreignSecurityPrincipal)(objectClass=foreignSecurityPrincipal)(name=$($UserPrincipal.Sid)))", @('distinguishedName') ).FindOne().Properties['distinguishedName'][0]
# find all the group memberships
[adsisearcher]::new( $ComputerDomain.GetDirectoryEntry(), "(&(objectCategory=group)(objectClass=group)(member:1.2.840.113556.1.4.1941:=$ForeignSecurityPrincipal))", @('name') ).FindAll().ForEach({
$Groups.Add(@{
Type = 'Group'
Value = $_.Properties['name'][0]
Issuer = $ComputerDomain.Name
})
})
}
#>
New-PSUAuthenticationResult -Success -UserName $UserPrincipal.UserPrincipalName -Claims {
$Groups | ForEach-Object { New-PSUAuthorizationClaim @_ }
}
}
else {
New-PSUAuthenticationResult -ErrorMessage 'Bad username or password :)'
}
}