{"id":950,"date":"2020-02-18T12:37:36","date_gmt":"2020-02-18T11:37:36","guid":{"rendered":"http:\/\/www.vatland.no\/?p=950"},"modified":"2020-02-20T16:58:02","modified_gmt":"2020-02-20T15:58:02","slug":"secretservertycotic-plugin-for-powershell-secretsmanagement-module","status":"publish","type":"post","link":"https:\/\/www.vatland.no\/index.php\/secretservertycotic-plugin-for-powershell-secretsmanagement-module\/","title":{"rendered":"SecretServer(Thycotic) plugin for powershell SecretsManagement module."},"content":{"rendered":"<p>With the new PowerShell module SecretsManagement it is possible to add vault extensions (plugins). The module gives you one set of cmdlets to get, add and remove credentials, whichever vault stores them. I created an extension for Thycotic Secret Server for this module.<\/p>\n<p>To get started you have to install SecretsManagement (it is still a prerelease):<br \/>\nInstall-Module -Name Microsoft.PowerShell.SecretsManagement -AllowPrerelease<br \/>\nIf -AllowPrerelease is not recognised you have to update PowerShellGet first ( Install-Module -Name PowerShellGet -Force ) and open a new PowerShell session.<\/p>\n<p>After SecretsManagement has been installed you can run:<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">Add-Secret -Name &quot;Test&quot; -Secret (Get-Credential) -Vault BuiltInLocalVault<\/pre>\n<p>followed by<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">Get-Secret -Name Test<\/pre>\n<p>That stores the credential in the built-in local vault and reads it back as a PSCredential. But I would like to have a uniform cmdlet for all my credentials, including the ones that already live in Secret Server. 
So I used <a href=\"https:\/\/devblogs.microsoft.com\/powershell\/secrets-management-module-vault-extensions\/\" rel=\"noopener noreferrer\" target=\"_blank\">Secrets Management Module Vault Extensions<\/a> to get me started.<\/p>\n<p>If you would like to install my module from the PowerShell Gallery, run:<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">Install-Module -Name SecretsManagement.SecretServer<\/pre>\n<p>A bit more info for those interested.<\/p>\n<p>First I created a new folder structure below C:\\Program Files\\WindowsPowerShell\\Modules\\<br \/>\nSecretsManagement.SecretServer\\0.0.3\\SecretsManagementExtension<br \/>\nThe top folder must have the same name as the module manifest, otherwise PowerShell cannot find the module by name when the vault is registered. In the version folder &#8220;0.0.3&#8221; I added 2 files: Readme.txt (how to register the vault) and SecretsManagement.SecretServer.psd1 (the manifest for the module).<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\n# Module manifest for module 'SecretsManagement.SecretServer'\r\n# Generated by: Atle Vatland\r\n# Generated on: 2\/12\/2020\r\n@{\r\n# Script module or binary module file associated with this manifest.\r\n# There is no root module: the code lives in the nested SecretsManagementExtension module.\r\n# RootModule = ''\r\n# Version number of this module.\r\nModuleVersion = '0.0.3'\r\n# Supported PSEditions. New-WebServiceProxy only exists in Windows PowerShell, so Desktop only.\r\nCompatiblePSEditions = @('Desktop')\r\n# ID used to uniquely identify this module\r\nGUID = 'e25aacec-637f-4935-bbd9-463a75ba46ea'\r\n# Author of this module\r\nAuthor = 'Atle Vatland'\r\n# Copyright statement for this module\r\nCopyright = '(c) 2020 Atle Vatland. All rights reserved.'\r\n# Description of the functionality provided by this module\r\nDescription = 'Proof of concept for Secretserver( by Thycotic ) vault extension for powershell. Remove-secret is not implemented in this test.'\r\n# Minimum version of the PowerShell engine required by this module\r\nPowerShellVersion = '5.1'\r\n}\r\n<\/pre>\n<p>The subfolder has to be named &#8220;SecretsManagementExtension&#8221;, and the two files in it have to be named SecretsManagementExtension.psd1 and SecretsManagementExtension.psm1. SecretsManagement loads this nested module and calls its Get-Secret, Set-Secret, Remove-Secret and Get-SecretInfo functions, passing the vault parameters in $AdditionalParameters.<br \/>\nWhat gave me some hassle was that the Add-Secret cmdlet actually calls Set-Secret in the extension.<\/p>\n<p>SecretsManagementExtension.psd1:<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\n@{\r\n    ModuleVersion = '1.0'\r\n    RootModule = '.\\SecretsManagementExtension.psm1'\r\n    PowerShellVersion = '5.1'\r\n    # Only the four functions SecretsManagement calls are exported; helpers stay private.\r\n    FunctionsToExport = @('Get-Secret','Set-Secret','Remove-Secret','Get-SecretInfo')\r\n    PrivateData = @{\r\n        PSData = @{\r\n            # A URL to the license for this module.\r\n            LicenseUri = 'https:\/\/opensource.org\/licenses\/MIT'\r\n        } # End of PSData hashtable\r\n    } # End of PrivateData hashtable\r\n}\r\n<\/pre>\n<p>Remove-Secret is deliberately not implemented, as we do not want this module to be able to delete any secrets; it just throws.<br \/>\nSecretsManagementExtension.psm1:<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\n# Licensed under the MIT License.\r\n\r\n# Private helper: validate the vault parameters and create the SOAP proxy.\r\n# The SOAP body carries usernames and passwords in clear text, so only https is accepted.\r\nfunction Connect-SecretServer\r\n{\r\n    param (\r\n        &#x5B;hashtable] $AdditionalParameters\r\n    )\r\n    $where = $AdditionalParameters.secretserveruri\r\n    $cred = $AdditionalParameters.secretservercredential\r\n    if (&#x5B;string]::IsNullOrEmpty($where) -or (&#x5B;uri]$where).Scheme -ne 'https') {\r\n        throw &quot;secretserveruri must be an https URL.&quot;\r\n    }\r\n    if ($cred -isnot &#x5B;PSCredential]) {\r\n        throw &quot;secretservercredential must be a PSCredential.&quot;\r\n    }\r\n    New-WebServiceProxy -Uri $where -Credential $cred -ErrorAction Stop\r\n}\r\n\r\nfunction Get-Secret\r\n{\r\n    param (\r\n        &#x5B;string] $Name,\r\n        &#x5B;hashtable] $AdditionalParameters\r\n    )\r\n    # Name is the Secret Server secret id.\r\n    $ws = Connect-SecretServer -AdditionalParameters $AdditionalParameters\r\n    $wsResult = $ws.GetSecret(&#x5B;int]$Name, $false, $null)\r\n    if ($wsResult.Errors.Count -gt 0) {\r\n        throw &quot;GetSecret($Name) failed: $($wsResult.Errors -join '; ')&quot;\r\n    }\r\n    # Items are in template field order; for Windows Account that is Machine, Username, Password, Notes.\r\n    $items = $wsResult.Secret.Items\r\n    if ($items.Count -lt 3) {\r\n        throw &quot;Secret $Name does not have the expected Username and Password fields.&quot;\r\n    }\r\n    &#x5B;PSCredential]::new($items&#x5B;1].Value.ToString(), ($items&#x5B;2].Value.ToString() | ConvertTo-SecureString -AsPlainText -Force))\r\n}\r\n\r\nfunction Set-Secret\r\n{\r\n    param (\r\n        &#x5B;string] $Name,\r\n        &#x5B;object] $Secret,\r\n        &#x5B;hashtable] $AdditionalParameters\r\n    )\r\n    # Name becomes the Machine field and the prefix of the secret name in Secret Server.\r\n    $domain = $Name\r\n    $secretserverfolder = $AdditionalParameters.secretserverfolderid\r\n    if ($null -eq $secretserverfolder) {\r\n        $secretserverfolder = -1    # -1 = no folder\r\n    }\r\n    $templatename = $AdditionalParameters.secretservertemplate\r\n    if ($null -eq $templatename) {\r\n        $templatename = &quot;Windows Account&quot;\r\n    }\r\n    if ($null -eq $Secret) {\r\n        throw &quot;Secret can not be null.&quot;\r\n    }\r\n    elseif ($Secret -is &#x5B;PSCredential]) {\r\n        $username = $Secret.UserName\r\n        # Clear text is unavoidable here: AddSecret takes the field values as strings.\r\n        $password = $Secret.GetNetworkCredential().Password\r\n    }\r\n    else {\r\n        # Strings, SecureStrings, hashtables and byte arrays are not supported by this extension.\r\n        throw &quot;Secret type $($Secret.GetType().Name) is currently not supported, use a PSCredential.&quot;\r\n    }\r\n    $ws = Connect-SecretServer -AdditionalParameters $AdditionalParameters\r\n    # Get Template\r\n    $template = $ws.GetSecretTemplates().SecretTemplates | Where-Object { $_.Name -eq $templatename }\r\n    if ($null -eq $template) {\r\n        throw &quot;Template '$templatename' not found in Secret Server.&quot;\r\n    }\r\n    # Set fields info\r\n    $secretName = $domain + &quot;-&quot; + $username\r\n    $secretItemFields = @(\r\n        ($template.Fields | Where-Object { $_.DisplayName -eq &quot;Machine&quot; }).Id,\r\n        ($template.Fields | Where-Object { $_.DisplayName -eq &quot;Username&quot; }).Id,\r\n        ($template.Fields | Where-Object { $_.DisplayName -eq &quot;Password&quot; }).Id,\r\n        ($template.Fields | Where-Object { $_.DisplayName -eq &quot;Notes&quot; }).Id\r\n    )\r\n    $secretItemValues = @($domain, $username, $password, &quot;&quot;)\r\n    $folderId = &#x5B;int]$secretserverfolder\r\n    # Add secret to secretserver.\r\n    $addResult = $ws.AddSecret($template.Id, $secretName, $secretItemFields, $secretItemValues, $folderId)\r\n    if ($addResult.Errors.Count -gt 0) {\r\n        Write-Error &quot;AddSecret failed: $($addResult.Errors -join '; ')&quot;\r\n        return $false\r\n    }\r\n    return $true\r\n}\r\n\r\nfunction Remove-Secret\r\n{\r\n    param (\r\n        &#x5B;string] $Name,\r\n        &#x5B;hashtable] $AdditionalParameters\r\n    )\r\n    # Deliberately not implemented: this module must not be able to delete secrets.\r\n    throw &quot;Not implemented&quot;\r\n}\r\n\r\nfunction Get-SecretInfo\r\n{\r\n    param (\r\n        &#x5B;string] $Filter,\r\n        &#x5B;hashtable] $AdditionalParameters\r\n    )\r\n    if (&#x5B;string]::IsNullOrEmpty($Filter)) { $Filter = &quot;*&quot; }\r\n    $ws = Connect-SecretServer -AdditionalParameters $AdditionalParameters\r\n    $hits = $ws.SearchSecrets($Filter, $null, $null)\r\n    if ($hits.Errors.Count -gt 0) {\r\n        throw &quot;SearchSecrets failed: $($hits.Errors -join '; ')&quot;\r\n    }\r\n    # Name is the secret id (what Get-Secret expects), Value is the secret name in Secret Server.\r\n    foreach ($hit in $hits.SecretSummaries) {\r\n        &#x5B;pscustomobject] @{\r\n            Name  = $hit.SecretId.ToString()\r\n            Value = $hit.SecretName.ToString()\r\n        }\r\n    }\r\n}\r\n<\/pre>\n<p>A few things to be aware of in this code. The SOAP request carries the username and password in clear text inside the XML body, so the web service URI must be https and the helper refuses anything else. Set-Secret has to hold the password in clear text in $password to pass it to AddSecret, and Get-Secret goes through a clear-text string on its way to the SecureString, so run this in a session you trust. The account in secretservercredential should be a dedicated service account with only the rights it needs: view on the secrets you retrieve and create in the folder new secrets go to. Get-Secret assumes the field order of the Windows Account template (Machine, Username, Password, Notes); map the fields by name if you use another template.<\/p>\n<p>To register this extension with SecretsManagement there are some vault parameters: the credential used to access Secret Server and the web service URL are required, the default template and default folder are optional.<br \/>\nThe credential and the parameters are stored encrypted in Credential Manager by SecretsManagement.<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\n&#x5B;pscredential]$c = Get-Credential  # Secret Server credential, preferably a dedicated service account\r\n\r\nRegister-SecretsVault -Name &quot;VaultName&quot; -ModuleName secretsmanagement.secretserver -VaultParameters @{\r\n    secretservercredential = $c    # Account used to connect to Secret Server.\r\n    secretserveruri = &quot;https:\/\/secretserver.domain.local\/secretserver\/winauthwebservices\/sswinauthwebservice.asmx&quot; # Web service URI, must be https.\r\n    secretserverfolderid = 44    # New secrets are stored in this folder. Folder id -1 (no folder) is used if not specified.\r\n    secretservertemplate = &quot;Windows Account&quot;  # Template used when creating new secrets. &quot;Windows Account&quot; is the default if not specified.\r\n}\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>With the new PowerShell module SecretsManagement it is possible to add vault extensions (plugins). The module gives you one set of cmdlets to get, add and remove credentials, whichever vault stores them. I created an extension for Thycotic Secret Server for this module. &hellip; <a href=\"https:\/\/www.vatland.no\/index.php\/secretservertycotic-plugin-for-powershell-secretsmanagement-module\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SecretServer(Thycotic) plugin for powershell SecretsManagement module.<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"SecretServer(Thycotic) plugin for powershell SecretsManagement 
module.","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[48],"tags":[93,91,92,59,94],"class_list":["post-950","post","type-post","status-publish","format-standard","hentry","category-powershell","tag-add-secret","tag-credential","tag-get-secret","tag-powershell","tag-secretsmanagement"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_likes_enabled":false,"jetpack-related-posts":[{"id":920,"url":"https:\/\/www.vatland.no\/index.php\/get-secretserver-secret\/","url_meta":{"origin":950,"position":0},"title":"Get Secretserver secret","author":"Atle","date":"October 3, 2019","format":false,"excerpt":"Since we are using SecretServer as our credential store it is of great help to be able to get credentials directly from powershell. This is a small function that connects to secretserver webservices and retrieve a secret based on secred ID. The function will connect to the webservice as the\u2026","rel":"","context":"In &quot;Development&quot;","block_context":{"text":"Development","link":"https:\/\/www.vatland.no\/index.php\/category\/development\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":899,"url":"https:\/\/www.vatland.no\/index.php\/csp-access-to-tenants-using-powershell-part-2\/","url_meta":{"origin":950,"position":1},"title":"CSP access to tenants using powershell. Part 2","author":"Atle","date":"September 20, 2019","format":false,"excerpt":"In part 1 we created the Azure Enterprise App for Partnercenter and used this information to connect using powershell and connect-partnercenter. Now we will use this to connect to one of our customers tenants. First we will use AZ module and connect-azaccount. 
We will use the AZ module and the\u2026","rel":"","context":"In &quot;Azure&quot;","block_context":{"text":"Azure","link":"https:\/\/www.vatland.no\/index.php\/category\/azure\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":914,"url":"https:\/\/www.vatland.no\/index.php\/csp-access-to-tenants-using-powershell-part-4\/","url_meta":{"origin":950,"position":2},"title":"CSP access to tenants using powershell. Part 4","author":"Atle","date":"September 24, 2019","format":false,"excerpt":"This is a small script that connects to partnercenter list all customers tenants and let you select one. When one is selected it connects to azuread and az for that customer. All my credentials are stored in SecretServer . I use a web service request to get those credentials. I\u2026","rel":"","context":"In &quot;Azure&quot;","block_context":{"text":"Azure","link":"https:\/\/www.vatland.no\/index.php\/category\/azure\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":975,"url":"https:\/\/www.vatland.no\/index.php\/log-tenants-from-office-365-to-local-db\/","url_meta":{"origin":950,"position":3},"title":"Log tenants from office 365 to local Db","author":"Atle","date":"January 3, 2021","format":false,"excerpt":"Hi, I like to keep control of how many licenses our cutomers use versus how many\u00a0 have been purchased. Here is 1st part\u00a0 my PS script to copy the info from csp to the DB. 
I will start creating a database and table to keep a list of all the\u2026","rel":"","context":"In &quot;Azure&quot;","block_context":{"text":"Azure","link":"https:\/\/www.vatland.no\/index.php\/category\/azure\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":934,"url":"https:\/\/www.vatland.no\/index.php\/simple-powershell-mru-list\/","url_meta":{"origin":950,"position":4},"title":"Simple Powershell MRU list","author":"Atle","date":"December 23, 2019","format":false,"excerpt":"When using using my secret server powershell functions I got tired of constantly searching for secret ID's. I had to do a new search just because I could not remember the ID's. So I added some kind of MRU to my get-secretID function. This code block creates to classes mruitem\u2026","rel":"","context":"In &quot;Powershell&quot;","block_context":{"text":"Powershell","link":"https:\/\/www.vatland.no\/index.php\/category\/powershell\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":902,"url":"https:\/\/www.vatland.no\/index.php\/csp-access-to-tenants-using-powershell-part-3\/","url_meta":{"origin":950,"position":5},"title":"CSP access to tenants using powershell. Part 3","author":"Atle","date":"September 23, 2019","format":false,"excerpt":"In this part 3 of CSP and powershell I will show how you can connect to azureAD of a customer tenant using your CSP app credentials and refreshtoken. This is almost the same procedure as we use to connect to az. 
We will start with the same variables as in\u2026","rel":"","context":"In &quot;Azure&quot;","block_context":{"text":"Azure","link":"https:\/\/www.vatland.no\/index.php\/category\/azure\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/www.vatland.no\/index.php\/wp-json\/wp\/v2\/posts\/950","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.vatland.no\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.vatland.no\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.vatland.no\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.vatland.no\/index.php\/wp-json\/wp\/v2\/comments?post=950"}],"version-history":[{"count":4,"href":"https:\/\/www.vatland.no\/index.php\/wp-json\/wp\/v2\/posts\/950\/revisions"}],"predecessor-version":[{"id":954,"href":"https:\/\/www.vatland.no\/index.php\/wp-json\/wp\/v2\/posts\/950\/revisions\/954"}],"wp:attachment":[{"href":"https:\/\/www.vatland.no\/index.php\/wp-json\/wp\/v2\/media?parent=950"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.vatland.no\/index.php\/wp-json\/wp\/v2\/categories?post=950"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.vatland.no\/index.php\/wp-json\/wp\/v2\/tags?post=950"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
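The post registers the vault with whatever parameters it is given, so a wrong URI, a bad credential or a missing template only shows up when the first Add-Secret or Get-Secret fails. The script below is an added example, not code from the post or from the SecretsManagement.SecretServer module: it runs those checks against the web service first, using the same GetSecretTemplates call and the same template field DisplayNames the extension's Set-Secret relies on, and calls Register-SecretsVault only if they pass. It assumes the GetSecretTemplates result carries an Errors array the way the AddSecret result on the page does, and that the vault parameter names are the ones the extension reads; the vault name, host and account in the usage line are placeholders.

```powershell
# Added example (not from the original post): pre-flight checks before registering the
# Secret Server vault. Assumes the web service behaves as the extension expects
# (GetSecretTemplates returns .SecretTemplates with .Name and .Fields[].DisplayName, and an
# .Errors array like AddSecret does) and that the vault parameter names match the extension.
function Register-SecretServerVaultChecked {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $SecretServerUri,
        [Parameter(Mandatory)] [pscredential] $SecretServerCredential,
        [int] $FolderId = -1,                       # -1 = no folder, same default as the extension
        [string] $TemplateName = 'Windows Account'  # same default as the extension
    )

    # 1. The SOAP body carries usernames and passwords in clear text, so refuse anything but https.
    $uri = [uri] $SecretServerUri
    if ($uri.Scheme -ne 'https') {
        throw "secretserveruri must use https, got '$($uri.Scheme)'."
    }

    # 2. Prove the credential works and the service answers before anything is persisted.
    $ws = New-WebServiceProxy -Uri $SecretServerUri -Credential $SecretServerCredential -ErrorAction Stop
    $templatesResult = $ws.GetSecretTemplates()
    if ($templatesResult.Errors.Count -gt 0) {
        throw "GetSecretTemplates failed: $($templatesResult.Errors -join '; ')"
    }

    # 3. The template Set-Secret will write to must exist and carry the four fields it maps.
    $template = $templatesResult.SecretTemplates | Where-Object { $_.Name -eq $TemplateName }
    if ($null -eq $template) {
        $available = ($templatesResult.SecretTemplates | ForEach-Object Name) -join ', '
        throw "Template '$TemplateName' not found. Available templates: $available"
    }
    $required = 'Machine', 'Username', 'Password', 'Notes'
    $present  = $template.Fields | ForEach-Object DisplayName
    $missing  = $required | Where-Object { $_ -notin $present }
    if ($missing) {
        throw "Template '$TemplateName' lacks field(s): $($missing -join ', ')"
    }

    # 4. Only now register the vault. SecretsManagement stores the credential and parameters;
    #    this function keeps nothing.
    Register-SecretsVault -Name $VaultName -ModuleName secretsmanagement.secretserver -VaultParameters @{
        secretservercredential = $SecretServerCredential
        secretserveruri        = $SecretServerUri
        secretserverfolderid   = $FolderId
        secretservertemplate   = $TemplateName
    }
    Write-Verbose "Vault '$VaultName' registered against $($uri.Host) with template '$TemplateName'."
}

# Usage (placeholder host and vault name):
# Register-SecretServerVaultChecked -VaultName 'SecretServer' `
#     -SecretServerUri 'https://secretserver.domain.local/secretserver/winauthwebservices/sswinauthwebservice.asmx' `
#     -SecretServerCredential (Get-Credential -Message 'Secret Server service account') -FolderId 44 -Verbose
```

The order matters: the https check runs before any network call so a plain-http URI never sends the credential, and the template check runs before Register-SecretsVault so a typo in the template name is caught here rather than on the first Add-Secret, after the vault parameters have already been written to Credential Manager.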