pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License

Adding PKIPN option to cmdlet New-PASSession + Removing "-Credential" as mandatory parameter for PKI(PN) auth #463

Closed MarcGroot closed 11 months ago

MarcGroot commented 1 year ago

Describe the issue

  1. The ValidateSet attribute for certain parameters in the New-PASSession cmdlet is missing the PKIPN option (authentication works properly when it is edited manually in the cmdlet).
  2. The New-PASSession cmdlet requires the parameter -Credential $cred, which is not used during PKI/PKIPN authentication.

To Reproduce

Steps to reproduce the behavior:

  1. See below
  2. Using Example 12 from: https://pspas.pspete.dev/commands/New-PASSession

`New-PASSession -Credential $cred -BaseURI $url -type PKIPN -Certificate $Cert`

`New-PASSession -Credential $cred -BaseURI $url -type PKI -Certificate $Cert`

Expected behavior

  1. PKIPN should be accessible via this cmdlet, since authentication works without any additional setting.
  2. The user should not be prompted for the -Credential parameter, because it is not required for authentication.

Screenshots & Console Output

  1. Console output:

     ```
     New-PASSession : Cannot validate argument on parameter 'type'. The argument "PKIPN" does not belong to the set "CyberArk;LDAP;Windows;RADIUS;PKI" specified by the ValidateSet attribute. Supply an argument that is in the set and then try the command again.
     At line:14 char:54
     + New-PASSession -Credential $cred -BaseURI $url -type PKIPN -Certifica ...
     +                                                      ~
         + CategoryInfo          : InvalidData: (:) [New-PASSession], ParameterBindingValidationException
         + FullyQualifiedErrorId : ParameterArgumentValidationError,New-PASSession
     ```

  2. (screenshot, image not preserved)

Your Environment

Thank you for your consideration, MarcGroot

pspete commented 1 year ago

There is zero available documentation I can find on PKIPN authentication with the API... and currently I have no suitable environment to investigate. Can you share any example code (i.e. using Invoke-WebRequest or Invoke-RestMethod) which allows you to successfully authenticate using PKIPN in your environment?

MarcGroot commented 1 year ago

Dear pspete,

When I edited New-PASSession to allow PKIPN and used this piece of code:

```powershell
Add-Type -AssemblyName System.Security

# Collect the certificates in the current user's personal store
$MyCerts = [System.Security.Cryptography.X509Certificates.X509Certificate2[]](Get-ChildItem Cert:\CurrentUser\My)

# Let the user pick the client certificate to authenticate with
$Cert = [System.Security.Cryptography.X509Certificates.X509Certificate2UI]::SelectFromCollection( $MyCerts, 'Choose a certificate', 'Choose a certificate', 'SingleSelection' ) | select -First 1

New-PASSession -Credential $cred -BaseURI $url -type PKIPN -Certificate $Cert
Get-PASSession
```

I get a valid session. The server log looks like this:

2023-04-13 13:32:40 192.168.1.1 POST /PasswordVault/api/Auth/PKIPN/Logon - 443 - 10.1.1.1 Mozilla/x.x(Windows+NT;+Windows+NT+xx.x;+en-US)+WindowsPowerShell/xxxxxxxx.xxx.xx - 200 0 0 319

Also with Invoke-RestMethod the authentication is successful:

```powershell
$url = "https://ServerName/PasswordVault/API/auth/PKIPN/Logon/"
Add-Type -AssemblyName System.Security

# Collect the certificates in the current user's personal store and pick one
$MyCerts = [System.Security.Cryptography.X509Certificates.X509Certificate2[]](Get-ChildItem Cert:\CurrentUser\My)
$Cert = [System.Security.Cryptography.X509Certificates.X509Certificate2UI]::SelectFromCollection( $MyCerts, 'Choose a certificate', 'Choose a certificate', 'SingleSelection' ) | select -First 1

$headers = @{ "Content-Type" = "application/json" }

# Client-certificate logon: no credential body is sent
$response = Invoke-RestMethod -Uri $url -Method Post -Headers $headers -Certificate $Cert
$response
```

(screenshot, image not preserved)

Thank you, MarcGroot

pspete commented 1 year ago

Hi @MarcGroot

Can you please test the initial commit of the PKIPN authentication capability currently present in the pkipn branch?

If it works for you, we can promote into dev and get it into the next psPAS release :)

MarcGroot commented 1 year ago

Hi @pspete

I've tried it and PKIPN seems to work correctly, but it still requires the -Credential parameter. I am not sure whether this is some dependency issue.

Thank you very much, MarcGroot

pspete commented 1 year ago

Thanks for confirming - will get this initial version of the capability included in the next release 🚀

Had made Credential optional (https://github.com/pspete/psPAS/blob/e1f27e8aab73de3f22716fad5b6581dc622a042b/psPAS/Functions/Authentication/New-PASSession.ps1#LL6C4-L6C23) - so odd that it still appears to be required - will look into it
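As an added illustration of the two fixes this issue asks for (PKIPN in the ValidateSet, and -Credential not mandatory for certificate logons), here is an example function; it is not psPAS code, the function name is hypothetical, the endpoint path follows the log line and snippet posted above, and the body shape for password logons is an assumption.

```powershell
# Added example, not psPAS code: logon wrapper with PKIPN in the set and optional -Credential.
function New-PASSessionExample {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$BaseURI,

        [Parameter(Mandatory = $true)]
        [ValidateSet('CyberArk', 'LDAP', 'Windows', 'RADIUS', 'PKI', 'PKIPN')]
        [string]$type,

        # Not Mandatory: certificate logons never send a username/password.
        [pscredential]$Credential,

        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $usesCertificate = $type -in @('PKI', 'PKIPN')

    # Enforce the per-type requirement here rather than with Mandatory=$true,
    # so PKI/PKIPN callers are not prompted for a credential they do not need.
    if ($usesCertificate -and -not $Certificate) {
        throw "-Certificate is required when -type is '$type'."
    }
    if (-not $usesCertificate -and -not $Credential) {
        throw "-Credential is required when -type is '$type'."
    }

    # Path pattern taken from the server log in this issue:
    # /PasswordVault/API/auth/<type>/Logon
    $params = @{
        Uri         = "$($BaseURI.TrimEnd('/'))/PasswordVault/API/auth/$type/Logon"
        Method      = 'Post'
        ContentType = 'application/json'
    }

    if ($usesCertificate) {
        # The client certificate carries the identity; no JSON body is sent.
        $params['Certificate'] = $Certificate
    } else {
        # Body shape for password logons is an assumption of this example.
        $params['Body'] = @{
            username = $Credential.UserName
            password = $Credential.GetNetworkCredential().Password
        } | ConvertTo-Json
    }

    Invoke-RestMethod @params
}
```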

pspete commented 11 months ago

Now added in psPAS release 5.6.135