pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License

Error running commands after authenticating #43

Closed mwjcomputing closed 6 years ago

mwjcomputing commented 6 years ago

I am trying to use psPAS and am having a hard time getting it to function. For example, if I ran the following command I get the error below.

$Session = New-PASSession -credential $(Get-Credential) -baseURI https://cyberarkurl
$Session | Get-PasSafe

Error: Invoke-PASRestMethod : Unable to cast object of type 'System.Management.Automation.PSObject' to type 'System.String'.

This happens when trying to run any command. Below is my $PSVersionTable.

Name                           Value
PSVersion                      3.0
WSManStackVersion              3.0
SerializationVersion           1.1.0.1
CLRVersion                     4.0.30319.42000
BuildVersion                   6.2.9200.22198
PSCompatibleVersions           {1.0, 2.0, 3.0}
PSRemotingProtocolVersion      2.2

Thoughts?

pspete commented 6 years ago

Hi @mwjcomputing - I have not seen this come up (until now). The commands look good, which makes me think an error object is perhaps causing an issue in the function that calls the web service - just a guess at this point. I run PowerShell version 5.1, so cannot test in 3.0 (but I am not aware of any script features which are not supported in v3).

Can you run:

$VerbosePreference = "Continue"; $DebugPreference="Continue"

Then run your commands again - if you can share the verbose/debug output, it may shed some more light on what is happening.

Also - the version of CyberArk will inform which commands from the module can be run - Get-PASSafe is only available from 9.7 onwards

mwjcomputing commented 6 years ago

Here is the information with information specific to my environment changed as I am posting on the internet.

PS C:\Users\user> $session = New-PASSession -Credential $(Get-Credential) -BaseURI 'https://cyberarkurl'

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
DEBUG: Function: Get-PASParameter
DEBUG: Removing Parameter: Debug
DEBUG: Removing Parameter: ErrorAction
DEBUG: Removing Parameter: ErrorVariable
DEBUG: Removing Parameter: OutVariable
DEBUG: Removing Parameter: OutBuffer
DEBUG: Removing Parameter: PipelineVariable
DEBUG: Removing Parameter: Verbose
DEBUG: Removing Parameter: WarningAction
DEBUG: Removing Parameter: WarningVariable
DEBUG: Removing Parameter: WhatIf
DEBUG: Removing Parameter: Confirm
DEBUG: Removing Parameter: sessionToken
DEBUG: Removing Parameter: BaseURI
DEBUG: Removing Parameter: AccountID
DEBUG: Removing Parameter: SessionVariable
DEBUG: Removing Parameter: WebSession
DEBUG: Removing Parameter: PVWAAppName
DEBUG: Removing Parameter: Credential
DEBUG: Function: Invoke-PASRestMethod
DEBUG: Security Protocol: Tls12
DEBUG: [URI, https://cyberarkurl/PasswordVault/WebServices/auth/Cyberark/CyberArkAuthenticationService.svc/Logon] [Method, POST] [Body, { "username": "username", "password": "password" }] [SessionVariable, PASSession] [ContentType, application/json]
VERBOSE: POST https://cyberarkurl/PasswordVault/WebServices/auth/Cyberark/CyberArkAuthenticationService.svc/Logon with 73-byte payload
VERBOSE: received 503-byte response of content type application/json; charset=utf-8
DEBUG: Status code: 200
VERBOSE: SessionVariable Passed; Processing WebSession

PS C:\Users\user> $session | Get-PASSafe
DEBUG: Function: Invoke-PASRestMethod
DEBUG: Security Protocol: Tls12
DEBUG: [URI, https://cyberarkurl/PasswordVault/WebServices/PIMServices.svc/Safes] [Method, GET] [Headers, System.Collections.Hashtable] [WebSession, Microsoft.PowerShell.Commands.WebRequestSession] [ContentType, application/json]
DEBUG: Unable to cast object of type 'System.Management.Automation.PSObject' to type 'System.String'.
DEBUG: Status code:
Invoke-PASRestMethod : Unable to cast object of type 'System.Management.Automation.PSObject' to type 'System.String'.
At C:\Users\user\Documents\WindowsPowerShell\Modules\pspas\Functions\Safes\Get-PASSafe.ps1:148 char:13

pspete commented 6 years ago

Thanks for that @mwjcomputing

I can see the 'New-PASSession' call gets a status code of 200 from the CyberArk Web Service, but whatever response is coming back from the 'Get-PASSafe' call is causing an exception that lands the script in a catch block.....

I am trying to somehow replicate the behavior here (no luck yet). I may be able to provide an edited 'Invoke-PASRestMethod' function that may get further towards understanding the failure.

pspete commented 6 years ago

this may help....

Using your existing $session variable, the actual command being run when Get-PASSafe is executed is:

Invoke-WebRequest -uri https://cyberarkurl/PasswordVault/WebServices/PIMServices.svc/Safes `
-method GET -headers $($session.sessionToken) -websession $($session.WebSession) -ErrorAction Stop

can you run that and see if it succeeds?

I get the following:


StatusCode        : 200
StatusDescription : OK
Content           : {"GetSafesResult":[{"ManagingCPM":"PasswordManager","NumberOfDaysRetention":null,"NumberOfVersionsRetention":25,"OLACEnabled":false,"SafeName":"AccountsFeedADAccounts"}...
RawContent        : HTTP/1.1 200 OK
                    Pragma: no-cache
                    Content-Length: 3168
                    Cache-Control: no-cache, no-store, must-revalidate
                    Content-Type: application/json; charset=utf-8
                    Expires: -1
                    Set-Cookie: CA22222=; path=/Pas...
Forms             : {}
Headers           : {[Pragma, no-cache], [Content-Length, 3168], [Cache-Control, no-cache, no-store, must-revalidate], [Content-Type, application/json; charset=utf-8]...}
Images            : {}
InputFields       : {}
Links             : {}
ParsedHtml        : mshtml.HTMLDocumentClass
RawContentLength  : 3168

mwjcomputing commented 6 years ago

I get the following.

Invoke-WebRequest : Unable to cast object of type 'System.Management.Automation.PSObject' to type 'System.String'. At line:1 char:1

I am trying to get a system with WMF 5.1 installed to see if it is a 3.0 issue while you look at this.

mwjcomputing commented 6 years ago

Running on WMF 5.1 seems to have resolved the issues. Can't get it to work on any WMF3 systems.

pspete commented 6 years ago

I am almost certain there is nothing in the module not supported on WMF3.

Thanks for the report regardless, I'll see if the minimum version requirements for the module need to be changed. Glad you have it working.

mwjcomputing commented 6 years ago

Yeah. I was looking through your code and completely agree. It might be internal systems.

mattmcnabb commented 6 years ago

@pspete @mwjcomputing I remember that there were some changes to the webrequest cmdlets from v3.0 to v4.0, but these things are hard to track down. I'm inclined to believe this might be a problem with the way the SessionToken hashtable is constructed. Maybe try using an explicit string for the Authorization value instead of Select -expandproperty

pspete commented 6 years ago

Will give this a go @mattmcnabb - thanks for the suggestion.

pspete commented 6 years ago

@mwjcomputing - if you are able, can you see if New-PASSession.ps1 from the issue-43 branch causes the same error on WMF3?

mwjcomputing commented 6 years ago

@pspete That works on WMF3. Just was able to pull a list of safes.

pspete commented 6 years ago

Thanks for testing & confirming @mwjcomputing. Kudos @mattmcnabb - spot on with the resolution.

Will get this merged to Master
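
The resolution discussed in this thread (an explicit string for the Authorization value rather than a value expanded through the pipeline), as an added example that is not psPAS code. The helper name `ConvertTo-PlainHeaderTable`, the response property `CyberArkLogonResult` and the token value are assumptions made for illustration.

```powershell
# Constructed sample standing in for a parsed logon response; the property
# name and token value are assumptions, not taken from the thread.
$logon = '{"CyberArkLogonResult":"CONSTRUCTED-SAMPLE-TOKEN"}' | ConvertFrom-Json

# Pattern the thread suspected: the value comes out of the pipeline and can
# stay wrapped in a PSObject, which the web cmdlets on 3.0 failed to cast.
$wrapped = @{ Authorization = $logon | Select-Object -ExpandProperty CyberArkLogonResult }

function ConvertTo-PlainHeaderTable {
    # Hypothetical helper: returns a copy whose values are plain System.String.
    param([Parameter(Mandatory = $true)][hashtable]$Headers)

    $plain = @{}
    foreach ($name in $Headers.Keys) {
        $value = $Headers[$name]
        if ($null -eq $value) { throw "Header '$name' has no value." }
        # Unwrap any PSObject, then refuse anything that is not a scalar so a
        # collection is never silently sent as 'System.Object[]'.
        $base = $value.PSObject.BaseObject
        if ($base -isnot [string] -and $base -isnot [ValueType]) {
            throw "Header '$name' is $($base.GetType().FullName), expected a string."
        }
        $plain[[string]$name] = [string]$base
    }
    $plain
}

$headers = ConvertTo-PlainHeaderTable -Headers $wrapped

# Report types only; the token itself is never written to the console or a log.
foreach ($name in $headers.Keys) {
    '{0} -> {1}' -f $name, $headers[$name].GetType().FullName
}
```

The resulting `$headers` table is what would be passed to `-Headers` on `Invoke-WebRequest`; error messages from the helper name the header and its type, never its value.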