1

I'm trying to make a rudimentary credential store for some service accounts on a web app. I have a web page where I enter the username and password, and it POSTs to the code below:

Param
    (
        [Parameter(Mandatory = $true)] $Username,
        [Parameter(Mandatory = $true)] $Password
    )

$secpwd = $Password | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString
$newline = "$($Username),$($secpwd)"
$newline | Add-Content "..\Database\accounts.csv"

For whatever reason, what I get is username,blank in the CSV and I'm not entirely sure why. I did rewrite this locally using params gathered from the command line, and that test works. In an earlier iteration of this code it would actually return the plain text password.

EDIT: I'm adding the output of a try/catch: ConvertFrom-SecureString : The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.

2
  • Is there a difference on your work machine when you step through the code with $Username when run as admin versus standard user context? Is $secpwd presented in your file either way? Are your usernames all numbers? Maybe type inference, since not specified in your parameters, might be part of your issue. Commented Jan 4, 2019 at 20:03
  • The only thing I can think of is that running the local version is using the logged in user. Technically the account I use to access these files is an admin account, so that might be why the local version works vs the web version. Here is the output of a try/catch: ConvertFrom-SecureString : The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating. Commented Jan 4, 2019 at 20:12

1 Answer

1

I think I got it figured out. I think that since this is a website, it doesn't have a user logged in technically. Since it doesn't, I have to use a key in order to encrypt the password. So now my code looks like this:

Param
    (
        [Parameter(Mandatory = $true)] $Username,
        [Parameter(Mandatory = $true)] $Password
    )

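try {
    # Load the key; with -Key, ConvertFrom-SecureString encrypts with AES instead of DPAPI
    $key = Get-Content "..\Database\keyfile.key"
    $secpwd = $Password | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString -Key $key
    # Append "username,encrypted password" to the store
    $newline = "$($Username),$($secpwd)"
    $newline | Add-Content "..\Database\accounts.csv"
}
catch {
    # Return the accumulated errors to the caller
    $Error
}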

Also, this is the code to generate the key in the keyfile:

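$keyfile = "..\Database\keyfile.key"
# 16 random bytes = a 128-bit AES key
$key = New-Object Byte[] 16
[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($key)
# Out-File writes each byte as a decimal number on its own line
$key | Out-File $keyfile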
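
A round trip of the key-based approach described in this answer, as an added example that is not part of the original post: it stores the key as raw bytes, writes the encrypted password with Export-Csv, and reads it back with the same key. The temp directory, the function names (Add-StoredAccount, Get-StoredCredential) and the sample account are assumptions made for illustration.

```powershell
# Added example: constructed paths and sample values, not from the original post.
$dir     = Join-Path ([IO.Path]::GetTempPath()) 'credstore-demo'   # hypothetical location
$keyFile = Join-Path $dir 'keyfile.key'
$csvFile = Join-Path $dir 'accounts.csv'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# 1. Generate the AES key once and store it as raw bytes (-Key accepts 16, 24 or 32 bytes).
if (-not (Test-Path $keyFile)) {
    $key = New-Object byte[] 32
    $rng = [Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($key)
    $rng.Dispose()
    [IO.File]::WriteAllBytes($keyFile, $key)
}
$key = [IO.File]::ReadAllBytes($keyFile)

# 2. Store: with -Key, ConvertFrom-SecureString uses AES instead of DPAPI,
#    so no loaded user profile is needed.
function Add-StoredAccount([string]$Username, [string]$Password) {
    $enc = ConvertTo-SecureString $Password -AsPlainText -Force |
           ConvertFrom-SecureString -Key $key
    # Export-Csv quotes fields, so a comma in a username cannot break the row
    [pscustomobject]@{ Username = $Username; Password = $enc } |
        Export-Csv -Path $csvFile -Append -NoTypeInformation
}

# 3. Read back: the same key turns the stored string into a SecureString again.
function Get-StoredCredential([string]$Username) {
    $row = Import-Csv -Path $csvFile |
           Where-Object Username -eq $Username |
           Select-Object -Last 1
    if (-not $row) { throw "No stored account named '$Username'" }
    $sec = ConvertTo-SecureString $row.Password -Key $key
    New-Object System.Management.Automation.PSCredential ($row.Username, $sec)
}

# Round trip with a constructed sample account
Add-StoredAccount -Username 'svc-demo' -Password 'constructed-sample-password'
$cred = Get-StoredCredential -Username 'svc-demo'
$cred.GetNetworkCredential().Password -eq 'constructed-sample-password'
```

Anyone who can read the key file can decrypt every row in the CSV, so the key file should sit outside the web root with NTFS permissions limited to the identity the site runs as.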