Functions/Get-AccessCredential.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
Function Get-AccessCredential {
    <#
    .Synopsis
        Retreive a PsCredential object for access to a system or session-object.
    .DESCRIPTION
        A cached credential will be used if a credential XML-file is found. If no file is found the user need to provide info interactivally. The provided
        username and password is saved for later use.
        The saved credential file can only be decrypted by current user on current machine.
    .PARAMETER AccessName
        System name to retreive access to. This will be used in the saved file name.
    .PARAMETER CredFilesPath
        Folder to read/save credentials from/to.
    #.PARAMETER MachineProtectionScope
    # Only lock credential file to current computer. NOTE:ALL users with access to the computer may retreive credential info.
    .PARAMETER Renew
        Force renewal of credential file.
 
    .Notes
     
    #>

    [CmdletBinding()]
    PARAM(        
        [string]$AccessName,
        [string]$CredFilesPath,
        #[switch]$MachineProtectionScope,
        [switch]$Renew
    )

    #The MachineProtectionScope option is NOT recomended as ALL users with access to this machine may decrypt credentials
    #if ($MachineProtectionScope) {
    # $machineKey = [System.Text.Encoding]::UTF8.GetBytes((Get-ItemProperty registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\ -Name MachineGuid).MachineGUID.Replace('-',''))
    # $CredFileName = $env:ComputerName + "$AccessName.xml"
    #} else {
        $CredFileName = $env:ComputerName + "." + $env:UserName + "$AccessName.xml"
    #}

    if ([string]::IsNullOrEmpty($CredFilesPath)) { 
        $credFile = $CredFileName
    } else {
        $credFile = $CredFilesPath + "\" + $CredFileName
    }
    
    Write-Verbose "Using credfile $credFile"

    if ((Test-Path $credFile) -and (!$renew)) {
        try {
            $creds = Import-Clixml $credFile
            #if ($MachineProtectionScope) {
            # $machinePwd = ConvertTo-SecureString -String $creds.Password -Key $machineKey
            # $creds = New-Object System.Management.Automation.PSCredential($creds.UserName, $machinePwd)
            #}
        } catch {
            #Renew credentials if cache failed
            Write-Verbose "Renew credentials due to error"
            Get-AccessCredential @PsBoundParameters -renew
        }
    } else {
        #Retreive credentials interactivally
        #$creds=Get-Credential
        $creds = $host.ui.PromptForCredential("Get access credentials for $AccessName", "Please enter your access credentials", "", "")
        if (-not $creds) {
            Throw "No credentials provided in dialog!"
        }
        
        Write-Verbose "Save new credentials"
        #if ($MachineProtectionScope) {
        # $userPwd = ConvertFrom-SecureString -SecureString $($creds.Password) -Key $machineKey
        # @{UserName=$creds.UserName;Password=$userPwd} | Export-Clixml -Path $credFile -Force
        #} else {
            $creds | Export-Clixml -Path $credFile -Force
        #}
    }
    return $creds
}