
Add inbuilt support for Windows AD Authentication #149

Closed
Badgerati opened this issue Jan 6, 2019 · 10 comments

Comments

@Badgerati
Owner

Need to add an inbuilt validator for auth which allows Windows AD authentication.

This can definitely be supported on Windows PowerShell, but only exists in PowerShell Core 6.1+. (And even then, only for Windows, not on *nix environments - so will need another issue to support Windows AD on *nix).

Idea:

auth use login -t basic -v 'windows-ad' -o @{ 'domain' = 'test' }
  • This will automatically source the credentials from the Basic Header, and auth against the test domain Windows AD
@majkinetor
Sponsor

This can definitely been supported on Windows PowerShell, but only exists in PowerShell Core 6.1+.

Can you clarify or give link ?

@Badgerati
Owner Author

I was looking at System.DirectoryServices.DirectoryEntry to do it, and when I tried to get that namespace on 6.0 it couldn't find it - until I updated to 6.1

https://docs.microsoft.com/en-us/powershell/scripting/whats-new/what-s-new-in-powershell-core-61?view=powershell-6#windows-powershell-type-accelerators

@Badgerati
Owner Author

Just tried on a different machine with v6.0 - to make sure my installation wasn't knackered - and it also couldn't see the namespace until updated to v6.1.

@majkinetor
Sponsor

AFAIK it requires AD posh module. See:

@Badgerati
Owner Author

I was aware the module existed, but that's a far better article on installing than I'd seen! Ones I read made it sound like a nightmare to install.

I'll look into having that installed on an AD and invoking commands remotely against it tomorrow; least this means it should also hopefully work on *nix, too.

@majkinetor
Sponsor

It's as simple as cinst rsat in the general case.

least this means it should also hopefully work on *nix, too.

You definitely need to go original 6.1 route here. Having dependency installed should not be a concern of the pode IMO, it should be left to users. Documentation IMO should be enough.

@Badgerati
Owner Author

Oh yeah, definitely. What I was thinking of doing was having in the docs that Windows AD auth is supported, but you need to have the AD module installed on the AD you wish to auth against - pode won't do this for you. (and potentially something like if the module isn't there, then it will do a naive AD check using DirectoryEntry).

As in the article PowerShell Core needs to run the commands remotely against the AD to use the module. Though, doing some quick digging, Linux->Windows remoting doesn't appear to work unless you setup WinRM to allow unencrypted traffic on the AD 😕.

So sort of back to square one on Linux.

@Badgerati
Owner Author

Badgerati commented Jan 8, 2019

So now I'm awake, rather than half dead 👀

The RSAT module appears to not actually be needed, unless I need to use the Get-AD* commands - which for this it seems I don't need to.

In the examples I could find (ie: https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Test-Domain-b71cc520), people use the DirectoryEntry class to validate the credentials, but only seem to use the AD module for further validation to see why an account may have failed.

For this, PS and 6.1 should be enough I think (+docs).

I'll keep digging for a *nix route, was hoping realmd could be a possible option but might not be 😞. This was originally just to get it in for Windows, so may just raise a second issue for *nix only.
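As an added example (not Pode's own code, and not from this issue), here is a PowerShell validator in the shape the idea above sketches: it attempts an authenticated bind with System.DirectoryServices.DirectoryEntry using the credentials taken from the Basic header and treats a failed bind as a failed login. It assumes Windows and PowerShell 6.1+ as discussed; the function name Test-AdCredential and the validator scriptblock shape are assumptions, not Pode's actual API.

```powershell
# Added example, not Pode's code. Validates a username/password pair against a
# Windows AD domain by binding a DirectoryEntry with those credentials.
# Requires Windows and PowerShell 6.1+ (or Windows PowerShell); function name is assumed.
function Test-AdCredential {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$Username,
        [Parameter(Mandatory)][string]$Password
    )

    # Refuse empty passwords up front: an LDAP bind with an empty password can be
    # treated as an anonymous bind and would otherwise look like a success.
    if ([string]::IsNullOrWhiteSpace($Password)) { return $false }

    # Secure = Kerberos/NTLM binding, so the password is not sent in clear text.
    $authType = [System.DirectoryServices.AuthenticationTypes]::Secure
    $entry = $null
    try {
        $entry = [System.DirectoryServices.DirectoryEntry]::new(
            "LDAP://$Domain", "$Domain\$Username", $Password, $authType)
        # Reading NativeObject forces the bind; invalid credentials throw here.
        $null = $entry.NativeObject
        return $true
    }
    catch {
        # Do not tell the caller *why* it failed (bad password, unknown user,
        # locked account); a uniform failure avoids leaking account state.
        return $false
    }
    finally {
        if ($null -ne $entry) { $entry.Dispose() }
    }
}

# A basic-auth validator in the shape this issue sketches (domain 'test' as above).
# It receives the decoded username/password from the Basic header and returns a
# user object on success or $null on failure; the exact contract is assumed.
$validator = {
    param($username, $password)
    if (Test-AdCredential -Domain 'test' -Username $username -Password $password) {
        return @{ 'user' = @{ 'name' = $username; 'domain' = 'test' } }
    }
    return $null
}
```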

@majkinetor
Sponsor

There are several winrm implementations on Linux (not sure for Unix) that are used in several projects I've used, such as:

On *nix you could also make it work by using OpenSSH instead to domain and then invoking its AD cmdlets.

Not as elegant as on Windows, but this is probably of low importance and the problem may be resolved in the near future by MS.

See also

@Badgerati
Owner Author

Aye, hopefully MS will add support in dotnet core at some point.

From the last link, the https://github.com/dsbenghe/Novell.Directory.Ldap.NETStandard library seems like a good one for some quick docs to use LDAP on *nix.
