Mordecai


Posts posted by Mordecai

  1. Hi @Santa

    Is the URL in your example correct? "DocumentName=<DocumentName>" will not work:

    -> $uri = "https://passwordstate/api/document/password/210?DocumentName=SomeName&DocumentDescription=SomeDescription"

    You could try the Passwordstate-Management PowerShell module (or check the source code).

    There exists a function called New-PasswordstateDocument; this should fit your use case.

     

    Module: PowerShell Gallery | passwordstate-management 4.4.48

    Example:

     

    New-PasswordStateDocument -ID 210 -resourcetype Password -DocumentName VeryImportantScript.ps1 -DocumentDescription "very important powershell script" -Path .\Find-Item.ps1
    
    DocumentID DocumentName
    ---------- ------------
    186        VeryImportantScript.ps1


    Result: (screenshot attachment)

  2. 11 hours ago, support said:

    Hello Rene,

     

    Thanks for making the URL available. Below is some feedback for that URL, and the one above with the Gifyu link.

    Provided URL
    The Username field (ID tag) for this URL is dynamic, which means it changes every time you visit the site. There are no guarantees that we can fill dynamic fields like this. Instead, if you configure the "UserName Field ID" on the password record to use Username (case sensitive), then this will work. We also look for the "name" tag, or the "class" tag as the last attempt - and all three of these tags need to be unique on the page.

    Keycloak URL

    To explain how the form filling works with our extensions, if you leave the Username and Password field IDs blank on your password record, our extensions try to find the appropriate fields and form fill them automatically. The behaviour in your Gifyu link is caused by the Username Field ID on your password record being blank, but then you are mapping the generic field to this same field on the web site.
     

    To make this work, do not use the Generic Field, and instead store the email address in Username field.

    Regards

    Click Studios


    Hi Support,

     

    Thanks for your quick help and support.

     

    Provided URL

    I now have "Username" (case sensitive) as the value at the URL for the "Username Field ID" under "Link Account to Multiple Web Site URLs", the browser extension is resynchronized, but the username is still not filled in, only the password. Same with a colleague. Of course I understand the problem with the dynamic fields, I just wonder why it works with other providers. This is not meant to be a criticism, I'm honestly just wondering how they have solved it (e.g. Bitwarden or KeePass with AutoType).

    (screenshot attachment)
     

    Keycloak URL

    Ok, thanks for the clarification. Can you implement the possibility to enter a value from a generic field into the username or password form fields even without a stored username/password field ID?
    Background: We have Active Directory users where we have to log in with one user on many websites. Most websites allow the samAccountName AND the UserPrincipalName in their configuration for the username on login.

    On some, however, only either the SAMAccountName OR the UPN is possible and you have to specify this explicitly on these websites. On another site, the mail attribute of the AD user is used as the username.
    So we would have to enter several password entries in Passwordstate for the same user, with the same password but different usernames and update them all on every password change. Although it is virtually the same user.
    This was the reason why we would like to write a GenericField "UPN" and a GenericField "Mail" with the corresponding values automatically via mapping into the username field on certain pages.

    Thanks, 

    René

     

  3. On 11/5/2023 at 9:35 PM, support said:

    Hi Rene,

     

    Thanks, but it does not look like the URL is publicly accessible - it times out with the error of "ERR_CONNECTION_TIMED_OUT".

    We are located in Australia - could that possibly be the issue?

    Regards

    Click Studios

    Can you please test it again? Geo blocking for Australia has been temporarily deactivated.

  4. OK, I have sent you a private message with one URL (a corporate one) that is publicly available.

    My colleagues and I have had another problem for a few versions (we guess), at least in Edge.
    If we map the username/password/OTP website fields to custom generic field values or the OTP field, the autofill works but is instantly overwritten by the default value.

    I have made a gif and two screenshots for this example. We are on the latest version. This happens on any website.

     

    In my example I have mapped the "Mail Address" generic field to the username website field and the default password field to the website password field.

    After pressing auto fill, the mail address and password are successfully inserted but are then overwritten by the default username field.

    It does not matter whether you add the URL + field mapping via "Multiple Website URLs" or as a single URL + mapping on the password entry. Auto Fill in the extension is disabled.

     

    Please also check the gif on the following link to see the problem. It is too big to upload here in the forum: passwordstate extension - Gifyu

    Thanks, René

     

     

    (screenshots: passwordstate_extension_fields.png, passwordstate_extension.png)

  5. On 10/26/2023 at 10:55 PM, support said:

    Hello Rene,

     

    Could you please provide us with a list of Web Site URLs that are not working for you, and we will do some testing?

     

    With the web sites were the ID's change, these are quite difficult to work around, and we have to be very careful about not form filling the wrong input elements - but we will do some testing regardless.

     

    Thanks

    Click Studios


    Unfortunately I can't provide you with URLs to the websites, because 99% of them are internal websites or products that are only available internally.
    My above example is from the OTRS 8 software, a ticketing and ITSM tool we are using: Service management solution. Flexible & customizable | OTRS
     

    If we use e.g. KeePass, BitWarden, 1Password or other tools with AutoType and/or browser extensions, the auto fill works on these sites. I suspect that in that case they ignore the ID field and use Name, Type or Class.

    René

  6. Hi @support

    We have updated to build V9.8 (Build 9823) and a few colleagues are also using browser extension version 9824 (which should be the latest in the Chrome/Edge store, at least).
    The issue still exists in our environment on a few sites. On most sites it is working fine.
    However, a few weeks ago it worked on the pages that do not work today.

     

    One site has a random field id for the username field. Could this lead to a problem?

    HTML for Username and Password field: 

    <input id="formInput-209461b0-73ee-11ee-838a-3de2c564c20e" name="Username" type="text" placeholder="User name*" autocomplete="username" class="Form__Input form-control" aria-label="Username">
    
    <input id="formInput-20952501-73ee-11ee-838a-3de2c564c20e" name="Password" type="password" placeholder="Password*" autocomplete="off" class="Form__Input form-control" allow-pasting="true">


    If you reload the page, the id changes. So we cannot map the field using the browser extension "Map fields" feature.

    (url redacted)
    (screenshot attachment)

    If we leave the mapping of both fields empty, the password field will successfully be inserted using auto fill, but not the username.

    So the problem cannot be related to the id field, since the auto fill of the password field is working.

    Any ideas?

    Thanks,
    René
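The post above shows a username field whose id contains a UUID that changes on every page load, while the name and autocomplete attributes stay the same. As an added example (not Click Studios code and not how the extension is implemented), the following PowerShell function looks at a set of `<input>` tags, flags ids that embed a UUID as dynamic, and reports the first attribute (id, name, autocomplete, class) that is both present and unique on the page, which is the kind of attribute a field mapping can safely rely on. The attribute parser, the preference order and the sample tags are assumptions; the sample tags are the two quoted in the post.

```powershell
# Added example: decide which attribute of an <input> element is stable enough
# to map a username/password field when the id is regenerated per page load.
# This is illustrative code, not the browser extension's logic.
function Get-StableFieldAttribute {
    param(
        [Parameter(Mandatory)][string[]]$InputTags   # raw <input ...> tags
    )
    # An id that embeds a UUID (e.g. formInput-209461b0-73ee-11ee-...) changes
    # on every visit and is therefore useless as a mapping key.
    $dynamicIdPattern = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'

    # Minimal attr="value" parser, sufficient for the markup shown above
    # (not a general HTML parser). Keys are lower-cased.
    $parsed = foreach ($tag in $InputTags) {
        $attrs = @{}
        foreach ($m in [regex]::Matches($tag, '([\w:-]+)="([^"]*)"')) {
            $attrs[$m.Groups[1].Value.ToLower()] = $m.Groups[2].Value
        }
        $attrs
    }

    foreach ($field in $parsed) {
        $id = $field['id']
        $idIsDynamic = [bool]($id -and $id -match $dynamicIdPattern)

        # Preference order: id (only if stable), then name, autocomplete, class.
        # A candidate must be unique across all inputs on the page to be usable.
        $candidate = $null
        foreach ($key in 'id', 'name', 'autocomplete', 'class') {
            if ($key -eq 'id' -and $idIsDynamic) { continue }
            $value = $field[$key]
            if (-not $value) { continue }
            $count = @($parsed | Where-Object { $_[$key] -eq $value }).Count
            if ($count -eq 1) { $candidate = "$key=$value"; break }
        }

        [pscustomobject]@{
            Id          = $id
            IdIsDynamic = $idIsDynamic
            Type        = $field['type']
            MapBy       = $candidate   # $null when no unique attribute exists
        }
    }
}

# Constructed input: the two tags quoted in the post above.
$sampleTags = @(
    '<input id="formInput-209461b0-73ee-11ee-838a-3de2c564c20e" name="Username" type="text" placeholder="User name*" autocomplete="username" class="Form__Input form-control" aria-label="Username">',
    '<input id="formInput-20952501-73ee-11ee-838a-3de2c564c20e" name="Password" type="password" placeholder="Password*" autocomplete="off" class="Form__Input form-control" allow-pasting="true">'
)
Get-StableFieldAttribute -InputTags $sampleTags | Format-Table -AutoSize
```

For the two sample tags both ids are flagged as dynamic, the shared class value is rejected as non-unique, and the function reports `name=Username` and `name=Password` as the usable mapping keys, which matches the support reply above that the name attribute is tried when the configured field id is not found.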

  7. hi @support

     

    For some of our automation use cases, we need the ability to dynamically create password lists. But we don't want to make the System Wide API Key generally known to so many people for this.

     

    Can you integrate a way to allow password lists to be created without System Wide API Keys? e.g. by using an API Key on an existing folder?

    So you would only have to create a folder for the colleagues and assign an API Key to this folder, and with this API Key the employees could create as many password lists as they want, but only in this folder.


    Thanks,
    René

     

  8. Hi @Emil Gullbrandsson @support,

     

    Edit: @support OK, we have found the problem. In one specific OU a computer object exists with Operating System "NetApp Release 9.9.1P10" and perhaps a few custom attributes, since it is a non-Windows device. I think this should be a bug, since this computer object should not get discovered and should not crash the discovery job. (NetApp xx is not part of your operatingSystem list.)

     

    We are currently getting the same error message for a new Active Directory domain. For some other domains the host discovery jobs work without any problems for years now.

    Were you able to solve the problem or do you have a hint for us what could be the reason? Any other jobs in this domain are working (Password Heartbeat/Reset, User/Security Group Import etc.).

     

    On some Computer Objects the Operating System field is empty. Could it be related to this empty OS field on the AD computer object?

    OUs are correct.

    The method in your script searches for the OS given in the discovery job.
    -> PasswordstateService.PasswordstateService.DiscoverHosts(String FQDN, String OU, String RecurseChildOUs, String OperatingSystems, String LastLogonDate, String PrivilegedAccountUserName, String PrivilegedAccountPassword, Boolean LDAP)

     

    Edit2:

    Here is the object information of the computer object on which Passwordstate throws the error (using the [System.DirectoryServices.DirectorySearcher] class).

     

    Name                           Value
    ----                           -----
    logoncount                     {690}
    codepage                       {0}
    objectcategory                 {CN=Computer,CN=Schema,CN=Configuration,DC=xx,DC=domain,DC=com}
    iscriticalsystemobject         {False}
    operatingsystem                {NetApp Release 9.9.1P10}
    usnchanged                     {2100058}
    instancetype                   {4}
    name                           {host-name}
    badpasswordtime                {0}
    pwdlastset                     {133219773656645289}
    serviceprincipalname           {HOST/host-name.xx.domain.com, HOST/HOST-NAME}
    objectclass                    {top, person, organizationalPerson, user...}
    badpwdcount                    {0}
    samaccounttype                 {805306369}
    lastlogontimestamp             {133264206811903765}
    usncreated                     {1769671}
    objectguid                     {145 HIDDEN}
    localpolicyflags               {0}
    whencreated                    {27.02.2023 12:50:46}
    adspath                        {LDAP://CN=HOST-NAME,CN=Computers,DC=xx,DC=domain,DC=com}
    useraccountcontrol             {4096}
    cn                             {HOST-NAME}
    countrycode                    {0}
    primarygroupid                 {515}
    whenchanged                    {19.04.2023 23:31:21}
    dnshostname                    {HOST-NAME.XX.DOMAIN.COM}
    dscorepropagationdata          {01.01.1601 00:00:00}
    lastlogon                      {133268950003840410}
    distinguishedname              {CN=HOST-NAME,CN=Computers,DC=xx,DC=domain,DC=com}
    msds-supportedencryptiontypes  {6}
    samaccountname                 {HOST-NAME$}
    objectsid                      {1 5 0 0 0 0 0 5 21 0 0 0 14 175 155 174 105 HIDDEN}
    lastlogoff                     {0}
    accountexpires                 {9223372036854775807}


    Thanks,
    René
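The discovery failure above comes from a computer object whose operatingSystem value is outside the configured list (and the post also asks about objects with an empty operatingSystem attribute). As an added example (not Passwordstate code, and not the DiscoverHosts method named above), the following function shows a defensive way to apply an OS pattern list to DirectorySearcher-style results: an empty attribute and an unexpected value such as "NetApp Release 9.9.1P10" are skipped with a verbose message instead of aborting the run. The pattern list, the object shape and the sample data are constructed assumptions.

```powershell
# Added example: filter AD computer objects by operating system without
# letting an empty or unexpected operatingSystem value break the whole job.
function Select-DiscoverableComputer {
    param(
        # Objects exposing .Properties like a DirectorySearcher SearchResult
        # (lower-cased attribute names, each value a collection).
        [Parameter(Mandatory)][object[]]$Computers,
        # Wildcard patterns in the style of a discovery job, e.g. 'Windows Server*'.
        [Parameter(Mandatory)][string[]]$OperatingSystems
    )
    foreach ($c in $Computers) {
        # Multi-valued attributes come back as collections; index [0] on an
        # empty collection is exactly the kind of access that throws, so only
        # take the first value when there is one.
        $osValues = @($c.Properties['operatingsystem'])
        $os   = if ($osValues.Count -gt 0) { [string]$osValues[0] } else { '' }
        $name = [string](@($c.Properties['dnshostname'])[0])

        if ([string]::IsNullOrWhiteSpace($os)) {
            Write-Verbose "Skipping $name : operatingSystem attribute is empty"
            continue
        }
        $matched = $OperatingSystems | Where-Object { $os -like $_ } | Select-Object -First 1
        if (-not $matched) {
            Write-Verbose "Skipping $name : '$os' matches no configured pattern"
            continue
        }
        [pscustomobject]@{
            DnsHostName     = $name
            OperatingSystem = $os
            MatchedPattern  = $matched
        }
    }
}

# Constructed sample data in the shape DirectorySearcher returns. The NetApp
# entry mirrors the object from the post; the last one has no OS attribute.
$sample = @(
    @{ Properties = @{ dnshostname = @('srv01.xx.domain.com');     operatingsystem = @('Windows Server 2019 Standard') } },
    @{ Properties = @{ dnshostname = @('host-name.xx.domain.com'); operatingsystem = @('NetApp Release 9.9.1P10') } },
    @{ Properties = @{ dnshostname = @('legacy.xx.domain.com');    operatingsystem = @() } }
)
Select-DiscoverableComputer -Computers $sample -OperatingSystems 'Windows Server*', 'Windows 10*' -Verbose
```

Only srv01 is returned; the NetApp object and the object without an OS are reported via -Verbose and skipped. Filtering on the LDAP side as well, for example with an `(operatingSystem=Windows Server*)` clause in the DirectorySearcher filter, keeps such objects from being retrieved in the first place, but the client-side guard still matters because attributes can be empty or edited to arbitrary values.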

  9. Hi @support,

    In other password managers (e.g. KeePass) it is possible to use an additional username instead of the original username inside one password record.

    Example: 
    Username: surname.lastname

    Additional Username: surname.lastname@domain.com

    Additional Username: domain\surname.lastname

    Currently I need to add two (or more) password records inside Passwordstate with different usernames and the same password in order to use different usernames on different websites (using the browser extension) for the same account.
    On some sites, if using Active Directory integrated authentication, sometimes the domain name must be applied in the username field during logon. 

    Alternatively to this suggestion, another possible integration would be to automatically append the domain and offer it as an option in the browser extension (for accounts that are assigned to a domain in Passwordstate) or in the passwordstate website (Copy Username, Copy Username with Domain etc.).

    Thanks,

    René

  10. Hi @David Tawater

    I am one of the people contributing to the development of the Passwordstate-Management PowerShell module.
    As far as I know, there is currently no method to perform a health check.

    We are using the Passwordstate-Management module in all of our pipelines.
    Currently, as a workaround, we are using the searchpasswords API method with a "static" password list + a password entry named "APITest". 
    This test entry will never get deleted and we are using it to test if the API is reachable and if we are getting correct answers.
    But we cannot test if any API Key is correct, only the one specified for this test list. (You could also create a test entry in each list, but I don't know if it's worth the effort.)
    When using the searchpasswords method, you can also add the PreventAuditing option.


    You can of course, also use another search parameter instead of the title.
     

    https://passwordstate.localdomain/api/searchpasswords/1?Title=apitest&PreventAuditing=true
    
    (or with the module)
    Get-PasswordStatepassword -Title apitest -PasswordListID 1 -PreventAuditing -Verbose
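The workaround described above (query a static test entry via searchpasswords with PreventAuditing) can be wrapped into a small check that a pipeline can fail fast on. The following PowerShell function is an added example and is not part of the Passwordstate-Management module; the test list ID 1 and the title "apitest" mirror the post, while the "APIKey" request header, the timeout handling and the shape of the result are assumptions that you should verify against your own installation.

```powershell
# Added example: API reachability check built on the searchpasswords call
# described above. Not part of the Passwordstate-Management module.
function Test-PasswordstateApi {
    param(
        [Parameter(Mandatory)][string]$BaseUri,   # e.g. https://passwordstate.localdomain
        [Parameter(Mandatory)][string]$ApiKey,    # API key of the static test list
        [int]$PasswordListId = 1,
        [string]$Title = 'apitest',
        [int]$TimeoutSec = 10
    )
    # Same query as in the post; the title is URL-encoded to be safe.
    $uri = '{0}/api/searchpasswords/{1}?Title={2}&PreventAuditing=true' -f `
        $BaseUri.TrimEnd('/'), $PasswordListId, [uri]::EscapeDataString($Title)

    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # Assumption: the key is sent in an "APIKey" header; adjust if your
        # installation expects something else.
        $result = Invoke-RestMethod -Uri $uri -Method Get `
            -Headers @{ APIKey = $ApiKey } -TimeoutSec $TimeoutSec
        $sw.Stop()
        # A reachable API with a valid key returns the test record. A valid key
        # whose test entry was deleted returns nothing, which is also a failure.
        $found  = @($result | Where-Object { $_.Title -eq $Title }).Count -gt 0
        $status = if ($found) { 'OK' } else { 'API reachable but test entry not returned' }
        [pscustomobject]@{
            Healthy   = $found
            Reachable = $true
            Status    = $status
            ElapsedMs = $sw.ElapsedMilliseconds
        }
    }
    catch {
        $sw.Stop()
        # Distinguish "cannot reach" (no HTTP response) from "reached but
        # rejected" (e.g. 401/403) so an expired key is reported differently
        # from an outage.
        $code = $null
        if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }
        $status = if ($code) { "HTTP $code : $($_.Exception.Message)" } else { $_.Exception.Message }
        [pscustomobject]@{
            Healthy   = $false
            Reachable = ($null -ne $code)
            Status    = $status
            ElapsedMs = $sw.ElapsedMilliseconds
        }
    }
}

# Usage with a placeholder key (constructed; replace with the test list's key):
# Test-PasswordstateApi -BaseUri 'https://passwordstate.localdomain' -ApiKey '<test list api key>'
```

Because the key belongs only to the static test list, a successful result proves reachability and that this one key works, which is exactly the limitation the post describes; it says nothing about the keys used elsewhere in the pipeline.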


     

  11. @GeoffO
    We have internally built a workaround for this using the API, as already mentioned by @Buckit. We are using Microsoft SCCM/MECM for deploying our Windows servers. During OS installation we connect to Passwordstate, create the host entry based on data generated from the host's system information, then create new local administrator accounts in Passwordstate and add this newly created host to these passwords. The newly created accounts in Passwordstate are also used to create these accounts locally during OS deployment.
    We also check if the host already exists. (e.g. for a new installation of a server). Then the host is first deleted and then created again.

    I have pulled out a small part of the scripts, maybe this helps you. The following few lines create a new PasswordState host based on some system information which is read automatically (The generation of the hostname or the primary IP address may not fit in your environment, but then you can simply adapt it for you). Tested with Windows Server 2016/2019.
     


    Note: I use the Powershell module "PasswordState-Management" for this, as I am also one of the co-authors for it.

     

    # Passwordstate Host URL
    $PasswordManagerURL = 'https://passwordstate.local'
    # Hosts Api Key found in the administration area - system settings - api
    $HostsApiKey = ''
    
    # Import needed powershell module
    Import-Module PasswordState-Management
    
    # Set Environment for Hosts Creation
    Set-PasswordStateEnvironment -Uri $PasswordManagerURL -Apikey $HostsApiKey
    
    # Collect System Data
    $HostsData = @{
        HostName                   = [System.Net.DNS]::GetHostByAddress(([System.Net.DNS]::GetHostAddresses([System.Environment]::MachineName) | Where-Object { $_.AddressFamily -eq "InterNetwork" } | Select-Object IPAddressToString)[0].IPAddressToString).HostName.ToLower()
        HostType                   = "Windows"
        OperatingSystem            = (Get-CimInstance win32_operatingsystem).Caption.replace('Microsoft ', '')
        RemoteConnectionType       = "RDP"
        RemoteConnectionPortNumber = 3389
        Tag                        = "<insert your tag for adding new host to folder here>"
        #Title                      = [System.Net.DNS]::GetHostByAddress(([System.Net.DNS]::GetHostAddresses([System.Environment]::MachineName) | Where-Object { $_.AddressFamily -eq "InterNetwork" } | Select-Object IPAddressToString)[0].IPAddressToString).HostName.ToLower()
        Title                      = [System.Environment]::MachineName.ToLower()
        SiteID                     = 0
        InternalIP                 = ([System.Net.DNS]::GetHostAddresses([System.Environment]::MachineName) | Where-Object { $_.AddressFamily -eq "InterNetwork" } | Select-Object IPAddressToString)[0].IPAddressToString
        MacAddress                 = (Get-CimInstance win32_networkadapterconfiguration | Where-Object { $_.DefaultIPGateway -ne $null })[0].macaddress
        Notes                      = "Created: $('{0:yyyy-MM-dd HH:mm:ss}' -f (Get-Date))"
        SessionRecording           = $false
        VirtualMachine             = $true
        VirtualMachineType         = "VMware"
    }
    
    # Create Host based on given system data
    $PasswordStateHost = New-PasswordStateHost @HostsData


     

  12. Hi @support

     

    The title is perhaps a little bit misleading, but in our environment the name "Google Authenticator" or "HOTP"/"TOTP" confuses a lot of our employees. Here is an example of the login screen:
    (screenshot: 2FA.jpg)

    (I have also another open feature request about the customization of the 2FA part, see here)

     

     

    It would be really, really helpful for us if you could set in the Authentication Options (or elsewhere) configuration what to call these 2FA verification titles. 

    You can use any of the 2FA apps available on the market and you do not need to use "Google Authenticator". You could use OTP Auth for iPhone, Microsoft Authenticator, Fortinet Authenticator or any other app with Passwordstate.
    So this confuses a lot of employees, who think they have to install another app for two-factor verification.

    So, my question, can we add a configuration option for changing the name of "Google Authenticator" (Also HOTP/TOTP) and "Google verification" to a customized name? (Default will be Google) Or just the word "Google"?
    Or can you already customize it somewhere in the database?

     

    Thanks,

    René

  13. @support

    +1 

    It would be really nice if, as admin in Passwordstate, you could change the options that are used in the RemoteSpark HTML5 launcher (http://www.remotespark.com/html5.html).
    At the RemoteSpark Demo page (http://www.remotespark.com/view/rdp.html) under the Advanced Tab, you can change the options. 

     

    It would be great if you could somehow set these options in the Passwordstate Administration menu or in the gateway.conf and activate them separately (disabled by default).
