0

I am trying to figure out if there is a way to take a stored credential in Windows Cred vault and pass it to a bat file that needs the credentials. I found a very old bat file that has a username and password in clear text. These are used to authenticate against a portal and have to be read by the bat in clear text. I have stored credentials on my server that I want to use so I can close this security gap but I am not 100% sure how to pass the password because it has to be in clear text. Here is what I have:

```powershell
$creds = Get-StoredCredential -Target "Username"
$password = $creds.Password
$username = $creds.UserName
Start-Process cmd.exe "/c C:\trigger.bat `"argument1`" $username $password `"Argument2`" Argument3" -NoNewWindow -Verbose
```

When I enter the password in clear text in my line it works. If I use `$password` it throws an auth error. I assume that this is because the `$password` is a stored PSObject and isn't getting passed to cmd "correctly". Is there a way around this?

PS: `Get-StoredCredential` is from the CredentialManager module.

EvanM
  • Is it not working? (Don't forget to ask your question.) – Bill_Stewart Oct 01 '19 at 15:45
  • Thank you. I added some details and my question. – EvanM Oct 01 '19 at 18:03
  • Do `$username` and `$password` contain the values you expect them to? I tested this module ([PowerShell Gallery](https://www.powershellgallery.com/packages/CredentialManager/), [GitHub](https://github.com/davotronic5000/PowerShell_Credential_Manager)) and a password I saved for accessing a standalone SMB server is returned with an empty `Password` property, though I couldn't get it to produce any (non-warning) results without passing `-AsCredentialObject`. – Lance U. Matthews Oct 01 '19 at 19:09
  • Yes, when called I get the standard hash table with User name populated correctly and the password is "System.Security.SecureString" – EvanM Oct 01 '19 at 19:10
  • To add a little more detail, so it becomes more convoluted: the bat file is a vendor-provided file that then takes the parameter of the bat file and passes it into a compiled Jar file, where it authenticates against my AD structure through SSO enabled on the application. If I type the credentials in clear text this all works; for obvious reasons this is not ideal. – EvanM Oct 01 '19 at 19:12
  • I had written an answer based on [a different `Get-StoredCredential`](https://www.powershellgallery.com/packages/f5-deploy/1.0.50/Content/public%5CGet-StoredCredential.ps1), but perhaps it's still applicable. When I invoke `Get-StoredCredential` from the `CredentialManager` module the result object's `Password` property I believe was of type `String`, but maybe that's just because I used `-AsCredentialObject`. I will undelete and edit my answer. – Lance U. Matthews Oct 01 '19 at 19:24

2 Answers

2

`Get-StoredCredential`, when called without `-AsCredentialObject`, yields `PSCredential` instances. The `PSCredential.Password` property you are accessing is not a `String` but a `SecureString`, so you cannot retrieve the plain text password like you are attempting.

Based on "Convert a secure string to plain text", you can use the `PSCredential` to get a `NetworkCredential` and then use its `Password` property...

```powershell
$password = $creds.GetNetworkCredential().Password
```

In any case, when you get an authentication error using `$username` and `$password` you should ensure those variables contain the values you expect them to.

Lance U. Matthews

2

If `$creds` contains a `PSCredential` object, then you should be able to replace this:

```powershell
$password = $creds.Password
```

with this:

```powershell
$password = $creds.GetNetworkCredential().Password
```

Bill_Stewart
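
The difference both answers describe, shown side by side as an added example that is not part of either answer or of the CredentialManager module. The helper `Get-TriggerArguments`, the account name and the password are constructed for illustration; `C:\trigger.bat` and its arguments are taken from the question.

```powershell
# Constructed sample credential so the example runs without the CredentialManager module.
# In the real script this would be: $creds = Get-StoredCredential -Target "Username"
$secure = ConvertTo-SecureString 'S4mple-Passw0rd' -AsPlainText -Force
$creds  = New-Object System.Management.Automation.PSCredential('svc_portal', $secure)

function Get-TriggerArguments {
    # Hypothetical helper: builds the cmd.exe argument string used in the question.
    param(
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential] $Credential,
        [switch] $UseSecureStringDirectly   # reproduces the failing variant
    )
    $user = $Credential.UserName
    if ($UseSecureStringDirectly) {
        # .Password is a SecureString. String interpolation calls ToString(),
        # which returns the type name rather than the secret.
        $pass = $Credential.Password
    } else {
        # GetNetworkCredential() exposes the decrypted password as a String.
        $pass = $Credential.GetNetworkCredential().Password
    }
    "/c C:\trigger.bat `"argument1`" $user $pass `"Argument2`" Argument3"
}

$broken = Get-TriggerArguments -Credential $creds -UseSecureStringDirectly
$fixed  = Get-TriggerArguments -Credential $creds

# Report what the bat file would receive in each case without printing the secret.
[pscustomobject]@{
    PasswordPropertyType   = $creds.Password.GetType().FullName
    BrokenPassesTypeName   = $broken -match 'System\.Security\.SecureString'
    FixedPassesTypeName    = $fixed  -match 'System\.Security\.SecureString'
}

# Real invocation, left commented out because C:\trigger.bat is the vendor file:
# Start-Process cmd.exe -ArgumentList $fixed -NoNewWindow -Wait

# Drop the plain-text copies as soon as the process has been started.
Remove-Variable broken, fixed
```

Because the bat file takes the password as an argument, the plain-text value is part of the command line of `cmd.exe` and of the Java process it launches, where process listings and command-line auditing can record it. Moving the secret into the credential store removes it from the script file, not from the running process.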