Thycotic SercretServer and PowerShell

PowerShell is great at bridging the gap between different applications that normally don’t integrate. The problem is sometimes those different technologies have different ways of managing access and even if its based on Active Directory, it may not pass on the credential of the logged in user. Luckily most cmdlet developers will take a PowerShell Credential object for an access credential. But what do you do when you don’t want prompt for a password or embed it in the script. I’ve gotten to work with an excellent enterpise password manager made by Thycotic Software called SecretServer, it holds not just just user accounts but credit card, certificates, encryption keys, and almost anything else. It’s a web based application and includes a set of web services for accessing it outside the UI.
So let’s get to the script. I’ll be working with the Windows Authenticated service for now but SecretServer includes an non-Windows Authenticated service as well. First we need to create a Web Service Proxy object to connect to Secret Server and just use the logged in user to authenticate

#Url to the SercretServer application
$SSUri = "http://secretserver/winauthwebservices/sswinauthwebservice.asmx"
$SS = New-WebServiceProxy –UseDefaultCredential –Uri "$SSUri"

You can point your browser to the same URL to see a list of all the different methods available. Now that we have the proxy, we want to access a method called “GetSecret()” it takes the Secret Id as an argument and returns an XML Secret Definition. You can get the Secret Id by viewing the secret and looking in the url.
 

Rather that working with the full definition for we’ll pull the list of the Secrets attributes

$secretdef = $SS.GetSecret(4).Secret.Items

The properties we care about are FieldName and Value. We’re going to extract the values of the fields into variables to make them easier to work with. Since credentials that are domain based require that as part of the username we’ll check the use the presence of a “Domain” field so we can construct our credential properly.

$user = $($secretdef|Where-Object {$_.FieldName -eq "Username" }).Value
$domain = $($secretdef|where-object {$_.FieldName -eq "Domain" }).Value

#Have to force SecurString to take the PlainText
$secpasswd = ConvertTo-SecureString $($secretdef|where-object {$_.FieldName -eq "Password" }).Value -asPlainText -Force
 
Now we have everything we need to create a Credential object

#check to see if the account is a domain account
  
if ( $domain ) {   
 $cred = New-Object System.Management.Automation.PSCredential("$user@$domain",$secpasswd)
 } else {  
 $cred = New-Object System.Management.Automation.PSCredential($user,$secpasswd) 
 }

Now we can pass “$cred” on to any cmdlet that accepts a PSCredential object as a parameter. I’ve included a function that wraps it all up.

Get-SecretServerCred

Next time I’ll show how we can use the Secret’s Name rather than Id number to make it a little easier.