Using Powershell with TSS - NETSEC



Cybersecurity Memo

Thursday, April 7, 2022

Using Powershell with TSS

Secret Server includes many pre-configured Password Changers that are used by the Remote Password Change (RPC) process, including ones implemented as PowerShell scripts.

Searching Secret Server in PowerShell

Secret Server webservices can be called using scripts. To authenticate and search for a secret in PowerShell, use the procedure below.

  1. Save the script below to a file, such as searchsecret.ps1.
  2. Change the script as needed to match your Secret Server and username/password/domain.
  3. Change the $searchterm to match your search.
  4. Open a command window (cmd.exe).
  5. Navigate to the same directory as searchsecret.ps1.
  6. Run the script by using .\searchsecret.ps1 OR powershell .\searchsecret.ps1.

$url = 'http://mysecretserver/webservices/sswebservice.asmx';
$username = 'myusername'
$password = 'mypassword'
$domain = 'mydomain'   # leave blank for local users
$searchterm = 'VPN'
$proxy = New-WebServiceProxy -uri $url -UseDefaultCredential
# get a token for further use by authenticating using username/password
$result1 = $proxy.Authenticate($username, $password, '', $domain)
if ($result1.Errors.length -gt 0){
    # authentication failed; report the first error and stop
    Write-Host 'Errors: ' $result1.Errors[0]
} else {
    $token = $result1.Token
    # search secrets with our searchterm (authenticate by passing in our token)
    Write-Host 'Searching for: ' $searchterm
    $result2 = $proxy.SearchSecrets($token, $searchterm, $null, $null)
    if ($result2.Errors.length -gt 0){
        Write-Host 'Errors: ' $result2.Errors[0]
    } else {
        Write-Host 'Got search results: ' $result2.SecretSummaries.length
        # If you want the data as XML
        # $xml = convertto-xml $result2.SecretSummaries -As string -Depth 20
        # $xml
        $result2.SecretSummaries | ForEach-Object { Write-Host 'SecretId:' $_.SecretId '  Name:' $_.SecretName  ' FolderId:' $_.FolderId }
        # To dump the full first summary object instead:
        # if ($result2.SecretSummaries.length -gt 0) {
        #     $result2.SecretSummaries[0]
        # }
    }
}
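The same search as an added example (not code from the original post or from Delinea's documentation), rewritten so that credentials never sit in plaintext in a .ps1 file: it prompts with Get-Credential, refuses non-HTTPS endpoints (the Authenticate call sends the password in the SOAP body), and returns objects rather than writing to the host. The function name Search-TssSecret, its parameter names and the hostname secretserver.example.com are assumptions; the web-service methods Authenticate and SearchSecrets and the Errors, Token and SecretSummaries properties are the ones the script above uses. It needs Windows PowerShell 5.1, where New-WebServiceProxy is available.

```powershell
# Added example: search Secret Server over SOAP without hard-coded credentials.
# Assumptions: function/parameter names and the hostname are placeholders;
# requires Windows PowerShell 5.1 (New-WebServiceProxy is not in PowerShell 7).
function Search-TssSecret {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SearchTerm,
        # https keeps the username/password passed to Authenticate() off the wire in clear text
        [string] $Url = 'https://secretserver.example.com/webservices/sswebservice.asmx',
        # prompting keeps the password out of the script file and out of shell history
        [pscredential] $Credential = (Get-Credential -Message 'Secret Server login'),
        [string] $Domain = ''   # leave blank for local Secret Server users
    )

    if ($Url -notmatch '^https://') {
        throw "Refusing to send credentials to a non-HTTPS endpoint: $Url"
    }

    $proxy = New-WebServiceProxy -Uri $Url -UseDefaultCredential

    # Authenticate once and reuse the returned token for the following calls.
    $plainPassword = $Credential.GetNetworkCredential().Password
    $auth = $proxy.Authenticate($Credential.UserName, $plainPassword, '', $Domain)
    $plainPassword = $null
    if ($auth.Errors.Length -gt 0) {
        throw "Authentication failed: $($auth.Errors[0])"
    }

    $result = $proxy.SearchSecrets($auth.Token, $SearchTerm, $null, $null)
    if ($result.Errors.Length -gt 0) {
        throw "Search failed: $($result.Errors[0])"
    }

    # Emit objects so callers can filter or export them instead of parsing host output.
    foreach ($summary in $result.SecretSummaries) {
        [pscustomobject]@{
            SecretId   = $summary.SecretId
            SecretName = $summary.SecretName
            FolderId   = $summary.FolderId
        }
    }
}

# Usage (prompts for credentials):
# Search-TssSecret -SearchTerm 'VPN' | Format-Table -AutoSize
```

Because the function returns objects, the result can be piped to Where-Object or Export-Csv, and a failed login or search surfaces as a terminating error instead of a Write-Host line that a calling job would miss.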

Using Secret Fields in Scripts

Secret Server supports using PowerShell, SSH, and SQL scripts as dependencies on a secret. These scripts can use information from the secret through the field name prefixed with a $, for example $DOMAIN, $PASSWORD, or $USERNAME. Fields of linked secrets are accessible as $[1]$FIELDNAME for the first linked secret, $[2]$FIELDNAME for the second, and so on.

There are two contexts in which script dependencies run:

For a complete list of tokens that are available to script dependencies, see List of Dependency Tokens.
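A dependency script that consumes those tokens, as an added example (not from the original post or from Delinea's documentation). Secret Server substitutes the tokens in the dependency's script arguments and the script reads them positionally, the same way the RPC script later on this page reads $Args[0] through $Args[4]. The argument order assumed here is $MACHINE $DOMAIN $USERNAME $PASSWORD $[1]$USERNAME $[1]$PASSWORD followed by a literal service name: the first four come from the rotated Windows account secret, the two $[1] tokens from an administrative account linked as the first linked secret and used only to open the remote CIM session. The script updates the logon password of that service and restarts it; the parameter names are assumptions.

```powershell
# Added example: PowerShell dependency script that updates a Windows service's
# logon password after Secret Server rotates the service account's password.
# Assumed Script Args on the dependency (tokens substituted by Secret Server):
#   $MACHINE $DOMAIN $USERNAME $PASSWORD $[1]$USERNAME $[1]$PASSWORD MyServiceName
# Note: an empty Domain field would shift the positional arguments, so use a
# template where Domain is populated ('.' for a local account).
param(
    [Parameter(Mandatory)] [string] $Machine,
    [Parameter(Mandatory)] [string] $Domain,
    [Parameter(Mandatory)] [string] $ServiceUser,
    [Parameter(Mandatory)] [string] $ServicePassword,
    [Parameter(Mandatory)] [string] $AdminUser,
    [Parameter(Mandatory)] [string] $AdminPassword,
    [Parameter(Mandatory)] [string] $ServiceName
)

$ErrorActionPreference = 'Stop'
$failed = $false

# Credential for the remote session, built from the linked (admin) secret.
$adminSecure = ConvertTo-SecureString $AdminPassword -AsPlainText -Force
$adminCred   = New-Object System.Management.Automation.PSCredential ($AdminUser, $adminSecure)

# Service logon account in DOMAIN\user form; '.' denotes a local account.
$logonAccount = "$Domain\$ServiceUser"

$session = New-CimSession -ComputerName $Machine -Credential $adminCred
try {
    $service = Get-CimInstance -CimSession $session -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $service) { throw "Service '$ServiceName' not found on $Machine" }

    # Only touch a service that actually runs as the rotated account.
    if ($service.StartName -ne $logonAccount) {
        throw "Service '$ServiceName' runs as '$($service.StartName)', not '$logonAccount'; refusing to change it"
    }

    # Win32_Service.Change writes the new logon credentials into the Service Control Manager.
    $change = Invoke-CimMethod -InputObject $service -MethodName Change -Arguments @{
        StartName     = $logonAccount
        StartPassword = $ServicePassword
    }
    if ($change.ReturnValue -ne 0) {
        throw "Win32_Service.Change failed with return code $($change.ReturnValue)"
    }

    # Restart so the running service picks up the new password.
    if ($service.State -eq 'Running') {
        $stop = Invoke-CimMethod -InputObject $service -MethodName StopService
        if ($stop.ReturnValue -ne 0) { throw "StopService failed with return code $($stop.ReturnValue)" }
        Start-Sleep -Seconds 5
        $start = Invoke-CimMethod -InputObject $service -MethodName StartService
        if ($start.ReturnValue -ne 0) { throw "StartService failed with return code $($start.ReturnValue)" }
    }
    Write-Output "Updated logon password for service '$ServiceName' on $Machine"
}
catch {
    # Never echo $ServicePassword or $AdminPassword here; the error text is logged by Secret Server.
    Write-Error $_
    $failed = $true
}
finally {
    Remove-CimSession $session
}

# A non-zero exit code marks the dependency run as failed in Secret Server.
if ($failed) { exit 1 }
```

The StartName check is the guard worth keeping: it stops a mis-linked dependency from re-pointing an unrelated service at the rotated account, and the error paths never include either password so the dependency log stays safe to read.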

Create a New Dependency Changer

From Delinea Documentation: 

Create a New Dependency Changer for Synchronizing Passwords During RPC

Replace $url with the name of the machine hosting your Secret Server instance.

$url = 'http://MySecretServerURL/webservices/sswebservice.asmx';
# arguments are supplied by Secret Server in this order: username, password, new password, secret IDs, domain
$username = $Args[0]
$password = $Args[1]
$newpassword = $Args[2]
$secretIdArray = $Args[3]
$domain = $Args[4]
$proxy = New-WebServiceProxy -uri $url -UseDefaultCredential
$result1 = $proxy.Authenticate($username, $password, '', $domain)
if ($result1.Errors.length -gt 0){
    $errors = $result1.Errors[0]
    Write-Debug "Errors result1: $errors"
} else {
    $token = $result1.Token
    # comma-separated list of secret IDs whose password field should be set to the new password
    $secretIds = $secretIdArray -split ","
    foreach($secretId in $secretIds){
        $result2 = $proxy.GetSecret($token, $secretId, $false, $null)
        if ($result2.Errors.length -gt 0){
            $errors = $result2.Errors[0]
            Write-Debug "Errors result2: $errors"
        } else {
            $secretName = $result2.Secret.Name
            Write-Debug "Updating Secret: $secretName"
            # replace every password-type field on the secret
            foreach ($item in $result2.Secret.Items) {
                if($item.IsPassword) {
                    $item.Value = $newpassword
                }
            }
            $secret = $result2.Secret
            $result3 = $proxy.UpdateSecret($token, $secret)
            if ($result3.Errors.length -gt 0) {
                $errors = $result3.Errors[0]
                Write-Debug "Errors result3: $errors"
            } else {
                Write-Debug "Updated Secret: $secretName"
            }
        }
    }
}

