Using PowerShell to retrieve CAC Information

, ,

Using PowerShell to retrieve CAC Information

In this article, we will cover Using PowerShell to retrieve CAC Information

So today, we have a very niche PowerShell tutorial.  If you’re part of DOD or Army IT, you’ll probably recognize this as the scripting component of the FASCN project. For everyone else, I hope there’s something here you can use.


Users have received new smart cards that contain the fourth certificate to be used for Domain authentication. These certificates have a value, that while based on the EDIPI contained in existing certificates, is expanded and will only be used for this one purpose.   Several forests full of domains full of users now have UserPrincipalName (UPN) values that must be updated to take advantage of the new certificate.


PowerShell. Thanks for coming out, everyone. Have a nice night…

Actually, this is a very straightforward script if all you care about is “lines of code.”  Right now, we only wish to collect the FASCN value from each user upon login, so we need something that can run as a scheduled task in the user’s context. We also want to make sure that we don’t get the wrong values. For example, if two smart cards are inserted into a computer (e.g. maybe a technician has logged into a user’s PC to install software), we don’t want the certificate information from the technician’s card to update the account information of the user who was originally logged in.

The Code

  • To start the script, we want to isolate the current user’s UPN, which should be their EDIPI number if you’re rocking that DoD life.  I don’t want to require the ActiveDirectory module on each user’s computer, so we’re going to get it locally with whoami /upn instead. A little bit of string manipulation later, and the @mil is gone, leaving just the number.
  • Next, we have to isolate the certificates from the CAC.  The certificate containing the FASCN is referred to as the Authentication certificate, so we look for that in the FriendlyName value. However, we want to make sure we get a certificate that matches the right user, so we’re also going to make sure the EDIPI value exists in the Subject value. Lastly, we don’t want any expired or cached certificates getting in our way, and checking for the HasPrivateKey value guarantees that the certificate belongs to a CAC that is currently inserted in the reader.
  • We also want to get the user’s email address for this project, so we’re going to check the same values again, except against the Signature certificate. Variables corresponding to both the Signature and Authentication certificates are saved so we can do more work.
  • Both the FASCN and the email address are values saved in their certificates’ Subject Alternative Name values. Unfortunately, the raw data for these values is hideous, so we need a couple of COMobjects to decode them. You can’t use the same one to decode both values, so I create two.  While I’m at it, I save the raw data to some Strings so it’s easier to get.
  • Once you’ve used the COMObjects to decode the raw data. We want to get the strValue values from each of them. There may be some null entries hanging around. So just throw a quick FOR loop in there to only get the entries you want.
  • Now that you have the FASCN and Email values from the certificate. You can output them to a CSV file, write them to a text file. Then write back to Active Directory, or maybe send it to a printer. So you can wallpaper your bodega with useless information.

Now that you have an outline, here is the code that does all the work:

$myEDIPI = (whoami /upn).replace('@mil','')
$comOBJS = @()
$PIVCERT = gci Cert:\CurrentUser\My | ? {$_.Subject -like "*$($myEDIPI)*" -and $_.FriendlyName -like "Authentication -*" -and $_.HasPrivateKey -eq $true}     	 
$EMAILCERT = gci Cert:\CurrentUser\My | ? {$_.Subject -like "*$($myEDIPI)*" -and $_.FriendlyName -like "Signature -*" -and $_.HasPrivateKey -eq $true}     	 
$Extensions=$pivcert.Extensions | Where-Object {$_.Oid.FriendlyName -eq "Subject Alternative Name"}       	 
$EmailAddress=$EMAILCERT.Extensions | Where-Object {$_.Oid.FriendlyName -eq "Subject Alternative Name"}
$comOBJS += new-object -ComObject X509Enrollment.CX509ExtensionAlternativeNames       	 
$comOBJS += new-object -ComObject X509Enrollment.CX509ExtensionAlternativeNames       	 
$comObjs[0].InitializeDecode(1, $FASCNString)       	 
$FASCN = ($comOBJS[0].AlternativeNames | ?{$_.StrValue -like "*$($myEDIPI)*"}  ).strvalue
$comOBJS[1].InitializeDecode(1, $emailString)
$email = ($comOBJS[1].AlternativeNames | ?{$_.StrValue -like "*"}).strvalue
write-host "FASCN discovered: " $FASCN
write-host "Email discovered: " $email

Read more Using PowerShell to retrieve CAC Information

Working with CSV Files

, , ,

Hey everyone, it’s been a little while since my last post, but work’s been busy.  A recurring issue I see on TechNet is that plenty of people have trouble working with importing/exporting CSV files.  Specifically, I see questions about how to modify CSV files. Personally, I don’t see any value in modifying the CSV file directly, but rather importing the data from said file and working with the dataset natively in PowerShell.  Using one person’s thread as an example, he had a CSV file full of IP addresses that corresponded to his VM’s.  He wanted to add data about the VM based on the IP address, but wanted to know how to “modify the line” in the CSV file.    He had already written part of the script to create the CSV by pinging each computer in his IP range and outputting that to CSV.  For our test, here’s what our CSV looks like:

Now, let’s say we want to find the hostnames for each of these computers and add that to a new column. There are a couple ways we could do this, but in an enterprise environment, a good way to do it is to just ask AD who it is.   First, we create the empty “column” for our Hostname value.

Once that’s created, we need to fill it with values:

Keep in mind that you will see a lot of red text for any computer that doesn’t have an entry in AD. This could be a printer, a switch, etc.  If you’re using Windows 8.1+ or Server 2012R2+, you can use the resolve-dnsname cmdlet.
You can add more columns to the CSV by using the Add-Member cmdlet to your heart’s content, and when you’re done, you pipe your $dataset variable back to the export-csv cmdlet.
Really, once you start looking at CSV files as arrays of custom objects, they’re pretty easy to work with.