Securing custom web service OTP PM5.9.5

We are using 1IM to generate a passcode for a new user, which is then published to Password Manager, i.e.
https://PMTest.domain.local/PMUser/ws/setpasscode?user=[sAMAccountName]&domain=[ADDomain]&passcode=5yth567x

This works fine and the user in question could use the OTP.

The account used to authenticate to Password Manager when executing the web service can be a “standard end-user” who is not a member of the Helpdesk group, and the new passcode is still assigned properly.

Does anyone have a clue how to secure the web call so that only members of the Password Manager Helpdesk group are allowed to perform this action?

  • When turning on the option in the web service for "This web service requires authentication" this causes IIS to authenticate the user and to pass along the user name to the web service PowerShell code. IIS is simply going to verify that the username and password that are presented in the web request are valid credentials in AD and then pass the web request over to the web service code. It will then be up to the web service code to perform any additional validations / verifications on the authenticated user. One of these checks could be to see if the requesting user is a member of a group.

    To get the username from the web request you can use this in your web service code: $User = $Request.Username

    The username will be in the format of 'DomainNetBIOS\Username'

    From here, the web service code could load the ActiveDirectory PowerShell module, or if you have Active Roles the ActiveRolesManagementShell, to check the user's group membership.
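The check Richard describes, written out as an added example (this is not One Identity's code and not part of the original reply). It assumes the web service runs with "This web service requires authentication" turned on, so $Request.Username carries the IIS-authenticated caller in 'DomainNetBIOS\Username' form, and that the ActiveDirectory module is available to the service. The group name PM-Helpdesk, the helper function names, and the use of throw to reject the call are assumptions; adapt them to your environment and to how your service reports errors.

```powershell
# Added example: gate the setpasscode web service on Helpdesk group membership.
# Assumed group name; replace with the actual Password Manager Helpdesk group.
$HelpdeskGroup = 'PM-Helpdesk'

Import-Module ActiveDirectory -ErrorAction Stop

function ConvertTo-LdapFilterValue {
    # Escape characters that have meaning in an LDAP filter (RFC 4515).
    param([Parameter(Mandatory)][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        switch ($c) {
            '\'    { [void]$sb.Append('\5c') }
            '*'    { [void]$sb.Append('\2a') }
            '('    { [void]$sb.Append('\28') }
            ')'    { [void]$sb.Append('\29') }
            "`0"   { [void]$sb.Append('\00') }
            default { [void]$sb.Append($c) }
        }
    }
    return $sb.ToString()
}

function Test-HelpdeskMember {
    # Returns $true only if the authenticated caller is a (possibly nested)
    # member of $GroupName. Any lookup failure is treated as "not a member".
    param(
        [Parameter(Mandatory)][string]$RequestUser,   # 'DomainNetBIOS\Username'
        [Parameter(Mandatory)][string]$GroupName
    )

    # IIS hands over 'DOMAIN\user'; refuse anything that does not match that shape.
    $parts = $RequestUser -split '\\', 2
    if ($parts.Count -ne 2 -or [string]::IsNullOrWhiteSpace($parts[1])) {
        return $false
    }
    $domainNetBios = $parts[0]
    $sam           = $parts[1]

    try {
        $group = Get-ADGroup -Identity $GroupName -ErrorAction Stop
    } catch {
        return $false
    }

    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) resolves nested
    # membership server-side, so a single query covers groups inside groups.
    $filter = '(&(objectClass=user)(sAMAccountName={0})(memberOf:1.2.840.113556.1.4.1941:={1}))' -f `
        (ConvertTo-LdapFilterValue $sam), (ConvertTo-LdapFilterValue $group.DistinguishedName)

    try {
        $match = Get-ADUser -LDAPFilter $filter -Server $domainNetBios -ErrorAction Stop
    } catch {
        return $false
    }
    return ($null -ne $match)
}

# --- Web service body: authorise before touching the passcode ---
$User = $Request.Username

if (-not (Test-HelpdeskMember -RequestUser $User -GroupName $HelpdeskGroup)) {
    # Deny and stop here; the passcode logic below never runs for non-members.
    throw "Access denied: '$User' is not a member of '$HelpdeskGroup'."
}

# Existing setpasscode logic continues here for authorised callers only.
```

Two design points worth noting: the membership check is done with a single LDAP query using the in-chain matching rule, so nested Helpdesk groups are honoured without walking member lists in PowerShell, and every failure path (malformed username, missing group, lookup error) falls through to a deny rather than an allow.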

  • Thanks Richard, maybe this was the missing piece. Maybe worth considering updating the SDK documentation on this?