pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License

O365 and Duo MFA, 403 Errors #421

Closed audioeptesicus closed 2 years ago

audioeptesicus commented 2 years ago

Describe the issue Cyberark, PAM v12.6.0.42, O365 authentication with Duo for MFA. Receiving 403 authentication failures.

To Reproduce See console output below.

Expected behavior Authenticate without error

Screenshots & Console Output


```powershell
PS C:\Windows\system32> New-PASSession -Credential $cred -BaseURI "https://companyname.privilegecloud.cyberark.com" -type LDAP
Invoke-PASRestMethod : [403] Authentication failure. Please contact your Administrator.
At line:445 char:19
+                 $PASSession = Invoke-PASRestMethod @LogonRequest
+                               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: ({"ErrorCode":"P...dministrator."}:ErrorRecord) [Invoke-PASRestMethod], Exception
    + FullyQualifiedErrorId : PASWS035E,Invoke-PASRestMethod

PS C:\Windows\system32> New-PASSession -Credential $cred -BaseURI "https://companyname.privilegecloud.cyberark.com" -type LDAP -OTP push -OTPMode Append
Invoke-PASRestMethod : [403] Authentication failure. Please contact your Administrator.
At line:445 char:19
+                 $PASSession = Invoke-PASRestMethod @LogonRequest
+                               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: ({"ErrorCode":"P...dministrator."}:ErrorRecord) [Invoke-PASRestMethod], Exception
    + FullyQualifiedErrorId : PASWS035E,Invoke-PASRestMethod
```

Your Environment Include relevant details about your environment

pspete commented 2 years ago

Was it working previously? Is it working normally via the UI? Have you tried RADIUS type like EXAMPLE 11? Do you get an MFA prompt in the console when trying EXAMPLE 9?

audioeptesicus commented 2 years ago

> Was it working previously? Is it working normally via the UI? Have you tried RADIUS type like EXAMPLE 11? Do you get an MFA prompt in the console when trying EXAMPLE 9?

It was not working previously, and I am able to login to PAM without issues through their web UI. RADIUS types also fail (403), and no MFA prompt from example 9.

pspete commented 2 years ago

Unfortunately, this project doesn't have a Privilege Cloud environment available for any investigation. Hopefully another module user has some insight which may benefit you. What is the authentication option you choose when logging into the UI? What is the underlying authentication method used for the "O365 authentication" you mention?

audioeptesicus commented 2 years ago

Thanks. The option on the login page is Duo, and it is the one that automatically logs the user in. The page is there for a second before it just redirects to Duo authentication, which first brings you to the login.microsoftonline.com login page to log in with the user's O365/AzureAD credentials. There, Duo prompts the user for MFA, then it's authenticated and logged in to the console.

The config method for PAM/Duo is SSO/SAML.

Edit: Also following Example 8, it fails to get a SAMLResponse.

```powershell
PS C:\Windows\system32> new-passession -baseuri $url -SAMLAuth
Failed to get SAMLResponse
At line:51 char:11
+         Catch { Throw 'Failed to get SAMLResponse' }
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Failed to get SAMLResponse:String) [], RuntimeException
    + FullyQualifiedErrorId : Failed to get SAMLResponse
```

pspete commented 2 years ago

In short, for the SAML authentication flow, where SSO via IWA isn't possible via the module, you will need to provide the SAMLResponse from your IdP as detailed in EXAMPLE 20 or 21.
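
What that path looks like in practice, as an added example that is not psPAS project code and not from either participant: with a browser-redirect IdP (Azure AD plus Duo, as above) the module cannot drive the login itself, so you capture the `SAMLResponse` form field of the HTTP-POST the IdP sends back to the PVWA once Duo completes (browser developer tools, network tab), sanity-check it locally, and only then hand it to `New-PASSession -SAMLResponse`. The helper name `Test-SAMLResponseForPVWA`, the `Destination` path, the Azure AD issuer, the user name and the whole sample response below are constructed assumptions; the checks it performs (success status, response addressed to your PVWA, a signature present, validity window not yet expired) are generic SAML 2.0 checks, and the signature itself is left for the vault to verify against the IdP certificate.

```powershell
# Added example, not psPAS project code. Assumes psPAS is installed and that $SAMLResponse
# holds the base64 SAMLResponse the IdP posted back to the PVWA after an interactive login.
# Helper name, Destination path, issuer, user and the sample response are constructed.

function Test-SAMLResponseForPVWA {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)][string]$SAMLResponse,   # base64 samlp:Response, as POSTed by the IdP
        [Parameter(Mandatory)][string]$BaseURI,        # the PVWA the assertion must be addressed to
        [int]$ClockSkewSeconds = 120                   # tolerance for IdP/client clock drift
    )

    # The form value is base64-encoded XML; copying the wrong field or a truncated value fails here
    try { $xmlText = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SAMLResponse)) }
    catch { throw "SAMLResponse is not valid base64: $($_.Exception.Message)" }
    try { $doc = [xml]$xmlText }
    catch { throw "SAMLResponse does not decode to XML: $($_.Exception.Message)" }

    $ns = New-Object Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',    'http://www.w3.org/2000/09/xmldsig#')

    # Must be a SAML 2.0 Response; an AuthnRequest (SAMLRequest) is a common mis-capture
    $response = $doc.SelectSingleNode('/samlp:Response', $ns)
    if (-not $response) { throw 'Decoded XML is not a samlp:Response; the captured value is not an IdP response' }

    $statusNode = $response.SelectSingleNode('samlp:Status/samlp:StatusCode', $ns)
    $status = if ($statusNode) { $statusNode.GetAttribute('Value') } else { '' }
    if ($status -ne 'urn:oasis:names:tc:SAML:2.0:status:Success') { throw "IdP returned status '$status', not Success" }

    # The IdP addresses the response to one service provider; a response minted for another
    # application or another PVWA is rejected by a conformant SP even though it is well-formed
    $destination = $response.GetAttribute('Destination')
    $base = $BaseURI.TrimEnd('/')
    if (-not $destination.StartsWith("$base/", [StringComparison]::OrdinalIgnoreCase)) {
        throw "Response Destination '$destination' is not under '$base'"
    }

    # The vault verifies the XML signature against the IdP certificate; here we only confirm one exists
    if (-not $doc.SelectSingleNode('//ds:Signature', $ns)) { throw 'Response carries no ds:Signature' }

    $assertion = $response.SelectSingleNode('saml:Assertion', $ns)
    if (-not $assertion) {
        if ($response.SelectSingleNode('saml:EncryptedAssertion', $ns)) {
            Write-Warning 'Assertion is encrypted for the SP; validity window cannot be checked client-side'
            return [pscustomobject]@{ Issuer = $response.SelectSingleNode('saml:Issuer', $ns).InnerText; Subject = $null; NotOnOrAfter = $null }
        }
        throw 'Response contains no saml:Assertion'
    }

    # Assertions are short-lived and single-use: a response captured minutes ago is already dead,
    # and re-posting it gives a generic authentication failure rather than a useful message
    $cond  = $assertion.SelectSingleNode('saml:Conditions', $ns)
    $now   = [DateTime]::UtcNow
    $parse = { param($s) [DateTime]::Parse($s, [Globalization.CultureInfo]::InvariantCulture, [Globalization.DateTimeStyles]::AdjustToUniversal) }
    $notBefore    = if ($cond -and $cond.GetAttribute('NotBefore'))    { & $parse $cond.GetAttribute('NotBefore') }
    $notOnOrAfter = if ($cond -and $cond.GetAttribute('NotOnOrAfter')) { & $parse $cond.GetAttribute('NotOnOrAfter') }
    if ($notBefore -and $now.AddSeconds($ClockSkewSeconds) -lt $notBefore)      { throw "Assertion not valid before $notBefore UTC; check clock skew" }
    if ($notOnOrAfter -and $now.AddSeconds(-$ClockSkewSeconds) -ge $notOnOrAfter) { throw "Assertion expired at $notOnOrAfter UTC; capture a fresh response" }

    [pscustomobject]@{
        Issuer       = $assertion.SelectSingleNode('saml:Issuer', $ns).InnerText
        Subject      = $assertion.SelectSingleNode('saml:Subject/saml:NameID', $ns).InnerText
        NotOnOrAfter = $notOnOrAfter
    }
}

# --- constructed sample standing in for a captured response; a real one comes from the browser POST ---
$BaseURI = 'https://companyname.privilegecloud.cyberark.com'
$t = [DateTime]::UtcNow
$sampleXml = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_r1" Version="2.0" IssueInstant="$($t.ToString('o'))" Destination="$BaseURI/PasswordVault/api/auth/SAML/Logon">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="$($t.ToString('o'))">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>user@companyname.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="$($t.AddMinutes(-1).ToString('o'))" NotOnOrAfter="$($t.AddMinutes(5).ToString('o'))"/>
  </saml:Assertion>
</samlp:Response>
"@
$SAMLResponse = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleXml))

$check = Test-SAMLResponseForPVWA -SAMLResponse $SAMLResponse -BaseURI $BaseURI
"Assertion for $($check.Subject) from $($check.Issuer), valid until $($check.NotOnOrAfter) UTC"

# Only after the checks pass, hand the real captured value to the module (needs network access to the PVWA):
# New-PASSession -BaseURI $BaseURI -SAMLResponse $SAMLResponse
```

The check deliberately stops short of signature verification: the vault holds the IdP certificate and is the party that must validate it, so a client-side pass proves only that you captured the right artifact, for the right PVWA, while it is still alive. Because the assertion is single-use, capture it from a login you have not yet completed in the browser tab, or the vault will have consumed it before `New-PASSession` posts it.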

pspete commented 2 years ago

Closing as no updates to module code identified as required. Provided detail of SAMLResponse parameter value required for auth.