Before I was able to store email passwords in the Windows Credential Store and pass them to the Email activities as variables.
How am I going to achieve this since now I can retrieve only secured string which works only in type.
Am I missing something?
As Genfour suggested we need to create an activity that returns a string from a SecureString.
Until then String plainStr = new System.Net.NetworkCredential(string.Empty, secureStr).Password
should work
@badita why don’t you use Get Credential instead of Get Secure Credential if you need the password as string and not secure string?
@andraciorici: there are two Get Credentials
Both return a secured string.
Ok, got it. Well I think adding an activity that makes a secure password, unsecure, defies the security purpose. I would instead add a SecureString argument to activities that need it, like Send Mail.
We could that too. But what’s in it if you can unsecure a secure string via .NET.
Shall we return to unsecured string?
Attached is a workflow that decrypts it using best practices from Microsoft’s MSDN. Missing a try-catch to check if the pass value is null.
Decrypt SecureString.xaml (8.5 KB)
My belief is that if you want to pass a genuinely secure string you should not be able to decrypt it. To make this work you will need to ensure/consider the following:
If you cover both of these then the issue of decrypting the secure string goes away I think.
I’m trying to use “Get Credential” but I only find the “Get Credential” activity of Orchestrator package, so I’m not able to retrieve the credential stored in the Windows Credentials of the local machine
Do you see this activity?
@andraciorici, @Lavinia, @Horia
By exposing this method of retrieving secure password from Windows Credentials Vault we are ultimately compromising the security; as any developer can write this piece of code ant Production system and get the passwords from vault.
How can we avoid this security breach :
This is not true. The reason is that the unassisted robots runs under a Windows Credential that other developers can not access. Therefore they won’t be able to retrieve the passwords stored in production as they can not login to the robot machine under the robot account.
They will have access, of course, to dev/test credentials.
use assign activity:
on the left put your string variable
on the right put this. OutlookPassword is a secure string variable.
new System.Net.NetworkCredential(string.Empty, OutlookPassword).Password
Hi Susana,
I’m not seeing the Credentials folder under System. Is this an add-on or do I need to import a library?
Hi Vaidya,
Could you please upload a sample XAML , how we can pass the password in any website using credential manager???
This is a bug right ?
We shouldn’t be able to get the password in the orchestrator.
Hi @fmsimoes, it’s not a bug and was built that way in vb.net or C# I guess.
The point of the SecureString is so sensitive data is not stored in plain site. I don’t think it was meant as a way to keep programmers 100% from being able to extract that data, since there are times when you need to use it as a string (but it won’t be stored as a string). I know there is definitely security concerns around it. I think though that there is enough auditing happening that using that data in a damaging way would be caught, and what’s the difference in just simply creating a robot to do all that anyway? So, you still need to follow your security guidelines either way.
also, I’m not an expert…
