How to securely authenticate AD user in Powershell (encrypt credentials)


Question


My application requires a user to be authenticated against Active Directory. We are thinking of executing a PowerShell script using System.DirectoryServices.DirectoryEntry to which we pass a username and password.


I saw it mentioned in a different answer the fact that System.DirectoryServices.DirectoryEntry uses LDAP to read AD information. LDAP protocol by itself is not encrypted. You can use LDAPS but that requires setting up of CA. I would like to know if the network traffic generated by this command is secure by default - i.e. is it possible for the password to be sniffed over the network?


EDIT I have found that you can pass additional options to the DirectoryEntry instance. This is the sample code:

$username = $args[0]
$password = $args[1]

Function Test-ADAuthentication {
    param($username, $password)
    # Secure (Kerberos/NTLM) combined with Sealing (encryption): the bind does not send the password in clear text
    $authType = [System.DirectoryServices.AuthenticationTypes]::Secure -bor [System.DirectoryServices.AuthenticationTypes]::Sealing
    try {
        $entry = New-Object System.DirectoryServices.DirectoryEntry("", $username, $password, $authType)
        return ($null -ne $entry.psbase.Name)
    }
    catch {
        # A bind with bad credentials throws the first time the entry is read, so report that as a failed check
        return $false
    }
}

Test-ADAuthentication $username $password


The fourth parameter is an enum AuthenticationTypes http://msdn.microsoft.com/en-us/library/system.directoryservices.authenticationtypes(v=vs.90).aspx


The values that seem of interest are: Secure & Sealing which in combination will encrypt the credentials

Thank you very much for reading.

Accepted answer


This is the best solution that I found to authenticate a user to AD in a Powershell script. According to MS docs, the Negotiate and Sealing flags together will encrypt the data: http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.contextoptions(v=vs.110).aspx

$username = $args[0]
$password = $args[1]

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# Validate against the machine's own domain ($system.Domain in the original is undefined; $env:USERDNSDOMAIN is assumed here)
$pc = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext 'Domain', $env:USERDNSDOMAIN

# Negotiate plus Sealing: Kerberos/NTLM authentication with the exchange encrypted on the wire
return $pc.ValidateCredentials($username, $password, [DirectoryServices.AccountManagement.ContextOptions]::Negotiate -bor [DirectoryServices.AccountManagement.ContextOptions]::Sealing)
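A further example, added here and not part of the answer above: the same PrincipalContext check wrapped in a function that takes a PSCredential, so the password is never a plain-text command-line argument that shows up in process listings, and that adds Signing (integrity) to the Negotiate and Sealing flags. It assumes a domain-joined host and uses $env:USERDNSDOMAIN as the default domain name.

```powershell
# Added example, not code from the original question or answer.
# Assumptions: domain-joined host; $env:USERDNSDOMAIN is the domain to validate against.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-ADCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential]$Credential,

        # Domain to validate against; defaults to the machine's own domain
        [string]$Domain = $env:USERDNSDOMAIN
    )

    $ctxType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    # Negotiate (Kerberos, NTLM fallback) + Sealing (encryption) + Signing (integrity)
    $options = [System.DirectoryServices.AccountManagement.ContextOptions]::Negotiate -bor
               [System.DirectoryServices.AccountManagement.ContextOptions]::Sealing -bor
               [System.DirectoryServices.AccountManagement.ContextOptions]::Signing

    $pc = $null
    try {
        $pc = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ctxType, $Domain)
        # The clear-text password only exists in memory for the duration of this call
        $plain = $Credential.GetNetworkCredential().Password
        # Returns $true for valid credentials, $false for a bad user name or password
        return $pc.ValidateCredentials($Credential.UserName, $plain, $options)
    }
    catch {
        # Domain unreachable or bind error: fail closed and surface the reason
        Write-Warning "Validation against $Domain failed: $($_.Exception.Message)"
        return $false
    }
    finally {
        if ($pc) { $pc.Dispose() }
    }
}

# Usage: prompt for the account interactively instead of passing the password on the command line
# $cred = Get-Credential -Message 'Enter the AD account to validate'
# Test-ADCredential -Credential $cred
```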
