Secret Server includes many pre-configured Password Changers that are used by the Remote Password Change (RPC) process, including PowerShell scripts.
Searching Secret Server in PowerShell
Secret Server webservices can be called using scripts. To authenticate and search for a secret in PowerShell, use the procedure below.
- Save the script below to a file, such as searchsecret.ps1.
- Change the script as needed to match your Secret Server and username/password/domain.
- Change the $searchterm to match your search.
- Open a command window (cmd.exe).
- Navigate to the same directory as searchsecret.ps1.
- Run the script by using .\searchsecret.ps1 or powershell .\searchsecret.ps1.
$url = 'http://mysecretserver/webservices/sswebservice.asmx'
$username = 'myusername'
$password = 'mypassword'
$domain = 'mydomain' # leave blank for local users
$searchterm = 'VPN'
# Build a SOAP proxy for the Secret Server web service (Windows auth at the HTTP level)
$proxy = New-WebServiceProxy -uri $url -UseDefaultCredential
# get a token for further use by authenticating using username/password
$result1 = $proxy.Authenticate($username, $password, '', $domain)
if ($result1.Errors.length -gt 0) {
    # print the first error returned by the web service and stop
    $result1.Errors[0]
    exit
}
else {
    $token = $result1.Token
}
# search secrets with our searchterm (authenticate by passing in our token)
Write-Host 'Searching for: ' $searchterm
$result2 = $proxy.SearchSecrets($token, $searchterm, $null, $null)
if ($result2.Errors.length -gt 0) {
    $result2.Errors[0]
}
else {
    Write-Host 'Got search results: ' $result2.SecretSummaries.length
    # If you want the data as XML
    # $xml = ConvertTo-Xml $result2.SecretSummaries -As string -Depth 20
    # $xml
    # print one line per matching secret (summary only; no secret values are returned here)
    $result2.SecretSummaries | ForEach-Object { Write-Host 'SecretId:' $_.SecretId ' Name:' $_.SecretName ' FolderId:' $_.FolderId }
    # if ($result2.SecretSummaries.length -gt 0) {
    #     $result2.SecretSummaries[0]
    # }
}
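The script above embeds a Secret Server password in a file on disk and sends it to an http:// endpoint, where Authenticate() carries it in the SOAP body in clear text. The following variant is an added example, not code from the original post or from Delinea: it keeps the same sswebservice.asmx endpoint and the same Authenticate / SearchSecrets calls, but takes the URL and search term as parameters, prompts for the credential instead of hard-coding it, and refuses to authenticate unless the URL is HTTPS. Parameter names are my own.

```powershell
# Added example: searchsecret.ps1 without hard-coded credentials or plain HTTP.
# Assumed endpoint and calls are the same as the script above.
param(
    [Parameter(Mandatory)] [string] $Url,        # e.g. https://mysecretserver/webservices/sswebservice.asmx
    [Parameter(Mandatory)] [string] $SearchTerm, # same role as $searchterm above
    [string] $Domain = ''                        # leave blank for local Secret Server users
)

# Authenticate() puts the password in the SOAP body, so insist on TLS for the transport.
if ($Url -notmatch '^https://') {
    throw "Refusing to authenticate over a non-HTTPS URL: $Url"
}

# Prompt for the Secret Server user; nothing secret is stored in the script file.
$cred = Get-Credential -Message 'Secret Server user'
$plainPassword = $cred.GetNetworkCredential().Password

# Same proxy construction as the original script (Windows auth at the HTTP level).
$proxy = New-WebServiceProxy -Uri $Url -UseDefaultCredential

$auth = $proxy.Authenticate($cred.UserName, $plainPassword, '', $Domain)
# Drop the plaintext copy as soon as the token has been obtained.
$plainPassword = $null
if ($auth.Errors.Length -gt 0) {
    throw "Authentication failed: $($auth.Errors[0])"
}
$token = $auth.Token

# Search with the token; SearchSecrets returns summaries only, never field values.
$search = $proxy.SearchSecrets($token, $SearchTerm, $null, $null)
if ($search.Errors.Length -gt 0) {
    throw "Search failed: $($search.Errors[0])"
}

# Emit objects rather than Write-Host text so the result can be piped or filtered.
$search.SecretSummaries | Select-Object SecretId, SecretName, FolderId
```

Run it as `.\searchsecret.ps1 -Url https://mysecretserver/webservices/sswebservice.asmx -SearchTerm VPN`. Because the output is objects, `| Where-Object FolderId -eq 12` or `| Export-Csv` work directly, and nothing in the script's own output ever contains the password.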
Using Secret Fields in Scripts
Secret Server supports using PowerShell, SSH, and SQL scripts as dependencies on a secret. These scripts can use information on the secret through the field name prepended with a $. For example, $DOMAIN, $PASSWORD, or $USERNAME. Linked secrets are accessible by $[1]$FIELDNAME for the first linked secret, $[2]$FIELDNAME for the second, and so on.
There are two contexts in which script dependencies run:
- As part of the RPC process. See Password Changing Scripts.
- When run manually from the Dependencies tab on the secret.
For a complete list of tokens that are available to script dependencies, see List of Dependency Tokens.
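As an added example of how those tokens reach a script (this is not code from the original post or from Delinea's documentation), the following PowerShell dependency pushes the rotated password to the logon account of a Windows service. It assumes the dependency's arguments are configured as `$DOMAIN $USERNAME $PASSWORD $[1]$SERVER $[1]$SERVICENAME`, so the token values arrive positionally, the same way the changer script further down reads `$Args[0]`..`$Args[4]`; SERVER and SERVICENAME are hypothetical field names on the first linked secret, and the Win32_Service calls are standard CIM.

```powershell
# Added example: PowerShell script dependency that syncs a service logon password.
# Assumed dependency arguments: $DOMAIN $USERNAME $PASSWORD $[1]$SERVER $[1]$SERVICENAME
# (SERVER and SERVICENAME are hypothetical fields on the first linked secret).
param(
    [Parameter(Mandatory)] [string] $Domain,      # $DOMAIN
    [Parameter(Mandatory)] [string] $UserName,    # $USERNAME
    [Parameter(Mandatory)] [string] $Password,    # $PASSWORD, i.e. the value after RPC
    [Parameter(Mandatory)] [string] $Server,      # $[1]$SERVER
    [Parameter(Mandatory)] [string] $ServiceName  # $[1]$SERVICENAME
)

$account = "$Domain\$UserName"

# Escape the single quote before interpolating a secret field into a WQL filter.
$safeName = $ServiceName.Replace("'", "\'")
$service = Get-CimInstance -ClassName Win32_Service -ComputerName $Server `
    -Filter "Name='$safeName'"
if (-not $service) {
    throw "Service '$ServiceName' not found on $Server"
}

# Only touch a service that actually runs as the rotated account. A mismatch means
# the linked secret is mis-configured and must not be silently overwritten.
# (StartName is compared case-insensitively; a UPN-style StartName would need mapping.)
if ($service.StartName -ne $account) {
    throw "Service '$ServiceName' on $Server runs as '$($service.StartName)', not '$account'"
}

# Win32_Service.Change stores the new logon credential for the service.
$change = Invoke-CimMethod -InputObject $service -MethodName Change `
    -Arguments @{ StartName = $account; StartPassword = $Password }
if ($change.ReturnValue -ne 0) {
    throw "Win32_Service.Change on $Server/$ServiceName returned $($change.ReturnValue)"
}

# The running process keeps its old logon token; restart now so a later restart
# does not fail once the old password has expired.
if ($service.State -eq 'Running') {
    Invoke-CimMethod -InputObject $service -MethodName StopService | Out-Null
    Start-Sleep -Seconds 5
    $start = Invoke-CimMethod -InputObject $service -MethodName StartService
    if ($start.ReturnValue -ne 0) {
        throw "StartService on $Server/$ServiceName returned $($start.ReturnValue)"
    }
}

# Dependency output is recorded by Secret Server, so never echo $Password here.
Write-Output "Updated logon password for $account on $Server/$ServiceName"
```

The script throws on every failure path so that Secret Server marks the dependency as failed rather than reporting success while the service still holds the old password; the identity check before Change is what keeps a wrongly linked secret from rewriting an unrelated service's credential.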
Create a New Dependency Changer
From Delinea Documentation:
Create a New Dependency Changer for Synchronizing Passwords During RPC
Replace $url with the name of the machine hosting your Secret Server instance.
$url = 'http://MySecretServerURL/webservices/sswebservice.asmx'
# Arguments are passed in by the dependency, in this order:
# username, password, new password, comma-separated secret IDs, domain
$username = $Args[0]
$password = $Args[1]
$newpassword = $Args[2]
$secretIdArray = $Args[3]
$domain = $Args[4]
$proxy = New-WebServiceProxy -uri $url -UseDefaultCredential
# authenticate once and reuse the token for every secret below
$result1 = $proxy.Authenticate($username, $password, '', $domain)
if ($result1.Errors.length -gt 0) {
    $errors = $result1.Errors[0]
    Write-Debug "Errors result1: $errors"
    exit
} else {
    $token = $result1.Token
}
$secretIds = $secretIdArray -split ","
foreach ($secretId in $secretIds) {
    # load the secret (no settings/permissions, no code responses)
    $result2 = $proxy.GetSecret($token, $secretId, $false, $null)
    if ($result2.Errors.length -gt 0) {
        $errors = $result2.Errors[0]
        Write-Debug "Errors result2: $errors"
    } else {
        $secretName = $result2.Secret.Name
        Write-Debug "Updating Secret: $secretName"
        # overwrite every password-type field with the new password
        foreach ($item in $result2.Secret.Items) {
            if ($item.IsPassword) {
                $item.Value = $newpassword
            }
        }
        $secret = $result2.Secret
        $result3 = $proxy.UpdateSecret($token, $secret)
        if ($result3.Errors.length -gt 0) {
            $errors = $result3.Errors[0]
            Write-Debug "Errors result3: $errors"
        } else {
            Write-Debug "Updated Secret: $secretName"
        }
    }
}
References
- Searching Secret Server in PowerShell
- Create a New Dependency Changer for Synchronizing Passwords During RPC