pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License

Support for PKI and PKIPN Authentication #404

Closed pnewman364b closed 2 years ago

pnewman364b commented 2 years ago

Is your feature request related to a problem? Please describe. We make use of YubiKey authentication and would like to use that through our scripts that use psPAS.

Describe the solution you'd like The ability to authenticate using YubiKey(s).

Describe alternatives you've considered Using the CyberArk RestAPI and updating scripts to use some or none of the code developed using psPAS.

Additional context While we authenticate with YubiKey(s), it is only one part of our authentication. After authenticating through the YubiKey, the CyberArk logon page is configured then to ask for the end user's LDAP credentials.

pspete commented 2 years ago

Hi @pnewman364b - may have some time to start looking at this soon, can you provide some more context to better enable any development effort and configuration of the module's development environment?

What behaviour do you see when attempting authentication using a command like, or similar to, EXAMPLE 16 from the documentation?

New-PASSession -Credential $cred -BaseURI https://PVWA -type LDAP -Certificate $Certificate

Where $Certificate references a certificate object enumerated from the YubiKey?

pnewman364b commented 2 years ago

Thank you for responding. Below are my responses.

As for the behavior when attempting to authenticate using the certificate method: honestly, I had not tried it. When we use the YubiKey there is a PIN that has to be entered. Apologies for not initially including that info. Using the method you provided, I am pretty sure I am not using -Certificate correctly (not sure how the variable should be populated; tried the serial of the cert). Eventually I did try -CertificateThumbprint and that got me a 403 error of not being authenticated.

pspete commented 2 years ago

Initial iteration of this functionality now in the codebase under development for the next release.

If you are able to test, there is a dev build available here.

Also added this example, with which a certificate from a PIN protected YubiKey was able to be selected & used:

Add-Type -AssemblyName System.Security
# Get Valid Certs
$MyCerts = [System.Security.Cryptography.X509Certificates.X509Certificate2[]](Get-ChildItem Cert:\CurrentUser\My)
# Select Cert (interactive Windows certificate picker)
$Cert = [System.Security.Cryptography.X509Certificates.X509Certificate2UI]::SelectFromCollection(
    $MyCerts,
    'Choose a certificate',
    'Choose a certificate',
    'SingleSelection'
) | Select-Object -First 1

# $cred holds the LDAP credential, $url the PVWA base URI
New-PASSession -Credential $cred -BaseURI $url -type PKI -Certificate $Cert

All going well, will make it into the next release 👍
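For scripts that cannot show the SelectFromCollection dialog, the following is an added example (not code from psPAS or from this thread) that picks the YubiKey client-authentication certificate by filtering the store instead, then passes it to New-PASSession with -type PKI. It assumes the YubiKey PIV certificate is propagated into Cert:\CurrentUser\My with the Client Authentication EKU (1.3.6.1.5.5.7.3.2); the function name Select-PivClientAuthCertificate, its parameters, and the placeholder subject are hypothetical, and $cred and $url are supplied by the caller as in the thread.

```powershell
# Added example, not part of psPAS. Non-interactive certificate selection for PKI logon.
function Select-PivClientAuthCertificate {
    [CmdletBinding()]
    param(
        # Optional substring of the certificate Subject used to disambiguate (e.g. a UPN).
        [string]$SubjectMatch,
        # Optional exact thumbprint; takes precedence over SubjectMatch when supplied.
        [string]$Thumbprint
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $now = Get-Date

    $candidates = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        (-not $Thumbprint -or $_.Thumbprint -eq $Thumbprint) -and
        (-not $SubjectMatch -or $_.Subject -like "*$SubjectMatch*")
    } | Where-Object {
        # Keep only certificates whose EKU extension lists Client Authentication.
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
    }

    if (-not $candidates) {
        throw 'No valid client-authentication certificate with a private key in Cert:\CurrentUser\My. Is the YubiKey inserted?'
    }
    if (@($candidates).Count -gt 1) {
        $list = ($candidates | ForEach-Object { "$($_.Thumbprint) $($_.Subject)" }) -join "`n"
        throw "Ambiguous: $(@($candidates).Count) certificates match; pass -Thumbprint or -SubjectMatch.`n$list"
    }
    return $candidates
}

# Placeholder subject; Windows still prompts for the YubiKey PIN when the private key is
# used during the TLS handshake, so the PIN is never handled by this script.
$Cert = Select-PivClientAuthCertificate -SubjectMatch 'user@example.com'
try {
    New-PASSession -Credential $cred -BaseURI $url -type PKI -Certificate $Cert
}
catch {
    # Surface which certificate was presented so a 403, as reported earlier in this thread,
    # can be checked against the PVWA's certificate configuration.
    Write-Error "PKI logon with certificate $($Cert.Thumbprint) failed: $($_.Exception.Message)"
    throw
}
```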

pspete commented 2 years ago

@pnewman364b - added this in the 5.4 release, available via the usual channels now. Enjoy :)

pnewman364b commented 2 years ago

Thank you!
