pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License

Unable to pass local password to New-PASSession as SecureString #444

Closed sudipto-roychoudhury closed 1 year ago

sudipto-roychoudhury commented 1 year ago

Describe the issue
Trying to authenticate using New-PASSession using local CyberArk creds passed as a PSCredential object fails.

To Reproduce
Steps to reproduce the behavior: Using the code below:

$secpasswd = ConvertTo-SecureString $CybLocalpass -AsPlainText -Force
$psPASCreds = New-Object System.Management.Automation.PSCredential($CybLocaluser,$secpasswd)
New-PASSession -Credential $psPASCreds -BaseURI "https://pvwa"

The local password is retrieved using CyberArk's CLIPasswordSDK.exe whose output is stored in the variable $CybLocalpass so that password is not stored in plaintext in the script. I have verified that this output is the correct password which works when passed as a $PSCredential object using "Read-Host -AsSecureString". I need this to be working non-interactively and hence the above code.

Expected behavior
A successful login via psPAS verified by Get-PASLoggedOnUser

Screenshots & Console Output


Invoke-PASRestMethod : [500] CASW062E Input parameter for [Password] value is invalid
At line:451 char:19
+                 $PASSession = Invoke-PASRestMethod @LogonRequest
+                               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: ({"ErrorCode":"C...ue is invalid"}:ErrorRecord) [Invoke-PASRestMethod], Exception
    + FullyQualifiedErrorId : CAWS00001E,Invoke-PASRestMethod

Your Environment Include relevant details about your environment

Additional context
I am trying to set up a Windows Sch Task which will run a PowerShell script to query all CyberArk accounts using the psPAS module, and for this I am using a local CyberArk credential with Vault Admin permissions. Hence this needs to work non-interactively.

pspete commented 1 year ago

Get-AIMCredential from our CredentialRetriever module has a ToCredential() method available to convert CLIPasswordSDK.exe output into the expected format.

sudipto-roychoudhury commented 1 year ago

Wow! Great! Just tried this out (CredentialRetriever's ToCredential() method) and it works like a charm.

Set-AIMConfiguration -ClientPath "C:\Program Files (x86)\CyberArk\ApplicationPasswordSdk\CLIPasswordSDK.exe"
$CPCredential = Get-AIMCredential -AppID blah -Safe ASafe -UserName imp_usr -RequiredProps Username,Address
$CPCredentialObj = $CPCredential.ToCredential()
New-PASSession -Credential $CPCredentialObj -BaseURI "https://pvwa"
Get-PASLoggedOnUser
Get-PASAccount -id XXXX

Thanks @pspete
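
Added example, not code from this thread or from psPAS/CredentialRetriever: a hypothetical helper, `ConvertTo-CheckedCredential`, for cases where a secret captured from a native command has to be turned into a PSCredential by hand. The thread does not state why the hand-built credential was rejected; the helper assumes the captured output may not be a single clean string (extra lines, padding, control characters) and checks its shape without ever writing the value. The sample input is constructed.

```powershell
# Hypothetical helper (added example): validate captured native-command output,
# then build a PSCredential from it without logging the secret.
function ConvertTo-CheckedCredential {
    [CmdletBinding()]
    [OutputType([System.Management.Automation.PSCredential])]
    param(
        [Parameter(Mandatory)][string]$UserName,
        # Raw value as captured, e.g. $raw = & $exe <arguments>
        [object[]]$RawOutput
    )

    # PowerShell captures native output as one string per line; drop blank lines.
    $lines = @($RawOutput | ForEach-Object { "$_" } |
        Where-Object { $_.Trim().Length -gt 0 })
    if ($lines.Count -ne 1) {
        throw "Expected exactly one non-empty line of output, got $($lines.Count)."
    }
    $value = $lines[0]

    # Report shape problems only; never echo the value itself.
    if ($value -ne $value.Trim()) {
        Write-Warning 'Captured value had leading/trailing whitespace; trimming.'
        $value = $value.Trim()
    }
    if ($value -match '[\x00-\x1F\x7F\uFEFF]') {
        throw 'Captured value contains control characters or a byte-order mark.'
    }

    # Build the SecureString character by character, then make it read-only.
    $secure = [System.Security.SecureString]::new()
    foreach ($ch in $value.ToCharArray()) { $secure.AppendChar($ch) }
    $secure.MakeReadOnly()

    [System.Management.Automation.PSCredential]::new($UserName, $secure)
}

# Constructed sample: simulates captured output with padding and a trailing blank line.
$sample = @('  Constructed-Example-Value ', '')
$cred = ConvertTo-CheckedCredential -UserName 'example_user' -RawOutput $sample
$cred.GetNetworkCredential().Password.Length   # inspect the length only, never the value
```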