Does PowerShell not like UPN authentication?

Moving to “E-mail” based login is all the rage. Recently a large customer wanted to use the e-mail address as the login. A new User Principal Name (UPN) suffix was created, so the UPN suffix did not match the domain and the left-hand side did not match the sAMAccountName. No big deal, things worked fine… right up until we needed to have the end user enter their credentials into an automation script. I’ll explain “why” in another post; for now, it just “had to happen”. Then we found a problem: Get-Credential didn’t work so well for us. Or maybe I should say that Start-Process would not start a process with the UPN credentials.

Let’s start with some very simple PowerShell code:

    $creds = Get-Credential
    Start-Process -Credential $creds -FilePath notepad.exe -WorkingDirectory c:\temp

Try this on your machine using your UPN and you will see:

    Start-Process : This command cannot be run due to the error: Logon failure: unknown user name or bad password.
    At C:\Scripts\test6.ps1:2 char:1
    + Start-Process -Credential $creds -FilePath notepad.exe -WorkingDirectory c:\temp
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOperationException
        + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand

Try it again with domain\user and you will see a notepad window appear.

But I really REALLY needed the end user to put in those credentials. This is in a migration, and the credentials I needed to have were the target credentials, to support the ability to cache and preserve the credentials during the workstation migration (more on that in a later blog post as well).

Someone, in some post, somewhere, said that the .NET Process class could authenticate with a UPN (if I find the reference, I will add the link). Being a C# coder, I decided to give that a whirl. Yes, you can do .NET in PowerShell, but I knew I would need help, and Visual Studio 2017 does a much better job of getting me help than ISE or my copy of SAPIEN PowerShell Studio 2019.

I read a lot of Google posts, and after a bit of work, came up with this code to do the job. You can see I borrowed the shell of this from Microsoft:

    // Requires: using System; using System.Diagnostics; using System.Security; using System.Windows.Forms;
    private void goButton_Click(object sender, EventArgs e)
    {
        try
        {
            using (Process myProcess = new Process())
            {
                // UseShellExecute must be false to start a process as another user
                myProcess.StartInfo.UseShellExecute = false;
                // You can start any process
                myProcess.StartInfo.FileName = "C:\\windows\\system32\\notepad.exe";
                myProcess.StartInfo.CreateNoWindow = true;
                // The UPN goes in UserName as-is; Domain is left unset
                myProcess.StartInfo.UserName = upnTB.Text;

                // Copy the text box password into a SecureString, one character at a time
                String myPassword = passwordTB.Text;
                SecureString securePwd = new SecureString();
                //char[*] val;
                for (int i = 0; i < myPassword.Length; i++)
                {
                    char key = myPassword[i];
                    securePwd.AppendChar(key);
                }
                myProcess.StartInfo.Password = securePwd;

                String tempPath = @"c:\Temp"; //Path.GetTempPath();
                myProcess.StartInfo.WorkingDirectory = tempPath;
                myProcess.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
                myProcess.Start();
            }
        }
        catch (Exception ex)
        {
            // Logon failures (bad user name or password) surface here
            Console.WriteLine(ex.Message);
            string m = "Error on user/password: " + ex.Message;
            MessageBox.Show(m);
        }
    }

The result? Success! This takes my user and password from my dialog, feeds them to the Process, and even using UPN, it runs notepad in the background, and caches the credentials that I need caching.
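The same .NET call can be made from PowerShell, which keeps the password as the SecureString that Get-Credential returns instead of passing it through a plain-text string. This is an added example, not code from the original post; the function name Start-ProcessAsUpn and the C:\Temp default are assumptions. It relies on the documented ProcessStartInfo rule that a UPN goes in UserName with Domain left null.

```powershell
# Added example: hypothetical helper, not part of the original post.
function Start-ProcessAsUpn {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [System.Management.Automation.PSCredential] $Credential,
        [Parameter(Mandatory)] [string] $FilePath,
        [string] $WorkingDirectory = 'C:\Temp'   # assumed path the target user can read
    )

    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName         = $FilePath
    $psi.WorkingDirectory = $WorkingDirectory
    $psi.UseShellExecute  = $false   # required when UserName/Password are set

    $name = $Credential.UserName
    if ($name -match '^(?<domain>[^\\@]+)\\(?<user>[^\\]+)$') {
        # DOMAIN\user form: split into the two properties
        $psi.Domain   = $Matches['domain']
        $psi.UserName = $Matches['user']
    }
    elseif ($name -match '^[^@\\]+@[^@\\]+$') {
        # UPN form: the whole string goes in UserName and Domain stays null
        $psi.UserName = $name
    }
    else {
        throw "Expected user@suffix or DOMAIN\user, got '$name'."
    }

    # SecureString straight from the credential prompt; never converted to plain text
    $psi.Password = $Credential.Password

    try {
        return [System.Diagnostics.Process]::Start($psi)
    }
    catch {
        # PowerShell wraps the .NET exception; unwrap it to read the Win32 code
        $base = $_.Exception.GetBaseException()
        if ($base -is [System.ComponentModel.Win32Exception] -and $base.NativeErrorCode -eq 1326) {
            throw "Logon failure for '$name' (ERROR_LOGON_FAILURE, 1326)."
        }
        throw
    }
}

$creds = Get-Credential
$proc  = Start-ProcessAsUpn -Credential $creds -FilePath "$env:windir\System32\notepad.exe"
```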