pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License

Get-PASSafeMember returns 500 Internal Server Error #447

Closed jbalcorn closed 1 year ago

jbalcorn commented 1 year ago

Describe the issue
Calling Get-PASSafeMembers (Or Add-PASSafeMembers) results in 500 Internal Server error

To Reproduce
Steps to reproduce the behavior:

  1. New-PasSession
  2. Call Get-PASSafeMember -safename "$safe" -UseGen1API

Expected behavior
Return Safe members

Screenshots & Console Output


PS C:\Users\username> get-passafemember -safename "$safe"  -UseGen1API
Invoke-WebRequest : The remote server returned an error: (500) Internal Server Error.
At line:216 char:19
+ ... $APIResponse = Invoke-WebRequest @PSBoundParameters -ErrorAction Stop
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

Your Environment
Include relevant details about your environment

Additional context
I've been successfully using -PASAccount cmdlets and many others, this is the first time I've tried to work with the -PasSafeMember cmdlets.

I haven't been able to find the web logs that contain the 500 error to get any more information. I've been searching the logs in c:\windows\temp\PVWA but none contain the call to WebServices/PIMServices.svc/Safes as far as I can tell.

I put some debugging code in the module and the call appears to be correct. This is from a call to Add-PasSafeMember:

URI: https://nasa54ms.firm.jonesday.net/PasswordVault/WebServices/PIMServices.svc/Safes/VAULT%20NAME/Members
BODY: {
    "member":  {
                   "MemberName":  "username",
                   "SearchIn":  "Vault",
                   "Permissions":  [
                                       {
                                           "Key":  "UseAccounts",
                                           "Value":  true
                                       },
                                       {
                                           "Key":  "RetrieveAccounts",
                                           "Value":  true
                                       },
                                       {
                                           "Key":  "ListAccounts",
                                           "Value":  true
                                       },
                                       {
                                           "Key":  "ViewAuditLog",
                                           "Value":  true
                                       },
                                       {
                                           "Key":  "ViewSafeMembers",
                                           "Value":  true
                                       }
                                   ]
               }
}

jbalcorn commented 1 year ago

I was able to find the error in the WebApplication.log

[24/02/2023 | 16:38:16.152763] | {pid= 7144} | {tid= 3980} | :: | EPVDL005E Application Error! Page=[https://<hostname>/PasswordVault/WebServices/PIMServices.svc/Safes/P-SEC-Testing/Members] Error=[Could not find a base address that matches scheme http for the endpoint with binding WebHttpBinding. Registered base address schemes are [https].] Stack Trace=[ at System.ServiceModel.ServiceHostBase.MakeAbsoluteUri(Uri relativeOrAbsoluteUri, Binding binding, UriSchemeKeyedCollection baseAddresses) at System.ServiceModel.Description.ConfigLoader.LoadServiceDescription(ServiceHostBase host, ServiceDescription description, ServiceElement serviceElement, Action 1 addBaseAddress, Boolean skipHost) at System.ServiceModel.ServiceHostBase.LoadConfigurationSectionInternal(ConfigLoader configLoader, ServiceDescription description, ServiceElement serviceSection) at System.ServiceModel.ServiceHostBase.ApplyConfiguration() at System.ServiceModel.ServiceHostBase.InitializeDescription(UriSchemeKeyedCollection baseAddresses) at System.ServiceModel.ServiceHost..ctor(Type serviceType, Uri[] baseAddresses) at System.ServiceModel.Activation.ServiceHostFactory.CreateServiceHost(Type serviceType, Uri[] baseAddresses) at System.ServiceModel.ServiceHostingEnvironment.HostingManager.CreateService(String normalizedVirtualPath, EventTraceActivity eventTraceActivity) at System.ServiceModel.ServiceHostingEnvironment.HostingManager.ActivateService(ServiceActivationInfo serviceActivationInfo, EventTraceActivity eventTraceActivity) at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath, EventTraceActivity eventTraceActivity)]
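
Added example (not part of the original thread and not psPAS code): a PowerShell filter that pulls the Page and Error fields out of WebApplication.log entries shaped like the one quoted above, so a 500 returned by PIMServices.svc can be matched to its server-side cause. The function name, the regular expression and the sample lines are assumptions built from that single quoted entry.

```powershell
# Added example. Entry layout inferred from the single WebApplication.log line quoted above.
# Hostname, safe name and the first sample line are constructed placeholders.
$sampleLog = @'
[24/02/2023 | 16:38:15.901220] | {pid= 7144} | {tid= 3980} | :: | Constructed informational entry
[24/02/2023 | 16:38:16.152763] | {pid= 7144} | {tid= 3980} | :: | EPVDL005E Application Error! Page=[https://pvwa.example.test/PasswordVault/WebServices/PIMServices.svc/Safes/ExampleSafe/Members] Error=[Could not find a base address that matches scheme http for the endpoint with binding WebHttpBinding. Registered base address schemes are [https].] Stack Trace=[ at System.ServiceModel.ServiceHostBase.MakeAbsoluteUri(Uri relativeOrAbsoluteUri, Binding binding, UriSchemeKeyedCollection baseAddresses)]
'@ -split '\r?\n'

function Get-PvwaApplicationError {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Line,

        # Regex applied to the Page field; default keeps only calls to the
        # PIMServices.svc endpoint seen in this issue.
        [string]$PageFilter = 'PIMServices\.svc'
    )
    begin {
        # Error=[...] can itself contain brackets ("[https]."), so it is matched
        # lazily up to the literal "] Stack Trace=[" delimiter.
        $rx = [regex]::new(
            '^\[(?<Date>[^|]+?)\s*\|\s*(?<Time>[^\]]+)\]\s*\|\s*\{pid=\s*(?<Pid>\d+)\}' +
            '\s*\|\s*\{tid=\s*(?<Tid>\d+)\}\s*\|\s*::\s*\|\s*(?<Code>[A-Z]+\d+[A-Z])\s' +
            '.*?Page=\[(?<Page>[^\]]+)\]\s+Error=\[(?<Error>.*?)\]\s+Stack Trace=\[')
    }
    process {
        $m = $rx.Match($Line)
        if (-not $m.Success) { return }              # not an application-error entry
        $page = $m.Groups['Page'].Value
        if ($page -notmatch $PageFilter) { return }  # error from some other page
        $err = $m.Groups['Error'].Value
        [pscustomobject]@{
            Timestamp      = [datetime]::ParseExact(
                ('{0} {1}' -f $m.Groups['Date'].Value, $m.Groups['Time'].Value),
                'dd/MM/yyyy HH:mm:ss.ffffff', [cultureinfo]::InvariantCulture)
            Code           = $m.Groups['Code'].Value
            Page           = $page
            Error          = $err
            # True for the WCF scheme/binding mismatch reported in this issue.
            SchemeMismatch = $err -match 'base address that matches scheme'
        }
    }
}

$sampleLog | Get-PvwaApplicationError | Format-List
# Against a live PVWA: Get-Content <path to WebApplication.log> | Get-PvwaApplicationError
```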

jbalcorn commented 1 year ago

Sounds like an issue with 11.1 rather than PSPas

pspete commented 1 year ago

potentially this: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/WebServices/Implementing%20Privileged%20Account%20Security%20Web%20Services%20.htm?tocpath=Developer%7CREST%20APIs%7C_____0#RESTAPIdoesnotwork

jbalcorn commented 1 year ago

That was the solution! Thanks, Pete!