2

My application requires a user to be authenticated against Active Directory. We are thinking of executing a PowerShell script using System.DirectoryServices.DirectoryEntry to which we pass a username and password.

I saw it mentioned in a different answer the fact that System.DirectoryServices.DirectoryEntry uses LDAP to read AD information. LDAP protocol by itself is not encrypted. You can use LDAPS but that requires setting up of CA. I would like to know if the network traffic generated by this command is secure by default - i.e. is it possible for the password to be sniffed over the network?

EDIT I have found that you can pass additional options to the DirectoryEntry instance. This is the sample code:

$username = $args[0]
$password = $args[1]

Function Test-ADAuthentication {
    param($username,$password)
    (new-object directoryservices.directoryentry "",$username,$password,Secure -bor Sealing).psbase.name -ne $null
}

Test-ADAuthentication $username $password

The fourth parameter is an enum AuthenticationTypes http://msdn.microsoft.com/en-us/library/system.directoryservices.authenticationtypes(v=vs.90).aspx

The values that seem of interest are: Secure & Sealing which in combination will encrypt the credentials

Many thanks for reading.

Katya S
  • 1,321
  • 3
  • 17
  • 31

2 Answers2

2

This is the best solution that I found to authenticate a user to AD in a Powershell script. According to MS docs, the Negotiate and Sealing flags together will encrypt the data: http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.contextoptions(v=vs.110).aspx

$username = $args[0]
$password = $args[1]

$pc = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext 'Domain', $system.Domain

return $pc.ValidateCredentials($username, $password, [DirectoryServices.AccountManagement.ContextOptions]::Negotiate -bor [DirectoryServices.AccountManagement.ContextOptions]::Sealing)
Katya S
  • 1,321
  • 3
  • 17
  • 31
0

If I remember correctly, it's not possible to authenticate to Active Directory in an unencrypted manner. Every domain controller establishes some sort of encrypted connection with a client before it accepts credentials.

Powershell authenticates to a DC using the same methods that other clients use. That is, whether you're entering the credentials at a Windows 8 login screen, a Sharepoint page, a custom-built program, or a Powershell prompt, the DC will authenticate in the same manner. You can modify AD's authentication mechanisms via Group Policy, but every mechanism encrypts the data.

I didn't find much documentation in a few minutes of Googling, but this article from University of Washington has a good overview of LDAP in general and LDAP as it relates to AD. Skip to the line reading "Active Directory supports four SASL authentication mechanisms"

http://www.netid.washington.edu/documentation/ldapAuth.aspx

Also, two links for GPO's related to login security. Tangientially related to your question, but they might be handy: http://technet.microsoft.com/en-us/library/dn169021%28v=ws.10%29.aspx http://technet.microsoft.com/en-us/library/jj852258%28v=ws.10%29.aspx

Bagheera
  • 1,358
  • 4
  • 22
  • 35
  • Hi Michael. Thank you for your time. In terms of LDAP - it is not encrypted by default unless you use LDAPS protocol, I knew that already. I'm not convinced re your second paragraph - Powershell is simply using a .NET library as in my code example above - unless ALL of powershell traffic is encrypted? However I have now found how to enable Secure+Sealing authentication, which according to the docs will provide secure Authentication using Kerberos... – Katya S Mar 06 '14 at 11:04