SharePoint 2016/2013/Online - How To Apply Password Encryption For Component As Service Using PowerShell

Recently, I have developed a couple of PowerShell based components that will serve as data crawlers for federated data sources, like External Web Services, SQL Server Databases, and Excel Workbooks & SharePoint Lists.

In order to authenticate the Service Accounts against all of these sources, I had no choice but to embed the Usernames and Passwords within the PowerShell code in plain text. It gets even worse when a few of the Web Services support only “Basic Authentication”.

Saving passwords in plain text in code files could lead to compliance issues and could eventually get the solutions rejected. In order to fix this issue, I have implemented a couple of mechanisms to deal with each type of authentication requirement.

In this article, I will discuss the mechanism to authenticate the requests to SharePoint Lists.

In order to simplify this demo, let’s consider a simple scenario where I have a list “MyLocations” as shown below and I need to export its metadata using a PowerShell based component.


To keep the content crisp, I will walk you through the specific section of the code, skipping all the CSOM specific code, for which you can refer to my earlier articles if you like.

I have intentionally divided this implementation into two separate code files in order to keep the passwords safe from the developers. The intention here is to get the Encryption Files generated by SharePoint Admins and provide these files to developers so that they can use them in code directly as shown below.

In the following code snippet, you can see the commands to encrypt the password “12345678” and export it to a text file “BANSALP.txt”.


This file would look like below.


This way, you can store the passwords for all the required service accounts in different text files without violating Security Compliance.

Now, in order to pass this encrypted password to SharePoint for authentication, we can make use of “System.Management.Automation.PSCredential” Class, as shown below.

Here, the “Get-Content” cmdlet is used to read the content from the “BANSALP.txt” file and the “ConvertTo-SecureString” cmdlet is used to get the encrypted password as a secure string.


Once the credential object has been created, we can assign this credential object to SharePoint Client Context “Credentials” Property.
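
The export and import steps described above, written out as an added example rather than the article's original code. The function names, the `BANSALP` user name (inferred from the file name) and the temp-folder path are assumptions made for illustration.

```powershell
function Export-ProtectedPassword {
    # Admin side (hypothetical helper). Without -Key, ConvertFrom-SecureString
    # protects the value with Windows DPAPI, which ties the output to the
    # current user profile on the current computer.
    param(
        [Parameter(Mandatory)] [securestring] $Password,
        [Parameter(Mandatory)] [string] $Path
    )
    $Password | ConvertFrom-SecureString | Set-Content -Path $Path -Encoding ASCII
}

function Import-ServiceCredential {
    # Developer side (hypothetical helper): the script only handles the
    # protected text, never the plain-text password.
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $Path
    )
    if (-not (Test-Path -Path $Path)) { throw "Password file not found: $Path" }
    try {
        $secure = Get-Content -Path $Path -ErrorAction Stop |
            ConvertTo-SecureString -ErrorAction Stop
    }
    catch {
        # Typical cause: the file was created by another user or on another machine.
        throw "Cannot decrypt '$Path' as $env:USERNAME on $env:COMPUTERNAME: $($_.Exception.Message)"
    }
    if (-not $secure) { throw "Password file is empty: $Path" }
    New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

# --- Demo with the article's sample values ---
$file = Join-Path $env:TEMP 'BANSALP.txt'

# "12345678" is the article's demo password. For a real account, collect it with
#   Read-Host -AsSecureString
# so the plain text never appears in a script file or in command history.
$demo = ConvertTo-SecureString '12345678' -AsPlainText -Force
Export-ProtectedPassword -Password $demo -Path $file

# User name assumed from the file name used in the article.
$credential = Import-ServiceCredential -UserName 'BANSALP' -Path $file
'{0}: {1} characters recovered' -f $credential.UserName, $credential.Password.Length

# The credential is then assigned to the CSOM client context as the article describes:
#   $ctx.Credentials = $credential
Remove-Item -Path $file
```

Because no `-Key` is supplied, the file can be decrypted only by the same Windows account on the same machine that created it, so the admin has to generate it while running as the service account on the host that will run the component.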


With this Client Context, SharePoint authenticates the incoming request based on the ACL of the requestor. The following is the outcome of the call that we sent to SharePoint.


I have also exported the metadata to a CSV file, which looks like this.


Hope you find it helpful.
