Get-Credential with smartcard and PIN

  • Question

  • I write lots of scripts for automation.  Administrators here run as a low privilege account and elevate what they need to an administrative account.

    I want to be able to use Get-Credential in my scripts to get that elevating account from the user to do actions, but I have a problem.  Get-Credential works fine with username/password logins.  It does not work at all with a Smart Card and PIN.

    How can I use Smart Card and PIN credentials in a PowerShell script to elevate actions using those alternate credentials?

    Wednesday, April 9, 2014 2:18 PM

Answers

All replies

  • Why do you need to? The user should still know the password for the account that uses the smartcard.


    -- Bill Stewart [Bill_Stewart]

    Wednesday, April 9, 2014 2:40 PM
    Moderator
  • All in all this is a very insecure way to give users access.  You should use delegation to a custom group and make the user a member of that group.  In that way the smart card would be the control for authentication.  This is how Windows is designed.  You can also use a compiled program that uses two factor authentication to force the user to add a second layer of validation.

    All of this depends on delegation.

    To use a smart card for external credentials would require you to also build a compiled program that validates against a smart card.


    ¯\_(ツ)_/¯

    Wednesday, April 9, 2014 3:36 PM
  • Ok, so the shortest answer is, "No, you can't use a smartcard and PIN with Get-Credential.  You must use a login/password", correct?
    Thursday, April 10, 2014 7:42 PM
  • Ok, so the shortest answer is, "No, you can't use a smartcard and PIN with Get-Credential.  You must use a login/password", correct?

    Yes - or you can write a custom login form that calls the smartcard API and retrieves the credential.  You can also look for an add-in on the web as someone else has likely already done this.


    ¯\_(ツ)_/¯

    Thursday, April 10, 2014 8:00 PM
  • Correct. Here's the documentation for the PSCredential class:

    http://msdn.microsoft.com/en-us/library/System.Management.Automation.PSCredential.aspx

    You can set/retrieve a UserName property and you can set the password for the credential using a SecureString object, but it doesn't have a method for prompting for a smartcard PIN.


    -- Bill Stewart [Bill_Stewart]

    • Marked as answer by GPF Thursday, April 17, 2014 2:01 PM
    Thursday, April 10, 2014 8:01 PM
    Moderator