Add Windows Credentials using PowerShell & cmdkey

Question

I am trying to use credentials from some UI prompted to add Windows credentials using cmdkey:

$sessionCredential = $host.ui.PromptForCredential("Need credentials", "Please enter your user name and password.", "", "Server Crdentials")
$ps = ConvertFrom-SecureString -SecureString $sessionCredential.password
cmdkey.exe /add:server1 /user:$($sessionCredential.UserName) /pass:$($ps)

The credentials are added correctly, but the password is not.

What can I do?

Are you sure the password is not correct? The Credentials manager GUI never shows the correct number of digits there, so it just might _look_ as though this is wrong.. — Theo, Apr 28 '21 at 15:45
yes, i manually edit the passwords on the credentials UI to check and the passwords is wrong — galsi, Apr 29 '21 at 05:24
The fourth parameter to [PromptForCredential()](https://docs.microsoft.com/en-us/dotnet/api/system.management.automation.host.pshostuserinterface.promptforcredential) (*targetName* - *"Name of the target for which the credential is being collected."*) *seems* to be ***[misspelt](https://en.wiktionary.org/wiki/credential#Noun):*** *"`Server Crdentials`"*. It *seems* to be significant, not just an informational message. Is it significant? — Peter Mortensen, Apr 29 '22 at 18:11

score 1 · Answer 1 · edited Apr 29 '22 at 18:00

Use the CredentialManager PowerShell module. It saves the password in the same place as cmdkey, but it can take PSCredential objects directly without needing to convert to text.

Import-Module CredentialManager

# Get the credential from the user with a windows credentials prompt:
$SessionCredential = Get-Credential -Message 'Please enter your server credentials'

# Save the credential object directly without unwrapping it:
New-StoredCredential -Credentials $SessionCredential -Target ServerCredentials -Persist Enterprise `
  -Comment "Server Credentials for $($SessionCredential.UserName)" > $null

# Open the credential later
$SavedCred = Get-StoredCredential -Target ServerCredentials

# Delete if needed
Remove-StoredCredential -Target ServerCredentials

cmdkey /pass:$($ps) is prone to errors due to PowerShell garbling password characters.

i cannot add module to the client machine where this script is running , sorry — galsi, Apr 29 '21 at 05:22

score 1 · Accepted Answer · edited Apr 29 '22 at 18:02

1

Apparently, the problem is ConvertFrom-SecureString is returning an encrypted standard string, ConvertFrom-SecureString.

And the option to get plain text is not available on PowerShell 5.1.

I found the correct convert here.

I understand it is not secured. It is used inside secured clients.

See fixed code below:

$sessionCredential = $host.ui.PromptForCredential("Need credentials", "Please enter your user name and password.", "", "Server Crdentials")
$mpass = [System.Net.NetworkCredential]::new("",$sessionCredential.password).Password
cmdkey.exe /add:server1 /user:$($sessionCredential.UserName) /pass:$($mpass)

edited Apr 29 '22 at 18:02

Peter Mortensen

30,030
21
100
124

answered Apr 29 '21 at 05:32

galsi

261
4
14

1

It is still *"Server Crdentials"*. – Peter Mortensen Apr 29 '22 at 18:14
@PeterMortensen That 4th arg is the Domain Name. In my case I wanted to use this for web not Windows, so I called it "FAKEDOMAIN" and then instead of the cmdkey line I did `$user=$sessionCredential.UserName.Replace("FAKEDOMAIN\","")` – CrazyPyro May 15 '22 at 15:27

score 0 · Answer 3 · edited Apr 29 '22 at 18:03

0

Cpt.Whale's answer worked like a charm. The only caveat was the need to copy/distribute the CredentialManager module before using it.

edited Apr 29 '22 at 18:03

Peter Mortensen

30,030
21
100
124

answered Mar 11 '22 at 22:37

Diogo Catossi

1

1

The mentioned answer can be improved by editing it or leaving a comment on it, so that users have the complete solution there. – marcioggs Mar 12 '22 at 12:40
1

This does not provide an answer to the question. Once you have sufficient [reputation](https://stackoverflow.com/help/whats-reputation) you will be able to [comment on any post](https://stackoverflow.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/late-answers/31269912) – ryanwebjackson Mar 15 '22 at 03:31
Related: *[Why do I need 50 reputation to comment? What can I do instead?](https://meta.stackexchange.com/questions/214173/)*. – Peter Mortensen Apr 29 '22 at 18:04

Add Windows Credentials using PowerShell & cmdkey

3 Answers3