Enterprise IT Identity & Access Management : 6. SampleCode

Sample Code (VBScript) - Retrieve MIIS WMI Password History

Yale Li — Tue, 11 Apr 2006 00:00:00 GMT

This is a sample WMI script to retrieve password change history for a specific account through MIIS. You just need to run it on MIIS server with MA name, domain name and account name as parameters.

Option Explicit

On Error Resume Next

Dim Service
Dim CsObjects
Dim CsObject
Dim Arguments
Dim domainName
Dim ma
Dim account
Dim MVGuid
Dim password
Dim oldPassword
Dim r

Set Arguments = WScript.Arguments.Named

domainName = Arguments.Item("D")
account = Arguments.Item("A")
ma = Arguments.Item("M")

Set Service = GetObject("winmgmts:root\MicrosoftIdentityIntegrationServer")
Set CsObjects = Service.ExecQuery("Select * from MIIS_CSObject where domain='" + domainName + "' and account='" + account + "'")

For each CsObject in CsObjects
MVGuid = CsObject.MVGuid
Next

Set CsObjects = Service.ExecQuery("Select * from MIIS_CSObject where mvguid='" + MVGuid + "'")

For each CsObject in CsObjects
if LCase(CsObject.MAName) = LCase(ma) then
wscript.echo "Retrieving MIIS WMI Password History ..."
wscript.Echo CsObject.PasswordChangeHistory
end if
Next

Sub ErrorHandler (ErrorMessage)
WScript.Echo ErrorMessage
WScript.Quit(1)
End Sub

Sample Code (VBScript) - Query CAPICOM

Yale Li — Thu, 30 Mar 2006 00:00:00 GMT

This script queries capicom com object to get cert expiration date. Capicom.dll must be installed and registered in order to run this script. If you need additional cert info, you can just add more CAPICOM Cert object properties to my sample code.

Option Explicit
on error resume next
Const CAPICOM_MY_STORE = "My"
Const CAPICOM_LOCAL_MACHINE_STORE = 1
Const CAPICOM_CURRENT_USER_STORE = 2
Const CAPICOM_STORE_OPEN_READ_ONLY = 0
Const CAPICOM_EKU_CLIENT_AUTH = 2
Const CAPICOM_EKU_CODE_SIGNING = 3
Const CAPICOM_EKU_EMAIL_PROTECTION = 4
Const CAPICOM_EKU_SERVER_AUTH = 1
Const CAPICOM_EKU_OTHER = 0
Const CR_DISP_ISSUED = &H3
Const CR_OUT_CHAIN = &H100
Const CR_OUT_BASE64 = &H1
Const CERT_SYSTEM_STORE_LOCAL_MACHINE = &H20000
Const CR_IN_BASE64 = &H1
Const CR_IN_PKCS10 = &H100

Dim Wshshell, Wshfile, oCert, oStore, return, certname, validto, expirationdate, computername, systemroot, cn, sn
Set Wshshell = CreateObject("Wscript.shell")
Set Wshfile = CreateObject("Scripting.FileSystemObject")
computername = WshShell.ExpandEnvironmentStrings("%COMPUTERNAME%")
systemroot = WshShell.ExpandEnvironmentStrings("%SYSTEMROOT%")

REM *** Query cert Store and Update new server records ***
Set oStore = CreateObject ("CAPICOM.Store")
oStore.Open CAPICOM_LOCAL_MACHINE_STORE, CAPICOM_MY_STORE, CAPICOM_STORE_OPEN_READ_ONLY

For Each oCert in oStore.Certificates
cn = Split(oCert.SubjectName,",")
sn = Split(cn(0),"=")
certname = sn(1)
validto = Split(oCert.ValidToDate," ")
expirationdate = validto(0)
WScript.Echo " server name: " & computername
WScript.Echo " certname: " & certname
WScript.Echo " Valid To: " & expirationdate
End If
Next

REM *** Completion and Cleanup
Set Wshshell = nothing
Set Wshfile = nothing
Set oStore = nothing

Sample Code (VBScript) - Compare Two AD Groups and Get Membership Difference

Yale Li — Sun, 26 Mar 2006 08:00:00 GMT

If you want two AD groups with the same membership but are afraid of mis-sync, I have a sample script to find the delta:

On Error Resume Next
Dim strGroup1, strGroup2, iArgs, oArgs

iArgs = Wscript.arguments.count
Set oArgs = Wscript.arguments

strGroup1 = "cn=" & oArgs(0) & ",ou=ou_name,dc=child_domain_name,dc=parent_domain_name,dc=c0m"
strGroup2 = "cn=" & oArgs(1) & ",ou=ou_name,dc=child_domain_name,dc=parent_domain_name,dc=c0m"

Set objGroup1 = GetObject("LDAP://" & strGroup1)
objGroup1.GetInfo
arrMemberOf1 = objGroup1.GetEx("member")

Set objGroup2 = GetObject("LDAP://" & strGroup2)
objGroup2.GetInfo
arrMemberOf2 = objGroup2.GetEx("member")

WScript.Echo oArgs(0) & " Members not in " & oArgs(1)
For Each strMember in arrMemberOf1
    strUser1 = split(strMember,",")
    if (StrComp(InGroup2(strUser1(0)),"no") = 0) then
    strUser = split(strUser1(0),"=")
    WScript.echo strUser(1)
    end if
Next
WScript.Echo " "

WScript.Echo oArgs(1) & " Members not in " & oArgs(0)
For Each strMember in arrMemberOf2
    strUser2 = split(strMember,",")
    if (StrComp(InGroup1(strUser2(0)),"no") = 0) then
    strUser = split(strUser2(0),"=")
    WScript.echo strUser(1)
    end if
Next
WScript.Echo " "

Function InGroup1(strMember2)
InGroup1 = "no"
For Each strMember in arrMemberOf1
strUser1 = split(strMember,",")
if (StrComp(strMember2,strUser1(0)) = 0) then InGroup1 = "yes"
Next
' Wscript.Echo strMember2 & " " & InGroup1
End Function

Function InGroup2(strMember1)
InGroup2 = "no"
For Each strMember in arrMemberOf2
strUser2 = split(strMember,",")
if (StrComp(strMember1,strUser2(0)) = 0) then InGroup2 = "yes"
Next
' Wscript.Echo strMember1 & " " & InGroup2
End Function

Sample Code (C#) - Provision User Accounts and Groups with MIIS

Yale Li — Sun, 26 Mar 2006 06:00:00 GMT

Here is my sample code to provision AD use accounts and groups using MIIS MV Extension:

// Use Visual Studio to build
using System;
using Microsoft.MetadirectoryServices;

namespace Mms_Metaverse
{
    public class MVExtensionObject : IMVSynchronization
    {
       public MVExtensionObject()
        {
        }

        void IMVSynchronization.Initialize ()
        {
        }

        void IMVSynchronization.Terminate ()
        {
        }

  void IMVSynchronization.Provision (MVEntry mventry)
  {
   ConnectedMA ManagementAgent;
   int Connectors;
   ReferenceValue dn;
   string container;
   string rdn;
   CSEntry CSentry;

   // Get the ActiveDirectory Management Agent
   ManagementAgent = mventry.ConnectedMAs["AD_MA_Name"];
   Connectors = ManagementAgent.Connectors.Count;

   if(0 == Connectors)
   {
    if (mventry.ObjectType == "person" )
    {
     container = "OU=OU_Name,DC=Domain_Name,DC=com";
     if(mventry["cn"].IsPresent)
       {
        rdn = "CN=" + mventry["cn"].Value;
        dn = ManagementAgent.EscapeDNComponent(rdn).Concat(container);
       }
       else
       {
        throw new UnexpectedDataException();
       }
     CSentry = ManagementAgent.Connectors.StartNewConnector("user");
     CSentry.DN = dn;
     CSentry["unicodepwd"].Values.Add("Initial_Password");
     CSentry["cn"].Value = mventry["cn"].Value;
     CSentry["sAMAccountName"].Value = mventry["sAMAccountName"].Value;
     CSentry["displayName"].Value = mventry["displayName"].Value;
     CSentry["givenName"].Value = mventry["givenName"].Value;
     CSentry["mail"].Value = mventry["mail"].Value;
     CSentry["mailNickname"].Value = mventry["mailNickname"].Value;
     CSentry["sn"].Value = mventry["sn"].Value;
     CSentry["title"].Value = mventry["title"].Value;
     CSentry["telephoneNumber"].Value = mventry["telephoneNumber"].Value;
     CSentry["userAccountControl"].IntegerValue = 66080; // Enable the account
     CSentry.CommitNewConnector();
    }

    if (mventry.ObjectType == "group" )
    {
     container = "OU=OU_Name,DC=Domain_Name,DC=com";
     if(mventry["cn"].IsPresent)
     {
      rdn = "CN=" + mventry["cn"].Value;
      dn = ManagementAgent.EscapeDNComponent(rdn).Concat(container);
     }
     else
     {
      throw new UnexpectedDataException();
     }
     CSentry = ManagementAgent.Connectors.StartNewConnector("group");
     CSentry.DN = dn;
     CSentry["cn"].Value = mventry["cn"].Value;
     CSentry["sAMAccountName"].Value = mventry["sAMAccountName"].Value;
     CSentry["groupType"].IntegerValue = 8; // you can change type
     CSentry.CommitNewConnector();
    }
   }
  }

        bool IMVSynchronization.ShouldDeleteFromMV (CSEntry csentry, MVEntry mventry)
        {
            throw new EntryPointNotImplementedException();
        }
    }
}

Sample Code (T-SQL) - Protecting Identity Data with SQL 2005 Data Encryption

Yale Li — Sun, 26 Mar 2006 05:00:00 GMT

There are multiple ways to protect (encrypt) data with SQL 2005: either using certificate or password.

Here is my code sample to use a password to encrypt identity data (assuming the identity table name as tblIdentity_SmartCard table, the identity data column as Identiy_PIN, and GUID as column with primary key):

CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'replace_with_real_password'

CREATE ASYMMETRIC KEY asymPW1 WITH ALGORITHM = RSA_1024 ENCRYPTION by Password = 'Str0ngPa$$w0rd'

CREATE SYMMETRIC KEY symPW1 WITH ALGORITHM = DES

ENCRYPTION BY ASYMMETRIC KEY asymPW1

OPEN SYMMETRIC KEY symPW1 DECRYPTION BY ASYMMETRIC KEY asymPW1 WITH Password = 'Str0ngPa$$w0rd'

Declare @keyGUID UNIQUEIDENTIFIER

SET @keyGUID = (Select key_guid from sys.symmetric_keys WHERE name = 'symPW1')

Insert Into tblIdentity_SmartCard (Identiy_PIN) Values (EncryptByKey(@keyGUID, 'replace_with_PIN_data',1))

Select GUID, Identiy_PIN from tblIdentity_SmartCard

Select GUID, Convert(varchar,DecryptByKey(Identiy_PIN, 1))

from tblIdentity_SmartCard

Close SYMMETRIC KEY symPW1

Sample Code (C++) - Scan Certificate Expiration Date Remotely

Yale Li — Sun, 26 Mar 2006 04:00:00 GMT

It is hard to find a tool to check certificate expiration date on a remote machine without logon locally. Here is my code to accomplish this job:

// to build: cl scancert.cpp -link crypt32.lib
//------------------------------------------------------

#include <windows.h>
#include <wincrypt.h>
#include <stdlib.h>
#include <stdio.h>
#include <shlwapi.h>
const char *s1 = "\\my";
void listlocalcertstore(char const * const s);

void main(int argc, char** argv)
{
   if (argc != 2) {
      printf("Usage %s servername\n", argv[0]);
      exit(1);
   }
   char *s2 = (char*)malloc( (strlen(s1) + strlen(argv[1]) +1) * sizeof(char));
   if( s2 == NULL) {
      printf("Can not allocate memory on s2\n");
      exit(1);
   }
   strcpy(s2, argv[1]);
   strcat (s2, s1);

char *s0 = (char*)malloc( (3 + strlen(s2)) * sizeof(char));

   if( s0 == NULL) {
      printf("Can not allocate memory on s0\n");
      exit(1);
   }
   strcpy(s0,"\\\\");
   strcat (s0, s2);
   listlocalcertstore(s0);
   free(s2);
   free(s0);
}

void HandleError(char *s);

void listlocalcertstore(char const * const pszStoreName) {
   HANDLE          hStoreHandle;
   PCCERT_CONTEXT pCertContext=NULL;
   PCCERT_CONTEXT pDupCertContext;
   PCERT_PUBLIC_KEY_INFO pOldPubKey = NULL;
   PCERT_PUBLIC_KEY_INFO pNewPubKey;
   char pszNameString[256];
   wchar_t pwszStoreName[256];
   swprintf(pwszStoreName, L"%S", pszStoreName);
   hStoreHandle = CertOpenStore(
      CERT_STORE_PROV_SYSTEM,
      0,
      NULL,
      CERT_SYSTEM_STORE_LOCAL_MACHINE,
      pwszStoreName
   );

   if(hStoreHandle)
   {
      // printf("The %s store has been opened. \n", pszStoreName);
   }
   else
   {
      HandleError("The store was not opened.");
   }

/* Find the certificates in the system store. */

   while(pCertContext = CertEnumCertificatesInStore(hStoreHandle, pCertContext)) {
      /* Get and display the name of subject of the certificate. */
      if(CertGetNameString(pCertContext, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, NULL, pszNameString, 128)) {
             printf("\nCertificate: %s \n",pszNameString);
      }
      else
      {
             HandleError("CertGetName failed.");
      }

      if(CertGetNameString(pCertContext, CERT_NAME_SIMPLE_DISPLAY_TYPE, CERT_NAME_ISSUER_FLAG, NULL, pszNameString, 128)) {
             // printf("Issuer %s \n",pszNameString);
      }
      else
      {
             HandleError("CertGetName failed.");
      }

      FILETIME expirytime;
      SYSTEMTIME systime;
      expirytime = pCertContext->pCertInfo->NotAfter;
      FileTimeToSystemTime(&expirytime, &systime);
      printf("Expiry date: %d %d %d\n", systime.wYear, systime.wMonth, systime.wDay);
   }
   CertCloseStore(hStoreHandle, 0);
}

void printError(DWORD messageId) {
LPSTR pBuf;

   if (FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM, NULL, messageId, 0, (LPSTR) &pBuf, 0, NULL)) {
      fprintf(stderr, "%s\n", pBuf);
      LocalFree(pBuf);
   }
   else
   {
      fprintf(stderr, "Error %d (0x%x)\n", messageId);
   }
}

void HandleError(char *s)
{
   DWORD dwErr = GetLastError();
   fprintf(stderr,"An error occurred in running the program. \n");
   fprintf(stderr,"%s\n",s);
   fprintf(stderr, "Error number %x.\n", dwErr);
   printError(dwErr);
   fprintf(stderr, "Program terminating. \n");
   exit(1);
}

Sample Code (Command) - Windows Vista Domain Join with smart card

Yale Li — Sun, 26 Mar 2006 03:00:00 GMT

After you require smart card interactive logon in your environment, the traditional domain join will not work because you don't have a password. Windows Vista resolves this problem by allowing domain join with smart card. However, this new feature will work only if you have Root CA certifcate on smart card.

Here is how to enroll Root CA cert on smart card:

1. Run "certutil –scroots deploy" from command line to enrollment Root CA cert

2. Run "certutil –scroots view" to verify the cert

Certutil with new scroots switch is a built-in tool in Windows Vista.

After you load Root CA cert, you will be able to select a smart card instead of username/password, and enter the PIN to join a domain.