
I'm working on a small work order app with a database back end for our Help Desk. Part of it is tracking some basic information about my organization's laptops (Manufacturer, Model, Serial Number, who it's assigned to, etc). I would use a real programming language like C# or Java, but for reasons dictated by people over my head, I'm stuck with using what is available built into Windows 10 Enterprise, so PowerShell with WPF.

Our network has a Windows domain with a large Active Directory forest and smart card authentication. What I would like to do, if possible, is have the user select their smart card certificate (the user using this app will be different than the user who logged into Windows i.e. there will be multiple smart cards inserted) with a UAC prompt or Get-Credential prompt. Entering their pin is not a requirement, though it would be nice to confirm their identity. All I want is to retrieve some basic information from the certificate/card they select, such as display name and email address. I'll be using the email address to query my database for other information such as which laptop(s) they're assigned. I would like to avoid doing an Active Directory lookup if possible, but that option is not completely off the table.

Below are a few things I have found but they all are sort of partial solutions to what I'm trying to do and I'm not sure how to put it all together. Get-Credential prompts the user to pick a smart card and enter their pin, which does what I'm looking for up front, but in the back it returns a PSCredential object that contains a username (coded somehow, but I can't find which encoding is used, or maybe it's a UID) and SecureString password (not validated, the user can leave this blank or enter anything). I don't know what to do with this to get the information I want. Get-ADUser doesn't seem to be able to return a user object using a PSCredential object as identity. Is there something I am missing or not understanding about this? Is what I'm trying to do possible?

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-credential?view=powershell-5.1

View All Certificates On Smart Card

https://www.akaplan.com/blog/2013/10/get-users-mailaddress-from-smartcard-with-powershell/

https://blogs.msdn.microsoft.com/alejacma/2010/12/15/how-to-enumerate-all-certificates-on-a-smart-card-powershell/

This last link seems like it would work but I'm not sure how to put it into use. The documentation is very sparse.

Zero
  • You can author PowerShell cmdlets using C# and then run them within PowerShell as that may be easier for you. https://msdn.microsoft.com/en-us/library/dd878342%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396 – Persistent13 Sep 08 '17 at 18:23
  • How do you expect to avoid an AD lookup unless the smartcard has that information somewhere? Additionally: I'd suggest looking at `Out-GridView` to avoid creating a WPF app in PS (very not-fun). Ultimately, what ARE you trying to do? – Maximilian Burszley Sep 08 '17 at 19:15
  • When people bring their laptop to the Help Desk for repairs, they are required to fill out a work order. The current solution is a MS Access database with a very buggy interface that outputs a PDF file as the customer copy. I'm trying to streamline the process and put a better front end on the same back end database. – Zero Sep 09 '17 at 21:03

1 Answer

4

If I wanted to work with certificates based on the smart cards inserted at the time I would use certutil.exe to pull all of the smart card info. Then grab the certificate serial numbers from the resultant text and query the CurrentUser\MY certificate store matching the serial numbers. Once I had the certificates I would pass that info to Out-GridView with the -OutputMode Single parameter to allow the user to select a certificate. From there you have the user's info based on the certificate shown.

# Serial numbers of every certificate on the inserted smart cards (certutil prints "Serial Number: <hex>" per cert)
$SCSerials = certutil -scinfo -silent | Where{$_ -match 'Serial Number: (\S+)'} | ForEach {$Matches[1]}
# Offer the matching certificates from the user's personal store for selection (-in is case-insensitive, so hex case differences between certutil and the store don't matter)
$SelectedThumb = Get-ChildItem Cert:\CurrentUser\my | Where{$_.SerialNumber -in $SCSerials} | Select Subject,Issuer,NotBefore,NotAfter,Thumbprint | Out-GridView -Title 'Select a smartcard certificate.' -OutputMode Single |% Thumbprint
# If the user cancels the grid $SelectedThumb is empty and Get-Item would return the whole store instead of a certificate
if (-not $SelectedThumb) { throw 'No certificate selected.' }
$UserCert = Get-Item Cert:\CurrentUser\My\$SelectedThumb

Then $UserCert.Subject is the distinguished name of the user and you can use that to query AD or whatever you want.

TheMadTechnician
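The answer stops at $UserCert.Subject, while the question also asks for the display name and e-mail and wants some confirmation of who is holding the card. Picking a certificate out of Cert:\CurrentUser\My proves nothing by itself (certificates are public and anyone with the card inserted can read them), so a worked continuation would validate the chain and make the card sign a fresh nonce, which forces the PIN prompt and proves possession of the private key. The PowerShell below is an added example, not code from the answer above or from Microsoft. It assumes $UserCert is the X509Certificate2 selected with Out-GridView as in the answer, Windows 10 with PowerShell 5.1 and .NET Framework 4.6.1 or later, and an RSA or ECDSA card key; the function names Test-SmartCardCertificate, Test-SmartCardPossession and Get-SmartCardIdentity and the optional -AllowedRootThumbprints list are my own.

```powershell
# Added example (not part of the original answer); see lead-in for assumptions.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Test-SmartCardCertificate {
    # Builds the chain with online revocation checking; returns $true only if the
    # certificate chains to a trusted root, is inside its validity period and is
    # not revoked. Optionally pins the root to your own PKI so a card from any
    # other trusted CA on the machine is rejected.
    param(
        [Parameter(Mandatory)][X509Certificate2]$Certificate,
        [string[]]$AllowedRootThumbprints   # placeholder: fill with your PKI root thumbprints
    )
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode     = [X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag     = [X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.VerificationFlags  = [X509VerificationFlags]::NoFlag
    if (-not $chain.Build($Certificate)) {
        foreach ($s in $chain.ChainStatus) { Write-Warning "Chain: $($s.Status) $($s.StatusInformation.Trim())" }
        return $false
    }
    if ($AllowedRootThumbprints) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($root.Thumbprint -notin $AllowedRootThumbprints) {
            Write-Warning "Root $($root.Thumbprint) ($($root.Subject)) is not an allowed root"
            return $false
        }
    }
    return $true
}

function Test-SmartCardPossession {
    # Proof of possession: sign a random 32-byte nonce with the card's private
    # key (the middleware prompts for the PIN here) and verify the signature
    # with the public key in the certificate.
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)
    $nonce = [byte[]]::new(32)
    [RandomNumberGenerator]::Create().GetBytes($nonce)

    $rsa = [RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($rsa) {
        $sig = $rsa.SignData($nonce, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
        $pub = [RSACertificateExtensions]::GetRSAPublicKey($Certificate)
        return $pub.VerifyData($nonce, $sig, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    }
    $ecdsa = [ECDsaCertificateExtensions]::GetECDsaPrivateKey($Certificate)
    if ($ecdsa) {
        $sig = $ecdsa.SignData($nonce, [HashAlgorithmName]::SHA256)
        $pub = [ECDsaCertificateExtensions]::GetECDsaPublicKey($Certificate)
        return $pub.VerifyData($nonce, $sig, [HashAlgorithmName]::SHA256)
    }
    throw 'Certificate has no usable private key (card removed, or key is not RSA/ECDSA).'
}

function Get-SmartCardIdentity {
    # The fields the question asks for, read straight from the certificate:
    # CN for display name, rfc822Name/e-mail and UPN from the Subject Alternative
    # Name. Empty string means the certificate does not carry that field.
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)
    [pscustomobject]@{
        DisplayName = $Certificate.GetNameInfo([X509NameType]::SimpleName, $false)
        Email       = $Certificate.GetNameInfo([X509NameType]::EmailName,  $false)
        UPN         = $Certificate.GetNameInfo([X509NameType]::UpnName,    $false)
        SubjectDN   = $Certificate.Subject
        Thumbprint  = $Certificate.Thumbprint
        Expires     = $Certificate.NotAfter
    }
}

# Usage, after the answer's $UserCert line:
if ((Test-SmartCardCertificate -Certificate $UserCert) -and (Test-SmartCardPossession -Certificate $UserCert)) {
    $id = Get-SmartCardIdentity -Certificate $UserCert
    # $id.Email drives the work-order database query. If the card carries no
    # e-mail, the UPN is the fallback for the AD lookup the question wanted to avoid:
    # Get-ADUser -Filter "userPrincipalName -eq '$($id.UPN)'" -Properties mail
    $id
}
```

Two practical notes: the chain check needs network reachability to the CA's CRL/OCSP endpoints, so a failed Build on an isolated help-desk workstation is usually a revocation-lookup failure (read the warnings before blaming the card); and a card exposed through an older CSP rather than a CNG key storage provider may not support SHA-256 signing, in which case SignData throws and the card should be re-enrolled rather than the check weakened.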