Is it possible to somehow cast or convert a WindowsIdentity type to PSCredential type?

powershell


I am sure others will have their take on this, but here are a few things, as I understand them, that would make this a real challenge and not prudent as an operational deal.

[Security.Principal.WindowsIdentity]::GetCurrent() gives you information about your authenticated identity on the network. It does not contain any info about the user password (https://msdn.microsoft.com/en-us/library/system.security.principal.windowsidentity(v=vs.110).aspx), which is needed by System.Management.Automation.PSCredential (https://docs.microsoft.com/en-us/dotnet/api/system.management.automation.pscredential?view=powershellsdk-1.1.0).

Remember, the goal of GetNetworkCredential (https://docs.microsoft.com/en-us/dotnet/api/system.management.automation.pscredential.getnetworkcredential?view=powershellsdk-1.1.0#System_Management_Automation_PSCredential_GetNetworkCredential), which of course is a method of System.Management.Automation.PSCredential, is to break down your user name into separate Domain and UserName strings and hand you the credential password in clear text.

For network client access, PSCredential will not work without a valid password being provided. Of course, if you personally entered the information, you and only you can reverse it, not some remote person or service.

Think about it for a moment. Can you imagine the risk ramifications of being able to do this unabated?

Being able to just pull, dynamically, all the auth entropy of the current logged-on user would be an instant ESP (impersonation / escalation of privilege) problem. Password obfuscation, length and complexity would be meaningless with an approach like this. Think PtH (Pass-the-Hash-like attack) situations without ever needing to grab the hash.

Imagine firing off a remote session to any remote host (regardless of who is logged on to it), leveraging what you state here, thus impersonating the user (with all their rights and privileges) to do very nefarious things or even just mean things (changing their passwords, desktop settings, ADDS attributes, say if they are allowed to change their picture, phone number, maiden name, etc., all being recorded in the audit logs as if that user did it). You could log into their personal human resource files, passing the cred object to the HR website, etc. I am sure that is not your intent (at least I hope not), but still.

All that being said, if you are after user impersonation, then there are resources that present approaches on how to do this. Yet, as you look at the code to do it in the MS PowerShell Gallery, it's more involved than just what you are asking for, and even it expects you to pass it a real cred object, not a WI object.

Reaching out across a network requires a full identity, user and password. Every time you try to touch a resource you have not yet touched, or have not in a long while, your KDC (domain controller) will be engaged, and without full creds the KDC Kerb TGT will fail.

Update

As for shivesh suman's comment:

"Thanks. Regarding: 'Yet, as you look at the code to do it, it's more involved than just what you are asking for ...' - Would it be possible for you to point me to some of the code that you are referring to in your comment?"

Here is the code I was referring to.

Impersonate a User

New-ImpersonateUser uses the LogonUser method from the advapi32.dll to get a token that can then be used to call the WindowsIdentity.Impersonate method in order to impersonate another user without logging off from the current session. You can pass it either a PSCredential or each field separately. Once impersonation is done, it is highly recommended that Remove-ImpersonateUser (a function added to the global scope at runtime) be called to revert back to the original user.

https://gallery.technet.microsoft.com/scriptcenter/Impersonate-a-User-9bfeff82
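The following is an added example, not code from the question, the answer or the TechNet gallery script. It shows the three points the answer makes: what a WindowsIdentity actually carries (identity, SID, token, no password), that a PSCredential cannot be built without a password, that GetNetworkCredential() splits DOMAIN\user and returns the password in clear text, and how the LogonUser (advapi32) to WindowsIdentity.Impersonate route works. Assumptions: Windows PowerShell 5.1 on .NET Framework (WindowsIdentity.Impersonate is not available on PowerShell 7 / .NET Core), a constructed placeholder account CONTOSO\alice with a made-up password, and a hypothetical helper Invoke-AsCredential that stands in for the gallery's New-ImpersonateUser / Remove-ImpersonateUser pair.

```powershell
# Added example (not from the original post). Requires Windows PowerShell 5.1;
# WindowsIdentity.Impersonate() was removed from .NET Core.

# 1. The current identity: name, authentication type, SID, groups, token.
#    WindowsIdentity has no property whose name contains "pass"; the password
#    is simply not part of the object.
$wi = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$wi | Get-Member -MemberType Property | Where-Object Name -match 'pass'
"{0} (auth type {1}, SID {2})" -f $wi.Name, $wi.AuthenticationType, $wi.User.Value

# 2. A PSCredential cannot be built without a password. Only the person who
#    knows it can supply it; here it is a constructed placeholder, not a real account.
$plain  = 'P@ssw0rd-Example'                                  # constructed sample
$secure = ConvertTo-SecureString $plain -AsPlainText -Force
$cred   = [System.Management.Automation.PSCredential]::new('CONTOSO\alice', $secure)

# 3. GetNetworkCredential() breaks the user name into Domain / UserName and
#    hands the clear-text password to whoever holds the object.
$nc = $cred.GetNetworkCredential()
"Domain={0} User={1} PasswordLength={2}" -f $nc.Domain, $nc.UserName, $nc.Password.Length

# 4. The impersonation route the gallery script uses: LogonUser needs a real
#    password and returns a token; WindowsIdentity.Impersonate() wraps it.
Add-Type -Namespace Win32 -Name Advapi32 -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
    int logonType, int logonProvider, out IntPtr token);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

# Hypothetical helper (assumption, not the gallery's New-ImpersonateUser):
# runs a script block as the supplied credential and always reverts afterwards.
function Invoke-AsCredential {
    param(
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential,
        [Parameter(Mandatory)][scriptblock]$ScriptBlock
    )
    $LOGON32_LOGON_INTERACTIVE = 2   # use 9 (LOGON32_LOGON_NEW_CREDENTIALS) for network-only impersonation
    $LOGON32_PROVIDER_DEFAULT  = 0
    $n     = $Credential.GetNetworkCredential()
    $token = [IntPtr]::Zero
    if (-not [Win32.Advapi32]::LogonUser($n.UserName, $n.Domain, $n.Password,
            $LOGON32_LOGON_INTERACTIVE, $LOGON32_PROVIDER_DEFAULT, [ref]$token)) {
        # Wrong password, unknown account, etc. surfaces here as a Win32 error code.
        throw [System.ComponentModel.Win32Exception]::new(
            [System.Runtime.InteropServices.Marshal]::GetLastWin32Error())
    }
    $ctx = $null
    try {
        $ctx = [System.Security.Principal.WindowsIdentity]::Impersonate($token)
        & $ScriptBlock
    } finally {
        if ($ctx) { $ctx.Undo() }   # the Remove-ImpersonateUser equivalent: revert to the original user
        [void][Win32.Advapi32]::CloseHandle($token)
    }
}

# Usage (throws a Win32Exception unless CONTOSO\alice really exists with that password):
# Invoke-AsCredential -Credential $cred -ScriptBlock {
#     [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
# }
```

The point the example makes in code is the one the answer makes in prose: every step from PSCredential onward is driven by the clear-text password that GetNetworkCredential() hands back, and LogonUser fails outright without it, so there is nothing in a WindowsIdentity from which a PSCredential could be derived. The try/finally around Impersonate() matters operationally: if the script block throws and Undo() is skipped, the rest of the session keeps running as the impersonated user.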