I am a bit at a loss here. I have installed Microsoft.PowerShell.SecretStore on one of our servers and set up vaults for different accounts. The password for unlocking the vault is saved in an XML file, which I created using "Export-Clixml". To unlock the vault, I simply get the password from the XML file via "Import-Clixml". For my admin account that works perfectly fine.
Now I have set up a second vault on the same server for a different account and again saved the password in an XML file in the same fashion as before. But for some reason that I do not understand, unlocking does not work here.
I wrote the following script to check whether or not unlocking the vault works.
$userName = 't1_service'
Write-Host "1:" $userName
# Path to the file where the password will be stored.
$PathToFile = 'D:\Powershell\Vault\' + $userName + '.xml'
Write-Host "2:" $PathToFile
# Prompt for the password.
$credential = Get-Credential -UserName $userName -Message 'Enter Password'
Write-Host "3:" $credential
# Save the password (a SecureString) to the file.
$credential.Password | Export-Clixml -Path $PathToFile
$err = $false
try {
    # Read the password back from the file.
    $password = Import-Clixml -Path $PathToFile
    Write-Host "4:" $password
}
catch {
    # Report the error and skip the unlock attempt.
    "An error occurred:"
    $_
    $err = $true
    Write-Host "5:" $_
}
if (!$err) {
    Write-Host "6: Unlock-SecretStore"
    Unlock-SecretStore -Password $password
}
Running the script on my server with the correct account gives me the following:
PS D:\Powershell> .\TEST.ps1
1: t1_service
2: D:\Powershell\Vault\t1_service.xml
3: System.Management.Automation.PSCredential
4: System.Security.SecureString
6: Unlock-SecretStore
Unlock-SecretStore : Store file integrity check failed.
The provided password may be invalid, or store files have become corrupted or have been tampered with.
At D:\Powershell\TEST.ps1:32 char:2
+ Unlock-SecretStore -Password $password
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Unlock-SecretStore], PSInvalidOperationException
+ FullyQualifiedErrorId : InvalidOperation,Microsoft.PowerShell.SecretStore.UnlockSecretStoreCommand
whereas when I simply enter Unlock-SecretStore
in the PowerShell console and enter the password for the vault, it unlocks just fine.
When I try to convert the password from plaintext to a SecureString via
$p = ConvertTo-SecureString "SuperDuperSecretPassword" -AsPlainText -Force
and then try to unlock the vault via Unlock-SecretStore -Password $p
that also fails with the same error message.
Could someone please help me find where I am taking a wrong turn?
I replaced
# Prompt for the password.
$credential = Get-Credential -UserName $userName -Message 'Enter Password'
Write-Host "3:" $credential
# Save the password (a SecureString) to the file.
$credential.Password | Export-Clixml -Path $PathToFile
with
# Prompt for the password; Read-Host -AsSecureString returns a SecureString directly.
$credential = Read-Host -AsSecureString
Write-Host "3:" $credential
# Save the SecureString to the file.
$credential | Export-Clixml -Path $PathToFile
and now it works.
So for some reason Get-Credential
seems to be the problem. Don't know why though.
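The approach the thread converges on (prompt with Read-Host -AsSecureString, persist with Export-Clixml, read back with Import-Clixml, hand the SecureString to Unlock-SecretStore), written out as an added example that is not code from the original post or answer. It assumes the Microsoft.PowerShell.SecretStore module is installed and configured for password authentication, and that the directory D:\Powershell\Vault\ exists; the function names and the type check on the imported object are this example's own additions. On Windows, Export-Clixml protects a SecureString with DPAPI under the current user's profile, so the file is only readable by the same account on the same machine; run both functions as the account that owns the vault.

```powershell
# Added example (not from the original post): store the SecretStore password as a
# DPAPI-protected SecureString file and unlock the vault from that file.
# Assumptions: Microsoft.PowerShell.SecretStore is installed and uses password
# authentication; the target directory exists and is writable by this account.

Import-Module Microsoft.PowerShell.SecretStore -ErrorAction Stop

function Save-VaultPassword {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [string] $Directory = 'D:\Powershell\Vault'   # assumed path
    )
    $path = Join-Path -Path $Directory -ChildPath ("{0}.xml" -f $UserName)

    # Read-Host -AsSecureString returns a SecureString directly, which is what
    # the answer in the thread switched to.
    $secure = Read-Host -Prompt "Vault password for $UserName" -AsSecureString

    # Export-Clixml encrypts a SecureString with DPAPI bound to the current user
    # and machine, so only this account on this host can import it again.
    $secure | Export-Clixml -Path $path
    return $path
}

function Unlock-VaultFromFile {
    param([Parameter(Mandatory)] [string] $Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Password file not found: $Path"
    }

    # Import-Clixml decrypts the SecureString; it fails if a different account
    # (or a different machine) tries to read the file.
    $password = Import-Clixml -LiteralPath $Path

    # Guard against a file that holds something other than a SecureString,
    # e.g. a whole PSCredential object or a plain string exported by mistake.
    if ($password -isnot [System.Security.SecureString]) {
        throw "Expected a SecureString in $Path but got $($password.GetType().FullName)"
    }

    # Length is safe to log and quickly shows an empty or unexpectedly long value.
    Write-Verbose ("Imported SecureString with length {0}" -f $password.Length)

    try {
        Unlock-SecretStore -Password $password -ErrorAction Stop
        return $true
    }
    catch {
        Write-Warning "Unlock-SecretStore failed: $($_.Exception.Message)"
        return $false
    }
}

# Usage (run as the account that owns the vault, because of the DPAPI binding):
# $file = Save-VaultPassword -UserName 't1_service'
# if (Unlock-VaultFromFile -Path $file -Verbose) { Get-SecretInfo }
```

Keeping the file under the owning account's profile and restricting its ACL to that account matters even though DPAPI protects the contents: anyone who can run code as that account can import the file and unlock the store, so the XML file is exactly as sensitive as the vault password itself.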