pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License

Not supported CyberArk Login Scenario #245

Closed begunrom closed 4 years ago

begunrom commented 4 years ago

I was trying to log in using the latest psPAS version on CyberArk 11.2, but failed to do so.

The current setup requires Windows authentication to access the PVWA website. We are using pass-through authentication for this. Once authenticated you cannot change the login name any more in PVWA. It is fixed. Then we use RADIUS authentication with OTP to log in.

I can use the following to authenticate the PVWA:

```
Invoke-WebRequest -URI "https://pam.test.org/PasswordVault/api/Auth/Windows/Logon" -Method POST -UseDefaultCredentials
```

Result:

```
StatusCode        : 200
StatusDescription : OK
Content           : {"AdditionalInfo":"","UserName":"test"}
RawContent        : HTTP/1.1 200 OK
                    Pragma: no-cache
                    api-supported-versions: 11.0
                    Cache-Control: no-cache, no-store, must-revalidate
                    Content-Type: application/json; charset=utf-8
                    Expires: -1
                    Set-Cookie: CA22222=; p...
Forms             : {}
Headers           : {[Pragma, no-cache], [api-supported-versions, 11.0], [Cache-Control, no-cache, no-store, must-revalidate], [Content-Type, application/json; charset=utf-8]...}
Images            : {}
InputFields       : {}
Links             : {}
ParsedHtml        : mshtml.HTMLDocumentClass
RawContentLength  : 39
```

Then I tried:

```
New-PASSession -Credential $cred -BaseURI https://pam.test.org -type RADIUS -OTP 123456 -OTPMode Challenge
```

The error I get is:

```
VERBOSE: POST https://pam.test.org/PasswordVault/api/Auth/RADIUS/Logon with 0-byte payload
Invoke-PASRestMethod : [403] Authentication failure.
At C:\Users\test\temp\Powershell\CyberArkTest_radius.ps1:25 char:15
```

Can you help?

pspete commented 4 years ago

The module requires certain variables to be set in the module scope; your initial Invoke-WebRequest happens outside of the module scope, so will not affect any subsequent module commands.

Windows + RADIUS is not a logic flow present in the module, only Windows auth alone:

```
New-PASSession -UseDefaultCredentials -BaseURI $url
```

pspete commented 4 years ago

Now supported & available in psPAS 3.5 - from the master branch, GitHub release & PowerShell Gallery.

```
.EXAMPLE
New-PASSession -Credential $cred -BaseURI https://PVWA -type Windows -OTP 123456 -OTPMode Challenge

Perform initial Windows authentication and respond to secondary RADIUS challenge

.EXAMPLE
New-PASSession -Credential $cred -BaseURI https://PVWA -type Windows -OTP passcode -OTPMode Challenge

Perform initial authentication and then get prompted to supply OTP value for RADIUS challenge.
```