pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License

New-PASSession: Invoke-WebRequest : Specified value has invalid CRLF characters. #448

Closed mkanet closed 1 year ago

mkanet commented 1 year ago

Describe the issue

I am unable to successfully authenticate using OSUser authentication when using New-PASSession -UseDefaultCredentials. The result is an invalid/unusable session due to the API endpoint returning invalid characters for the respective session.

To Reproduce

Steps to reproduce the behavior:

  1. New-PASSession -UseDefaultCredentials -BaseURI https://cyberpass.ourorganization.com -PVWAAppName MyApp
  2. Immediately afterwards, if I type Get-PASLoggedOnUser and press enter, I get the respective exception below:
Invoke-WebRequest : Specified value has invalid CRLF characters.
Parameter name: value
At line:216 char:19
+ ... $APIResponse = Invoke-WebRequest @PSBoundParameters -ErrorAction Stop
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Invoke-WebRequest], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

If I type Get-PASSession, I get the below result:

User BaseURI                                ExternalVersion WebSession
---- -------                                --------------- ----------
     https://cyberpass.ourorganization.com/MyApp 0.0             Microsoft.PowerShell.Commands.WebRequestSession

NOTE: On the CyberArk web interface, my CyberArk app MyApp is configured for OSUser authentication (Windows Active Directory user). The only thing I did was type my Windows Active Directory username myusername in the field where I need to specify the user account. Do I need to also specify my AD domain like ADDomain\myusername? Do I need to surround the username with quotes? I'm not sure what format to use for the user account since the interface doesn't even check/validate the username I typed in.

I'm not sure why the server would return invalid CRLF characters. I'm not sure what I should try next to resolve this issue. I've spent days on this and am not making any progress. I'd really appreciate any help you can offer to get this to work.

Your Environment

Include relevant details about your environment

pspete commented 1 year ago

Have you tried windows authentication without the use of the -UseDefaultCredentials switch, providing your windows credentials instead? i.e.

$cred = Get-Credential
New-PASSession -Credential $cred -BaseURI https://cyberpass.ourorganization.com -PVWAAppName MyApp -type Windows

specify the username for the credential object in the same format you would use to login to PVWA

mkanet commented 1 year ago

Thank you for responding!

We're currently looking for a fully automatic way to retrieve passwords via psPAS since we already authenticate into AD every day when we log in to our Windows desktops (using our smartcards + respective PIN).

Currently we have to use our web browser to visit our Cyberark webpage, then authenticate using our Smartcard + Smartcard PIN... which is very tedious to do every day.

Having said that, I did try to do what you asked $cred = Get-Credential; New-PASSession -Credential $cred.... However, it kept telling me that the username was wrong. I tried both DOMAIN\adusername as well as just adusername along with respective password.

I'm not sure if I'm doing something wrong or our CyberArk Admins just don't know how to configure authentication correctly on the backend for -UseDefaultCredentials.

pspete commented 1 year ago

Currently we have to use our web browser to visit our Cyberark webpage, then authenticate using our Smartcard + Smartcard PIN...

This appears different to the method you are attempting via the module? There is an example for pki auth in the docs. Consider confirming with your CyberArk Admins which authentication method to use.

mkanet commented 1 year ago

Thanks. I will talk to them. They didn't have much experience with setting up authentication for us.

My understanding is that -UseDefaultCredentials doesn't require us to use a certificate (such as the one associated with our smartcards); instead, it re-uses only the existing authenticated Windows Desktop session.

Maybe I've been wrong all this time on how -UseDefaultCredentials should be used. Anyway, thank you for your time. I don't think there's more I can do until our CyberArk Admins figure out which authentication solution is fully automated... not requiring us to manually type a Smartcard PIN code.

mkanet commented 1 year ago

@chrisdma yes, I finally have a working solution. I was having trouble with PsPAS because it doesn't appear that PsPAS even has Smartcard authentication + PIN authentication. Our CyberARK person provided me with a set of custom CyberARK PowerShell functions (unrelated to PsPAS module) that will authenticate via Smartcard +PIN, then retrieve the new password for an account.

Also, if you recently logged into your Windows PC with your Smartcard + PIN, you won't be prompted again for the smartcard PIN when the script retrieves the password...making it fully automatic.

mkanet commented 1 year ago

@pspete What are the chances you could provide Smartcard+PIN authentication to New-PASSession? If New-PASSession already has full support for Smartcard + PIN authentication, could you please give us an example code on how to do this?

pspete commented 1 year ago

@mkanet - are you able to share your working code for Smartcard + PIN authentication? chances of being able to include the functionality in the module would increase significantly with a working example to refer to.

mkanet commented 1 year ago

@mkanet - are you able to share your working code for Smartcard + PIN authentication? chances of being able to include the functionality in the module would increase significantly with a working example to refer to.

@pspete I would LOVE to share this piece of code to incorporate into psPAS. However, unfortunately this code was not developed by me. It was written by a Cyberark contractor at our organization. I will talk to him on Monday and check with his boss to see if it's OK to share this code. I've been testing it for a few weeks now... it seems to work very well. I will let you know either way on Monday.

mkanet commented 1 year ago

@pspete I just spoke with our developer about this. He mentioned that he already spoke to you at a recent CyberArk conference about this.

pspete commented 1 year ago

He mentioned that he already spoke to you at a recent CyberArk conference about this.

In that case... Can you test the initial commit of the PKIPN authentication capability currently present in the pkipn branch?

If it works for you, we can promote into dev and get it into the next psPAS release :)

pspete commented 1 year ago

Another user confirmed that it appears to work - so hopefully appears the same way for you also?

mkanet commented 1 year ago

@pspete I'm sorry, I have been very busy the last few days. I will try this ASAP. I just downloaded the initial commit of the PKIPN branch.

Could you please give me an example command-line to use to test the new pkipn authentication capability? I will be able to test this tomorrow at work.

mkanet commented 1 year ago

@pspete Below are the steps I used. Could you please tell me if it is working correctly?

Import-Module -Name psPAS      # using latest pkipn branch code
Add-Type -AssemblyName System.Security
# pick the smartcard certificate from the user's personal store by friendly name
$Cert = Get-ChildItem -Path 'Cert:\CurrentUser\My' | Where-Object { $_.FriendlyName -match 'Authentication -' }
New-PASSession -BaseURI "cyberpass.ourcompany.com" -type PKIPN -Certificate $Cert
Get-PASSession

Result:

User   BaseURI                                        ExternalVersion WebSession
----   -------                                        --------------- ----------
MKANET https://cyberpass.ourcompany.com/PasswordVault 12.6.3          Microsoft.PowerShell.Commands.WebRequestSession


NOTE: Unfortunately, sometimes when I execute the below command, instead of it returning the result above, it produces an error:

New-PASSession -BaseURI "cyberpass.ourcompany.com" -type PKIPN -Certificate $Cert

Result:

Invoke-PASRestMethod : [405]
At line:546 char:19
+                 $PASSession = Invoke-PASRestMethod @LogonRequest
+                               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: ({"Message":"The...method 'GET'."}:ErrorRecord) [Invoke-PASRestMethod], Exception
    + FullyQualifiedErrorId : Invoke-PASRestMethod

Also...

Get-PASSafe -SafeName "MySafeName"

Result

Invoke-PASRestMethod : [401]
At line:230 char:13
+ ...   $result = Invoke-PASRestMethod -Uri $URI -Method GET -WebSession $S ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: ({"ErrorCode":"C...rorMessage":""}:ErrorRecord) [Invoke-PASRestMethod], Exception
    + FullyQualifiedErrorId : CAWS00001E,Invoke-PASRestMethod

pspete commented 1 year ago

PKIPN auth now added into the latest release: https://pspas.pspete.dev/docs/authentication/#pkipn-authentication-example

Troubleshooting or advising on the "Method Not Allowed" and "Unauthorised" status codes you see is tricky as we don't have PKIPN setup in any environment to replicate.

You can potentially test the process outside of the module to see if it occurs when not using psPAS: https://pspas.pspete.dev/docs/troubleshooting/#manual-api-command-testing

This will confirm if it is due to code in the module or not.

If you do find additional information which points to a resolution let us know via a new issue.
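The manual test suggested above, together with the certificate selection used in the earlier reproduction steps, as an added example that is neither psPAS code nor anything posted by the participants. It picks a client-authentication certificate that actually has a private key and is within its validity period (the `FriendlyName -match` filter in the thread can return several or expired certificates), then calls the logon endpoint with Invoke-WebRequest directly and reports the HTTP status, so a 401/405 or a token containing CR/LF can be attributed to the server or certificate rather than to the module. The logon path `API/auth/PKIPN/Logon`, the `PasswordVault` app name and the POST body are assumptions to confirm against your CyberArk REST API documentation.

```powershell
# Added example (not psPAS or the thread's code). Assumptions are marked ASSUMPTION.

function Get-ClientAuthCertificate {
    # Standard Client Authentication EKU OID; EnhancedKeyUsageList is exposed by the Cert: provider.
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $now = Get-Date
    Get-ChildItem -Path 'Cert:\CurrentUser\My' |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1          # longest-lived usable certificate
}

function Test-PASLogonRaw {
    param(
        [Parameter(Mandatory)][string]$BaseURI,               # e.g. https://cyberpass.ourcompany.com
        [string]$AppName = 'PasswordVault',
        # ASSUMPTION: PKIPN logon path; verify against the CyberArk REST API docs.
        [string]$LogonPath = 'API/auth/PKIPN/Logon',
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $uri = "$($BaseURI.TrimEnd('/'))/$AppName/$LogonPath"
    try {
        # ASSUMPTION: logon is a POST with an (empty) JSON body; the client cert is sent for mutual TLS.
        $response = Invoke-WebRequest -Uri $uri -Method Post -Certificate $Certificate `
            -ContentType 'application/json' -Body '{}' -UseBasicParsing -ErrorAction Stop
    } catch {
        # Surface the HTTP status so 401 / 405 can be analysed without the module in the path.
        $resp = $_.Exception.Response
        $status = if ($resp) { [int]$resp.StatusCode } else { $null }
        return [pscustomobject]@{ Status = $status; Token = $null; HasCRLF = $false; Error = $_.Exception.Message }
    }
    # The token comes back as a JSON string literal; strip the surrounding quotes.
    $token = $response.Content.Trim().Trim('"')
    # Any CR or LF in the token will trigger "Specified value has invalid CRLF characters"
    # the moment it is placed in the Authorization header, so check before reusing it.
    [pscustomobject]@{
        Status  = [int]$response.StatusCode
        Token   = $token
        HasCRLF = [bool]($token -match '[\r\n]')
        Error   = $null
    }
}

# Usage (placeholder host):
# $cert = Get-ClientAuthCertificate
# if (-not $cert) { throw 'No valid client-authentication certificate with a private key found.' }
# Test-PASLogonRaw -BaseURI 'https://cyberpass.example.com' -Certificate $cert | Format-List
```

If `HasCRLF` is `$true`, the server response itself carries the stray characters and the fix belongs on the PVWA side; if the raw call already returns 401 or 405, the certificate mapping or endpoint configuration is the place to look, not the module.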