cyberark / epv-api-scripts

These API scripts enable CyberArk users to automate privileged account management tasks like account creation, user management, and more.
https://www.cyberark.com/best
Apache License 2.0

AOU - OTP Property Assignment Exception #242

Closed pgnhdcrt closed 1 year ago

pgnhdcrt commented 2 years ago

Summary

When attempting to perform RADIUS authentication using an OTP, Accounts_Onboard_Utility.ps1 fails at line 1047 (in Function Get-LogonHeader) when attempting to modify hash value $logonBody.Password, but $logonBody was converted to a scalar back at line 1042...

Suggested solution is to remove the ConvertTo-Json calls at 1042 and 1044, then add it as part of Invoke-Rest at line 1052:

    If ($concurrentSession) {
        $logonBody = @{ username=$Credentials.username.Replace('\','');password=$Credentials.GetNetworkCredential().password;concurrentSession="true" } # | ConvertTo-Json -Compress
    } else {
        $logonBody = @{ username=$Credentials.username.Replace('\','');password=$Credentials.GetNetworkCredential().password } # | ConvertTo-Json -Compress
    }
    If (![string]::IsNullOrEmpty($RadiusOTP)) {
        $logonBody.Password += ",$RadiusOTP"
    }

    try {
        # Logon - serialize the body only when it is sent
        $logonToken = Invoke-Rest -Command Post -Uri $URL_Logon -Body ($logonBody | ConvertTo-Json -Compress)

Steps to Reproduce

  1. Call the script with -AuthType radius -OTP xxx
  2. See the error

Expected Results

OTP value is properly appended to the Password property, script continues.

Actual Results

The property 'Password' cannot be found on this object. Verify that the property exists 
and can be set.
At C:\TEMP\CyArk\Accounts_Onboard_Utility.ps1:1047 char:3
+         $logonBody.Password += ",$RadiusOTP"
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : PropertyAssignmentException

Reproducible

Version/Tag number

Script date 2022-MAR-09
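A stand-alone PowerShell illustration of the ordering bug and the suggested fix, added here and not taken from the repository's script; the credential and OTP values are constructed test data, and New-LogonBody is a hypothetical helper name.

```powershell
# Added example (not from epv-api-scripts): serialising the logon body with
# ConvertTo-Json before the OTP is appended turns it into a string, so the
# later $logonBody.Password assignment fails. Build the hashtable completely,
# then serialise once at send time.

function New-LogonBody {
    param(
        [Parameter(Mandatory)][pscredential]$Credentials,
        [string]$RadiusOTP,
        [switch]$ConcurrentSession
    )
    # Keep the body as a hashtable until every field is final.
    $body = [ordered]@{
        username = $Credentials.UserName.Replace('\', '')
        password = $Credentials.GetNetworkCredential().Password
    }
    if ($ConcurrentSession) { $body.concurrentSession = 'true' }

    if (-not [string]::IsNullOrEmpty($RadiusOTP)) {
        # "password,OTP" is the RADIUS challenge format the script sends.
        $body.password += ",$RadiusOTP"
    }
    # Serialise only once, at the point the request is built.
    return ($body | ConvertTo-Json -Compress)
}

# Constructed test credential; never hard-code real secrets in scripts.
$secret = ConvertTo-SecureString 'P@ss' -AsPlainText -Force
$cred   = [pscredential]::new('DOMAIN\alice', $secret)

# Broken order: serialise first, then try to set a property on the string.
$broken = @{ username = 'alice'; password = 'P@ss' } | ConvertTo-Json -Compress
try {
    $broken.Password += ',123456'
} catch {
    Write-Host "Broken order fails with: $($_.FullyQualifiedErrorId)"
}

# Fixed order: the hashtable is mutated, then serialised.
$fixed = New-LogonBody -Credentials $cred -RadiusOTP '123456' -ConcurrentSession
Write-Host "Fixed order produces: $fixed"
```

The catch block reports the same PropertyAssignmentException shown in the issue, while the fixed body carries the OTP inside the password field without changing how the script serialises it.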

bab29 commented 2 years ago

Does this occur when an account only uses OTP and no password? If only OTP is in use, the OTP token should be passed as the password. Can you confirm if this flow works?

Ross-Y commented 2 years ago

@bab29 I have reported the same issue; I just realized mine is a duplicate. I tried searching, but I do not often work with GitHub, so my apologies for this.

OTP alone should not work, as in that case the password will be empty and the resulting OTP string will be ",123456", which shouldn't work as it contains a comma.