Closed chasem12345 closed 3 years ago
Couple additional notes: API User has no MFA, and site uses HTTPS. It will return the last command's output, but it will not run new commands.
Same issue here, missing the "x-anti-forgery-token:" in the header.
https://server.screenconnect.com/Services/PageService.ashx/AddEventToSessions
{ "authorization": "Basic *****************/", "content-type": "application/json; charset=utf-8", "origin": "https://server.screenconnect.com/" }
VERBOSE: POST https://server.screenconnect.com/Services/PageService.ashx/AddEventToSessions with -1-byte payload
Invoke-CWCWebRequest : An exception has been thrown. --> The remote server returned an error: (403) Forbidden. An error has been thrown. --> --> {"errorType":"UnauthorizedAccessException","message":"Invalid anti-forgery token","detail":null}
I found a fix:

# GET the login page with the existing Basic-auth headers; the page embeds the anti-forgery token in its JSON bootstrap data
$loginResponse = Invoke-WebRequest -Method GET -Uri "https://$SERVER.screenconnect.com" -Headers $Headers -UseBasicParsing
# regex == (?<=antiForgeryToken":")(.*)(?=","isUserAdministrator)
$Regex = [Regex]::new('(?<=antiForgeryToken":")(.*)(?=","isUserAdministrator)')
$Match = $Regex.Match($loginResponse.Content)
If ($Match.Success) {
    Write-Host "antiForgeryToken found" -ForegroundColor Yellow
    $antiForgeryToken = $Match.Value.ToString()
    $antiForgeryToken
}

Then use the antiForgeryToken in the Headers for AddEventToSessions:

# double quotes so $SERVER is expanded (single quotes would send the literal text "$SERVER")
$URI = "https://$SERVER.screenconnect.com/Services/PageService.ashx/AddEventToSessions"
$Headers = @{
    'authorization'        = "Basic $encodedCredentials"
    'content-type'         = "application/json; charset=utf-8"
    'origin'               = "https://$Server"
    'x-anti-forgery-token' = $antiForgeryToken
}

I'm new to GitHub, so not sure how to contribute/add this code.
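The workaround above, as an added example that is neither the thread's code nor part of the CWCPowerShell module: the token fetch is wrapped in a function, the regex stops at the next quote instead of depending on the `isUserAdministrator` key that follows, and a missing token throws instead of silently sending an unauthenticated POST. `$Server` (full hostname), `$Credential`, `$Body` and both function names are assumptions.

```powershell
# Added example (not from the CWCPowerShell module or the thread).
# Assumes $Server is the full hostname of the Control instance
# (e.g. server.screenconnect.com) and $Credential is the API user's
# PSCredential; both names are hypothetical.

function Get-CWCAntiForgeryToken {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][hashtable]$Headers
    )
    # Load the login page with the same Basic auth the API requests use;
    # the page embeds the anti-forgery token in its JSON bootstrap data.
    $response = Invoke-WebRequest -Method GET -Uri "https://$Server" -Headers $Headers -UseBasicParsing

    # Match only up to the next double quote, so the key that happens to
    # follow the token in the page does not matter.
    $match = [regex]::Match($response.Content, '(?<=antiForgeryToken":")[^"]*')
    if (-not $match.Success) {
        throw "antiForgeryToken not found in the login page from https://$Server; check the host/origin the server sees (reverse proxy name mismatch)."
    }
    return $match.Value
}

function New-CWCHeaders {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # Basic auth value is base64("user:password")
    $pair    = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
    $encoded = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))

    $headers = @{
        'authorization' = "Basic $encoded"
        'content-type'  = 'application/json; charset=utf-8'
        'origin'        = "https://$Server"
    }
    # The token request itself needs the authorization header, so it is
    # fetched only after the base headers exist.
    $headers['x-anti-forgery-token'] = Get-CWCAntiForgeryToken -Server $Server -Headers $headers
    return $headers
}

# Usage (hypothetical values; $Body is whatever JSON the call expects):
# $Credential = Get-Credential
# $Headers    = New-CWCHeaders -Server 'server.screenconnect.com' -Credential $Credential
# Invoke-WebRequest -Method POST -Uri "https://server.screenconnect.com/Services/PageService.ashx/AddEventToSessions" -Headers $Headers -Body $Body -UseBasicParsing
```

If the token is absent from the login page the function fails loudly, which is the useful signal when, as later comments in this thread note, the server is behind a reverse proxy and the origin it sees does not match the hostname the client uses.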
I am sorry but I can't reproduce this issue. I have tested on-prem and hosted. Control Version: 21.8.3663.7830 Module Version: 0.1.4.0
Hi Chris
I am using the same version. ScreenConnect_21.8.3663.7830_Release Only difference I can think of is I have SSO enabled (SAML) to Microsoft365. Although the account I am using for the API/Powershell is Internal Source and no MFA. Also using the "Security Toolkit" Version: 1.2.2 -- not sure if this is adding the x-anti-forgery-token
I have the same. The origin header should satisfy the 'x-anti-forgery-token' requirement. Do you have your server behind a reverse proxy or something where there might be a name mismatch? https://docs.connectwise.com/ConnectWise_Control_Documentation/Developers/External_API_calls_to_ConnectWise_Control
That's most likely it. We are using a reverse proxy.
Any idea what I need to stick into nginx to get it working without the workaround @jazzbanzai noted?
Should be resolved in version 0.2.0.0 bd2a363ff92f7811f6a85b369b495825d1faf95d
Thanks Chris. I'm using the cloud version, so not sure if it's set up behind a reverse proxy. Anyway, glad it's fixed.
Other commands seem to be working fine. When running:
Invoke-CWCCommand -Group "All Sessions" -GUID 'GUID-HERE' -Command 'ipconfig'
I get the following: