0

I would like to automate some administrative tasks in a C# program, and for that I need to acquire credentials (username and password of a domain user with the required rights, for example an Administrator). Then I want to store "the login" securely, so I don't have to ask for it for every task I want to perform. I know multiple official ways to ask for credentials (for example CredUIPromptForWindowsCredentials, or Powershell's Get-Credential), but these return the username and password in plaintext (or as a SecureString), which I have to securely store myself.

Is there a way to get a kind of login token that allows me to do stuff on the remote computer, without being able to recover the password? I am looking for the windows equivalent of a Kerberos ticket granting ticket - you do kinit, enter your password, and get a ticket that authenticates you on the network without using your password again (and the ticket expires after a set time).

One workaround I thought of is to not handle the credentials myself, but to use Window's authentication directly and run a sub-process as a different user. The downside would be that this make my application much more complicated, and it will only likely work from within the same domain.

For clarification, I'd like to use various administrative interfaces (WMI, Powershell remoting, PSExec), and it would preferably work from any computer even if outside of the target computers' domain. The lifetime of the "token" would be at least the runtime of my program, but it would also be useful if I could save the "token" to disk and reuse it multiple times a day.

jdm
  • 9,470
  • 12
  • 58
  • 110
  • You can use `LogonUser` and `ImpersonateLoggedOnUser` from the Windows API advapi32.dll module. The LogonUser provides you a token that can be used for impersonation. However it requires the `LogonUser` and `ImpersonateLoggedOnUser` code to be executed in the targets computer domain as I know. The `LogonUser` however requires login and password in plain text. I'm not sure that you can act as domain user from the computer that is not joined to the domain. You can write service, install it on target computer in the domain and send commands to the service but it is not about security I'm afraid. – oleksa Dec 28 '19 at 10:14
  • _"the windows equivalent of a Kerberos ticket granting ticket"_ >> that's exactly what Windows uses, when bound to Active Directory... just run `klist.exe` on your PC. – Samson Scharfrichter Jan 05 '20 at 14:03

1 Answers1

0

Did you try Windows Credential Manager for this?

You can store the credential in Windows Credential Manager for one time and then use PowerShell to access it programmatically. It is Microsoft's secure way to store credentials locally.

Install Credential Manager on Windows machine

Install-Module -Name Credential Manager

To store new credentials using powershell

New-StoredCredential -Target Contoso -Username User1 -Password Password

there is another way to store new password in Credential Manager

Get-Credential -Username User2 -Message “Please enter your password:” | New-StoredCredential -Target Contoso

& then to retrieve stored credentials use Get-StoredCredential

$Cred = Get-StoredCredential -Target Contoso

Unfortunately, there isn’t a lot of documentation that comes with the Credential Manager module but you can get more details with following command

Get-Help Get-StoredCredential

Community
  • 1
  • 1
Kundan
  • 1,394
  • 1
  • 13
  • 26