Closed walidhammad closed 1 year ago
I can still connect with older module + issue#402 work around and do everything I need
$ Get-PASSession
User BaseURI ExternalVersion WebSession
---- ------- --------------- ----------
xxxxx@xxxxxxxxx https://xxxxxxxx.privilegecloud.cyberark.cloud/PasswordVault 13.0.0 Microsoft.PowerShell.Commands.WebRequestSession
$ Get-PASServer
ExternalVersion InternalVersion ServerName
--------------- --------------- ----------
13.0.0 13.0.0.9 Vault
$ Get-PASLoggedOnUser
AgentUser : False
Disabled : False
Email :
Expired : False
ExpiryDate :
FirstName : Privilege
LastName : user
Location : \
Source : Internal
Suspended : False
UserName : xxxxx@xxxxxxxxx
UserTypeName : EPVUser
It would be expected for both a username & the version information to be included in the get-passession
output...
If the "WebSession" object is examined, does it include a bearer token?
PS C:\Users\petem> Get-PASSession | Select -ExpandProperty WebSession | select -ExpandProperty Headers
Key Value
--- -----
Authorization Bearer SomeLongStringSomeLongStringSomeLongStringSomeLongStringSomeLongString...
Yes
Get-PASSession | Select -ExpandProperty WebSession | select -ExpandProperty Headers
Key Value
--- -----
Authorization Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjRBOTJBRkUxRjIxMkZCQTJEN0M2MDg4NjE3N0ZGRTMxNEZCMkE1QTgiLCJ4NXQiOiJTcEt2NGZJUy…
is the https://xxxxxxx.privilegecloud.cyberark.cloud/PasswordVault
value from Get-PASSession
as expected?
does it match the value you see when using the issue #402 workaround?
Yes
Get-PASSession | Select -ExpandProperty WebSession | select -ExpandProperty Headers Key Value --- ----- Authorization Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjRBOTJBRkUxRjIxMkZCQTJEN0M2MDg4NjE3N0ZGRTMxNEZCMkE1QTgiLCJ4NXQiOiJTcEt2NGZJUy…
Can you see if the Bearer token is able to be used outside of the module? Like described here: https://github.com/pspete/psPAS/issues/464#issuecomment-1494864685
is the
https://xxxxxxx.privilegecloud.cyberark.cloud/PasswordVault
value fromGet-PASSession
as expected?does it match the value you see when using the issue #402 workaround?
No, the xxxxxxx returned is the identity tenant, which is in https://xxxxxxx.id.cyberark.cloud/oauth2/platformtoken instead of the privilege cloud pvwa name https://xyz.privilegecloud.cyberark.cloud/PasswordVault
Yes
Get-PASSession | Select -ExpandProperty WebSession | select -ExpandProperty Headers Key Value --- ----- Authorization Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjRBOTJBRkUxRjIxMkZCQTJEN0M2MDg4NjE3N0ZGRTMxNEZCMkE1QTgiLCJ4NXQiOiJTcEt2NGZJUy…
Can you see if the Bearer token is able to be used outside of the module? Like described here: #464 (comment)
I can by replacing baseurl with https://xyz.privilegecloud.cyberark.cloud/PasswordVault instead of https://xxxxxxx.privilegecloud.cyberark.cloud/PasswordVault and it returns users.
OK, so your scenario is that the Identity & Privilege Cloud subtenant names are different? Will investigate how to cater for this.
@pspete The URL that is used for "Identity" (Authentication, user updates, etc) operations will always go to a URL that uses "????.my.idaptive.app" (???? Assigned by CyberArk) while any operation that goes to a "PCloud" (Accounts, Safes, Ownership, etc) will go to the "{subdomain}.id.cyberark.cloud" (Subdomain chosen by the tenant)
This line is using a incorrect URL
New-PASSession.ps1
$LogonRequest['Uri'] = "https://${TenantSubdomain}.id.cyberark.cloud/oauth2/platformtoken"
This line needs to be updated to use the "Identity" tenant then the code should work.
Suggestion:
New-PASSession.ps1
[Parameter(Mandatory = $true, ValueFromPipeline = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'SharedServices')] [string]$IdentityID,
$LogonRequest['Uri'] = "https://${IdentityID}.id.cyberark.cloud/oauth2/platformtoken"
Note that $Uri being set is correct and should use the TenantSubdomain, it is just the oauth token request that needs to go to the "Identity" Uri
New-PASSession.ps1
$Uri = "https://${TenantSubdomain}.privilegecloud.cyberark.cloud/$PVWAAppName"
1st generation URLs (like ????.my.idaptive.app) are not yet catered for in the module, we currently assume the URL for current day systems. {subdomain} can be configured as a tenant URL for the Identity portal, which should allow authentication to proceed.
Nevertheless, will work to add some additional logic into the module to cater for different configurations.
It si expected that most Shared Services implementations will be configured so that Identity and Privileged Cloud portal addresses share a common subdomain.
Where this is not the case, and Identity and Privilege Cloud portals do not share an identical subdomain, in the latest psPAS release 5.6.135, subdomain values or portal URL values can be specified independently: https://pspas.pspete.dev/docs/authentication/#shared-services-authentication
1st generation URLs (like ????.my.idaptive.app) are not yet catered for in the module, we currently assume the URL for current day systems. {subdomain} can be configured as a tenant URL for the Identity portal, which should allow authentication to proceed.
Nevertheless, will work to add some additional logic into the module to cater for different configurations.
Thank you! The last release works by giving me the options to specify identitysubdomain and tenantsubdomain.
The reason we cannot have them be the same is due to it being Identity Security Platform tenant which makes identitysubdomain a pre generated string
Great it works for you. I Don't think a custom domain/ vanity URL is the same thing as a Tenant subdomain.
The process for adding a custom domain is a lot more involved than adding a subdomain.
I Don't think a custom domain/ vanity URL is the same thing as a Tenant subdomain.
It is
https://docs.cyberark.com/Idaptive/Latest/en/Content/GetStarted/CustomDomain.htm
Describe the issue While the new module update to include ISPSS seems to connect, I cannot access any of the cmdlets results.
To Reproduce Installing the module Connecting to ISPSS using service account Running cmdlets
Expected behavior I expect to be able to get results for any of the cmdlets of this module.
Your Environment Windows: Name Value
PSVersion 7.3.3 PSEdition Core GitCommitId 7.3.3 OS Microsoft Windows 10.0.22621 Platform Win32NT PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…} PSRemotingProtocolVersion 2.3 SerializationVersion 1.1.0.1 WSManStackVersion 3.0
Mac: Name Value
PSVersion 7.3.3 PSEdition Core GitCommitId 7.3.3 OS Darwin 22.3.0 Darwin Kernel Version 22.3.0: Mon Jan 30 20:38:37 PST 2023; root:xnu-8792.81.3~2/RELEASE_ARM64_T60… Platform Unix PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…} PSRemotingProtocolVersion 2.3 SerializationVersion 1.1.0.1 WSManStackVersion 3.0
Additional context Add any other context about the problem here.