My application requires a user to be authenticated against Active Directory. We are thinking of executing a PowerShell script using System.DirectoryServices.DirectoryEntry to which we pass a username and password.
I saw it mentioned in a different answer that System.DirectoryServices.DirectoryEntry uses LDAP to read AD information. The LDAP protocol by itself is not encrypted. You can use LDAPS, but that requires setting up a CA. I would like to know if the network traffic generated by this command is secure by default - i.e. is it possible for the password to be sniffed over the network?
EDIT: I have found that you can pass additional options to the DirectoryEntry instance. This is the sample code:
$username = $args[0]
$password = $args[1]
Add-Type -AssemblyName System.DirectoryServices
Function Test-ADAuthentication {
    param($username, $password)
    # Secure = Negotiate (Kerberos/NTLM) rather than a cleartext simple bind; Sealing = encrypt the LDAP session
    $authType = [System.DirectoryServices.AuthenticationTypes]::Secure -bor [System.DirectoryServices.AuthenticationTypes]::Sealing
    $entry = New-Object System.DirectoryServices.DirectoryEntry("", $username, $password, $authType)
    # Reading a property forces the bind; it returns nothing or throws if the credentials are rejected
    try { $null -ne $entry.psbase.Name } catch { $false }
}
Test-ADAuthentication $username $password
The fourth parameter is an AuthenticationTypes enum: http://msdn.microsoft.com/en-us/library/system.directoryservices.authenticationtypes(v=vs.90).aspx
The values that seem of interest are Secure and Sealing, which in combination will encrypt the credentials.
Many thanks for reading.
This is the best solution that I found to authenticate a user to AD in a PowerShell script. According to MS docs, the Negotiate and Sealing flags together will encrypt the data: http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.contextoptions(v=vs.110).aspx
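The ContextOptions approach this answer points to, written out as an added example (not code from the post): PrincipalContext.ValidateCredentials from System.DirectoryServices.AccountManagement, called with Negotiate plus Sealing so the bind uses Kerberos/NTLM and the LDAP session is encrypted afterwards. The domain name and the interactive prompt are assumptions.

```powershell
# Added example: validate AD credentials with ContextOptions.Negotiate -bor Sealing.
# 'corp.example.com' is an assumed domain name; replace it with your own.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-ADCredential {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$Username,
        [Parameter(Mandatory)][System.Security.SecureString]$Password
    )
    # Negotiate: SASL/GSS-SPNEGO (Kerberos, falling back to NTLM) instead of a simple bind.
    # Sealing: encrypt the LDAP traffic once the bind has completed.
    $options = [System.DirectoryServices.AccountManagement.ContextOptions]::Negotiate -bor
               [System.DirectoryServices.AccountManagement.ContextOptions]::Sealing
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
        [System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain)
    try {
        # Unwrap the SecureString only for the duration of the call.
        $plain = (New-Object System.Net.NetworkCredential('', $Password)).Password
        return $ctx.ValidateCredentials($Username, $plain, $options)
    }
    finally {
        $ctx.Dispose()
    }
}

# Usage: prompt for the account rather than taking the password as a command-line
# argument, where it would be recorded in shell history and visible to other local processes.
$cred = Get-Credential -Message 'Account to validate against AD'
Test-ADCredential -Domain 'corp.example.com' -Username $cred.UserName -Password $cred.Password
```

ValidateCredentials returns $true or $false rather than throwing on a bad password, which makes it easier to use from a script than inspecting a DirectoryEntry property. Note that the protection chosen here covers the wire; the password still has to exist in cleartext in the calling process for the duration of the call.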
If I remember correctly, it's not possible to authenticate to Active Directory in an unencrypted manner. Every domain controller establishes some sort of encrypted connection with a client before it accepts credentials.
PowerShell authenticates to a DC using the same methods that other clients use. That is, whether you're entering the credentials at a Windows 8 login screen, a SharePoint page, a custom-built program, or a PowerShell prompt, the DC will authenticate in the same manner. You can modify AD's authentication mechanisms via Group Policy, but every mechanism encrypts the data.
I didn't find much documentation in a few minutes of Googling, but this article from the University of Washington has a good overview of LDAP in general and LDAP as it relates to AD. Skip to the line reading "Active Directory supports four SASL authentication mechanisms".
http://www.netid.washington.edu/documentation/ldapAuth.aspx
Also, two links for GPOs related to login security. Tangentially related to your question, but they might be handy: http://technet.microsoft.com/en-us/library/dn169021%28v=ws.10%29.aspx http://technet.microsoft.com/en-us/library/jj852258%28v=ws.10%29.aspx
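The question is whether a given bind can be sniffed, so here is an added example (not code from either answer) that puts the weak and the protected DirectoryEntry binds side by side and then shows the check an administrator would run on the DC. AuthenticationTypes.None is an LDAP simple bind, which sends the password in cleartext unless the connection is LDAPS; Secure selects SASL/GSS-SPNEGO (Kerberos or NTLM) so the password itself does not cross the wire, and Signing/Sealing protect the session afterwards. Domain controllers record event 2889 in the Directory Service log for each simple or unsigned bind once the "16 LDAP Interface Events" diagnostic level is set to 2. The server name, account and password below are constructed placeholders.

```powershell
# Added example: simple bind versus Negotiate + Signing + Sealing, plus the DC-side audit.
# 'dc01.corp.example.com', 'CORP\alice' and 'P@ss' are assumed placeholder values.
Add-Type -AssemblyName System.DirectoryServices

function Invoke-LdapBind {
    param(
        [string]$Path,
        [string]$Username,
        [string]$Password,
        [System.DirectoryServices.AuthenticationTypes]$AuthType
    )
    $entry = New-Object System.DirectoryServices.DirectoryEntry($Path, $Username, $Password, $AuthType)
    try {
        [void]$entry.RefreshCache()   # forces the bind; throws if the DC rejects it
        return $true
    }
    catch { return $false }
    finally { $entry.Dispose() }
}

$A = [System.DirectoryServices.AuthenticationTypes]
$server = 'LDAP://dc01.corp.example.com'

# Weak: None = LDAP simple bind. On plain LDAP (port 389) the password is visible
# to anyone capturing the traffic between this host and the DC.
Invoke-LdapBind -Path $server -Username 'CORP\alice' -Password 'P@ss' -AuthType $A::None

# Protected: Secure = SASL/GSS-SPNEGO (Kerberos/NTLM); Signing = integrity; Sealing = encryption.
Invoke-LdapBind -Path $server -Username 'CORP\alice' -Password 'P@ss' `
    -AuthType ($A::Secure -bor $A::Signing -bor $A::Sealing)

# On the DC, once '16 LDAP Interface Events' under
# HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics is set to 2:
# event 2889 lists the client IP and account for every simple or unsigned bind.
Get-WinEvent -ComputerName 'dc01.corp.example.com' `
    -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } -MaxEvents 20 |
    Select-Object TimeCreated, Message
```

Running the first bind and then querying for event 2889 is the direct way to confirm the answer above in your own environment: the simple bind produces a 2889 entry, the Secure/Signing/Sealing bind does not.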