cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

[[cat-users]] Set credentials by installer won't work under Windows 10 (1809)

From: Mattias Baake <mattias.baake AT ub.uni-osnabrueck.de>
To: cat-users AT lists.geant.org
Subject: [[cat-users]] Set credentials by installer won't work under Windows 10 (1809)
Date: Fri, 4 Oct 2019 13:58:24 +0200

Hi,

I have a problem setting the credentials automatically by the installer (and as deployment). If the creds would be set by the included "WLANSetEAPUserDatax64.exe" it don't work under Windows 10 (1809) - under Windows 7 its all fine. If I add the credentials manually it works, too.

I have decrypted the MSMUserData for manually and automatically set credentials and got the following result:

manually: MSMUserData contains the password as encrypted blob (need to be decrypted in a second step) - only the username is readable in this step (like under windows 7)
automatically: MSMUserData is much smaller than the manually one and the password is readably in this first step

The script I have used to decrypt the MSMUserData (Decrypt-MSMUserData):

param(
    [String]$Path = ".\eap.blob",
    [Switch]$EapExtractMode
)

function main() {
    Load-ProtectedDataApi
    cd C:\UB\
    whoami
    $b = gc $Path -Encoding Byte

    $datetime = (Get-Date -Format s) -replace ":","-"

    $bdec = [System.Security.Cryptography.ProtectedData]::Unprotect($b,$null,'Localmachine')
    [System.Environment]::CurrentDirectory = Get-Location
    [System.IO.File]::WriteAllBytes(('eap-dec-{0}.blob' -f $datetime), $bdec)

}

function Load-ProtectedDataApi() {
    try {
        $null = [System.Security.Cryptography.ProtectedData]
    } catch {
        Write-Verbose 'Adding assemly: System.Security'
        Add-Type -AssemblyName 'System.Security'
        $null = [System.Security.Cryptography.ProtectedData]
        $Error.Clear()
    }
}

function GetEAPBytes() {
    $RegBase = "Registry::HKEY_CURRENT_USER\Software\Microsoft\Wlansvc\UserData\Profiles"
    $profiles = @{}
    ls $RegBase | % -Begin {$i = 0} {$i++; $profiles[$i] = $_.Name; Write-host $("[{0:d2}] {1}" -f $i,$_.Name)}
    $choice = Read-Host -Prompt "Choice"
    $profile = "$profiles[[int]$choice]"
    $MSMUserData = (Get-ItemProperty -Path "Registry::$profile").MSMUserData
    return $MSMUserData
}

if (!$EapExtractMode) {
    main
    return
}
$eapBytes = GetEAPBytes
$datetime = (Get-Date -Format s) -replace ":","-"
[System.Environment]::CurrentDirectory = Get-Location
[System.IO.File]::WriteAllBytes(('eap-{0}.blob' -f $datetime), $eapBytes)

Call as User:

.\Decrypt-MSMUserData -EapExtractMode

Call from a console of user SYSTEM (created by psexec -s -i powershell.exe):

.\Decrypt-MSMUserData -Path eap-<DATETIME>.blob
# READ eap-dec-<DATETIME>.blob

Mit freundlichen Grüßen

Mattias Baake

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

[[cat-users]] Set credentials by installer won't work under Windows 10 (1809), Mattias Baake, 10/04/2019
- Re: [[cat-users]] Set credentials by installer won't work under Windows 10 (1809), Tomasz Wolniewicz, 10/06/2019
  - Re: [[cat-users]] Set credentials by installer won't work under Windows 10 (1809), Martin Pauly, 10/06/2019
- Re: [[cat-users]] Set credentials by installer won't work under Windows 10 (1809), Tomasz Wolniewicz, 10/07/2019