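Set-PSUAuthenticationMethod -Type "Form" -ScriptBlock {
    # Form authentication against Active Directory.
    # Normalises whatever the user typed (UPN, DOMAIN\user or bare user) to
    # DOMAIN\user, validates the password with ValidateCredentials, then
    # collects the user's (transitive) group memberships as 'Group' claims.
    param(
        [PSCredential]$Credential
    )

    Add-Type -AssemblyName System.DirectoryServices.AccountManagement

    # Domain assumed when the login form holds a bare account name.
    $DefaultDomain = 'NDGOV'
    # One message for every failure mode so the login page cannot be used to
    # tell "no such user" apart from "wrong password".
    $FailureMessage = 'Bad username or password :)'

    # RFC 4515 escaping for a value placed inside an LDAP filter assertion.
    # The DN below comes from AD, but it may legitimately contain '(' ')' '*'
    # or '\' (e.g. an escaped comma in a CN) and would otherwise corrupt the filter.
    function ConvertTo-LdapFilterValue {
        param([string]$Value)
        $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
    }

    $EnteredName = $Credential.UserName
    $Password = $Credential.GetNetworkCredential().Password

    # Reject empty fields before touching the directory: an empty password
    # must never reach the bind, and an empty name cannot be normalised.
    if ([string]::IsNullOrEmpty($EnteredName) -or [string]::IsNullOrEmpty($Password)) {
        return New-PSUAuthenticationResult -ErrorMessage $FailureMessage
    }

    if ($EnteredName.IndexOf('@') -gt -1) {
        # UPN: translate via SID to obtain the DOMAIN\user (NTAccount) form.
        try {
            $NTAccountName = ([System.Security.Principal.NTAccount]$EnteredName).Translate([System.Security.Principal.SecurityIdentifier]).Translate([System.Security.Principal.NTAccount]).Value
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # Unknown UPN: report as a failed login instead of surfacing the exception.
            return New-PSUAuthenticationResult -ErrorMessage $FailureMessage
        }
    } elseif ($EnteredName.IndexOf('\') -gt -1) {
        # Already DOMAIN\user.
        $NTAccountName = $EnteredName
    } else {
        # Bare user name: assume the default domain.
        $NTAccountName = "$DefaultDomain\" + $Credential.GetNetworkCredential().UserName
    }

    # Split DOMAIN\user. NOTE(review): $DomainName is taken from the form
    # input in the DOMAIN\user case, so the context below is opened against
    # whatever domain the caller named; restrict this if only known domains
    # should ever be contacted.
    $DomainName, $UserName = $NTAccountName.Split('\', 2)

    $PrincipalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $DomainName)
    try {
        # Negotiate + Sealing: Kerberos/NTLM bind, the password is not sent in clear.
        $Authenticated = $PrincipalContext.ValidateCredentials($UserName, $Password, 'Negotiate, Sealing')
        if (-not $Authenticated) {
            return New-PSUAuthenticationResult -ErrorMessage $FailureMessage
        }

        # The user principal supplies the DN (for the membership search) and the UPN (for the result).
        $UserPrincipal = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($PrincipalContext, [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName, $NTAccountName)
        if ($null -eq $UserPrincipal) {
            return New-PSUAuthenticationResult -ErrorMessage $FailureMessage
        }

        # Search root is the DC the context bound to (ConnectedServer is set
        # once the context has performed a lookup, i.e. after FindByIdentity).
        # The search itself runs under the PSU service identity, not the user's.
        $SearchRoot = [adsi]"LDAP://$($PrincipalContext.ConnectedServer)"

        # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) expands nested membership.
        $Filter = "(&(objectCategory=group)(objectClass=group)(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $UserPrincipal.DistinguishedName)))"

        # All group claims for this user.
        [System.Collections.Generic.List[hashtable]]$Groups = @()

        $Searcher = [adsisearcher]::new($SearchRoot, $Filter, @('name'))
        # Paged results: without a page size the server caps FindAll() at its MaxPageSize.
        $Searcher.PageSize = 1000
        $Results = $Searcher.FindAll()
        try {
            foreach ($Result in $Results) {
                $Groups.Add(@{
                    Type   = 'Group'
                    # Issuer is the domain name as normalised above (NetBIOS or DNS, as entered).
                    Value  = $Result.Properties['name'][0]
                    Issuer = $DomainName
                })
            }
        } finally {
            # SearchResultCollection holds unmanaged handles and must be disposed explicitly.
            $Results.Dispose()
            $Searcher.Dispose()
        }

        # Limitation: groups the user holds in a *different* domain (via a
        # foreignSecurityPrincipal in the computer's domain) are not collected here.

        New-PSUAuthenticationResult -Success -UserName $UserPrincipal.UserPrincipalName -Claims {
            $Groups | ForEach-Object { New-PSUAuthorizationClaim @_ }
        }
    } finally {
        $PrincipalContext.Dispose()
    }
}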