simpleSAMLphp on IIS from scratch (with AD FS)

With this article, I want to go through each step of the configuration to install simpleSAMLphp on IIS from scratch (with AD FS): this will work for multiple SPs!

This will allow you to set up single sign on on all your web applications, directing the users to login with your identity provider (AD FS for this guide).

The steps will be showing you how to deploy simpleSAMLphp in IIS and also how to link it to an existing AD FS environment, which will be used as the IdP.

Also, with this guide, you’ll be able to deploy multiple web applications on the same web server that will be able to leverage a single simpleSAMLphp installation.

(more…)

Read More

Run a Powershell script from PHP

Running a Powershell script from PHP is easier than I expected. I was pretty new to this as well, but after a while I manage to build some pretty nice automatized tasks that help a lot with small processes.

Of course, if you’re using Windows Powershell, you’ll need to run these script from a Windows Server/Client.

If you’re in a Windows environment, the best way to go is installing PHP in IIS. I recommend using the latest PHP version (at the time of writing, we’re at 7.2), you can grab it from https://php.iis.net, or you can launch the Web Platform Installer if you’ve already got it in IIS.

Possibilities

Many! You really have a huge playground here to develop whatever you need. Here’s a few examples:

  • Automate the creation of an AD account and allow access to the web end to just the Help Desk team.
    • What does this mean? You’ll no longer need to delegate permissions to the entire Help Desk team, you’ll just need to delegate permissions to the service account running the Application Pool in IIS. Also, because nobody else has permissions, you can choose the way you want this AD Account to be created (base OU, syntax, password length, settings etc).
  • Allow users to change a specific setting in their AD Account.
    • Imagine a large organization, you may want to delegate as many tasks as possible. For example, say we’re ok to trust the users to change their own Phone Numbers in AD. You can build a script that will allow to do that, at your own conditions and expose a small web interface to allow the user to see the current phone number and change it.
  • Allow the Help Desk and Desktop Teams to view a share’s NTFS permissions.
    • Once again, no need to provide access to the share, just the service account will need access. You’ll build a script that will grab the ACL from a share and return just that, based on the User’s input.

These are very basic examples of course. For instance, I’ve also built a tool that will allow Group’s managers to add/remove users to these groups. Super handy. (more…)

Read More

Run a command as a different user in Powershell

There are three main ways to run a command as a different user in Powershell, besides the classing Right click shift. This article will show you how to do that, within the same Powershell session.
By the same Powershell session, I mean something like this:

  • You’re logged on as ITDroplets\UserA.
  • You have a powershell script/console running as UserA.
  • Within that powershell script/console, you want to run a command as ITDroplets\UserB.

In the Options below, I will consider the above example and I will run “Get-Process Explorer” as UserB. This is very handy when running elevated commands, for instance when UserA is a standard user account and UserB has local admin rights. Of course, Get-Process Explorer doesn’t really need elevation 🙂
Remember that the examples are super concentrated, which means I didn’t add any check to see if the command ran successfully etc. They’re there as pure examples, you can then shape them to fit your needs.

Option 1 – System.Diagnostics.ProcessStartInfo

(more…)

Read More

Automating Telegram Messages with Powershell

In this post I will go through automating Telegram Messages with Powershell, including a full script as an example.

Truth to be told, I’ve installed, and first used, Telegram about 3 hours before writing this post, but I saw so much potentials that I couldn’t wait to publish this. Consider also that I was actually after something similar for WhatsApp, but there’s no official API from them yet.

So because I’m such a noob here, I will actually go through the steps I’ve followed to get a Bot configured to work. Note that a Bot is an easier way to handle this sort automation, but if you’re an advanced user, you could look directly into Telegram’s API which will be way more flexible.

What can I actually use this for?

Well, of course you can just do it for fun and be able to send a message via powershell. But that’d be wasting this great potential. If I look out of the box, I see a possibility to build a (cheap) notification system and/or a (cheap) runbook system.

For example, imagine that you’ve got a script running that right now sends you an email once done just to tell you that the script has finished in 30 minutes. Why an email? Isn’t it handier having an actual push-notification on your phone telling you that?

Let’s think bigger, you’re deploying a new Virtual Machine with an automated script and, besides sending you a report via email, you want to know when it’s done so that you perhaps can go and work on the VM you just deployed, without continuously checking the status of the deployment. Or imagine adding a simple Message after an SCCM Task Sequence has been completed or even just use it to alert in case of a low disk space etc.

Now, what I like the most, what if Powershell can read what we’re writing into that conversation and based on that take actions? Like a runbook. Example: you write “Restart-Computer”. The PS script  could have a part of the code that checks every X amount of time if somebody wrote something and if they did, it checks the message. If the message equals to “Restart-Computer” then go and restart the computer. This is a very basic example, but it contain the core of what this can be used for.

Based on this idea, I actually build a very simple runbook automation script to leverage a Telegram message. Check it out here: Building a runbook with Powershell and Telegram

In the example at the end of this article I will be showing you how to send a message to a Telegram group and a possible action take after somebody replies with a specific keyword.

Set a Bot up

I suggest you to use a computer after step 1 as it’s going to be a bit faster in my opinion. This first bit is super simple.

  1. The first thing you want to do is register with Telegram if you haven’t done it yet. To do that, just go and download the app from the store (depending on what smartphone you’ve got).
  2. Launch the BotFather by opening this link: https://telegram.me/botfather
    • Start a conversation with the BotFather by typing /newbot – This will start the Bot creation wizard.
    • At this point, you will be asked to provide a Friendly name and a username. Once that is done, you will be provided with the token to be used in our scripts.
    • Telegram_botfather_create-bot

Time to intercept the Chat ID and run a quick test

So, in order for us to leverage the Bot to send a message, we will need to get the Chat ID of the conversation we want the Bot to talk/listen in. (more…)

Read More

Get GoodWe data with Powershell

I recently had a few solar panels installed over the roof of my house and right after that I thought, how can I get GoodWe data with Powershell?

GoodWe is the brand of the inverter installed, which connects to my home wifi and sends data automatically to the GoodWe Portal. The model I have is the GW4200D-NS.

I have to say that I wasn’t happy with the app I was provided with, neither was I happy with the portal, which refreshes the Real Time Data every 15 minutes! What kind of real time is that? However, to be fairly honest, why would you want to see actual Read Time readings? Well, because I want to. 🙂

Before looking for a solution on my own, I always search online, I don’t want to re-invent the wheel, so I found a post where I got the main idea: https://brnrd.eu/misc/2016-03-13/goodwe-logging-to-pvoutput.html . This post describes a way of grabbing the data from a non-Windows environment.

Important: I am not (nor is the post above) grabbing the data directly from the inverter, but I am leveraging the GoodWe portal information. An idea I have is to sniff the traffic the inverter sends to goodwe, capture it and re-utilise it, however I’m not too interested in that yet as the solution I have works fine.

Edit 20180605: GoodWe has started using HTTPS, so the previous script got broken because of this. I’ve updated it (just changed the URL from http to https) and the script is working as usual.

(more…)

Read More