pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License

New-PASSession (LastError key is registering an error yet successful connection) #534

Closed acastrellon-mh closed 2 months ago

acastrellon-mh commented 2 months ago

Hi Pete - I was testing out the new version recently released. I'm not yet on ISPSS, working to get there, hence why I'm looking into the newest release.

In the meantime, I will continue to use api to privilege cloud as usual. I noticed my scripts fail to run because I initiate calling a connect function. If no error during connection, it runs my script. Previously I had no issues while on version 6.1.62. After switching the module to this version 6.3.78, I started seeing an error.

The error is even before I run my portion of the script. I'm using a CyberArk local account to run New-PASSession. The session gets created but it's showing it had some error present during the connection, yet the connection was still successful and I can run API commands with no issue, but the connection threw an error. I know I can change my script portion to not look for any errors, but I would like to know what is happening.

Run: New-PASSession -Credential $mycred -BaseURI "https://something.privilegecloud.cyberark.com" -type "CyberARk"

Note: if I omit -type "CyberARk" it still goes through, guess that's the default.

Output: this command runs successfully (although it captures an error) and I can run a get-pasaccount with results successfully.

If I run $session = Get-PasSession

$session Output:

Name                           Value
----                           -----
BaseURI                        https://something.privilegecloud.cyberark.com/PasswordVault
User                           SomeAccount_Local
ExternalVersion                14.1.0
WebSession                     Microsoft.PowerShell.Commands.WebRequestSession
StartTime                      4/10/2024 9:25:36 AM
ElapsedTime                    00:00:11
LastCommand                    System.Management.Automation.InvocationInfo
LastCommandTime                4/10/2024 9:25:36 AM
LastCommandResults
LastError                      ...
LastErrorTime                  4/10/2024 9:25:36 AM

Notice last error time is same as connection start. After looking at error, this is what I get.

Run: $session.values

Output: https://something.privilegecloud.cyberark.com/PasswordVault SomeAccount_Local

Major  Minor  Build  Revision
-----  -----  -----  --------
14     1      0      -1

Headers               : {[Authorization, SOME TOKEN INFO HERE}
Cookies               : System.Net.CookieContainer
UseDefaultCredentials : False
Credentials           :
Certificates          :
UserAgent             : Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.5576
Proxy                 :
MaximumRedirection    : -1

DisplayHint : DateTime
Date        : 4/10/2024 12:00:00 AM
Day         : 10
DayOfWeek   : Wednesday
DayOfYear   : 101
Hour        : 9
Kind        : Local
Millisecond : 986
Minute      : 0
Month       : 4
Second      : 49
Ticks       : 638483364499860549
TimeOfDay   : 09:00:49.9860549
Year        : 2024
DateTime    : Wednesday, April 10, 2024 9:00:49 AM

00:00:20

MyCommand        : Get-PASLoggedOnUser
BoundParameters  : {[ErrorAction, Stop]}
UnboundArguments : {}
ScriptLineNumber : 817
OffsetInLine     : 15
HistoryId        : 47
ScriptName       :
Line             : $User = Get-PASLoggedOnUser -ErrorAction Stop
PositionMessage  : At line:817 char:15

DisplayHint : DateTime
Date        : 4/10/2024 12:00:00 AM
Day         : 10
DayOfWeek   : Wednesday
DayOfYear   : 101
Hour        : 9
Kind        : Local
Millisecond : 126
Minute      : 0
Month       : 4
Second      : 50
Ticks       : 638483364501266893
TimeOfDay   : 09:00:50.1266893
Year        : 2024
DateTime    : Wednesday, April 10, 2024 9:00:50 AM

Invoke-WebRequest :

Service
  Service
  Endpoint not found.

At line:227 char:19

DisplayHint : DateTime
Date        : 4/10/2024 12:00:00 AM
Day         : 10
DayOfWeek   : Wednesday
DayOfYear   : 101
Hour        : 9
Kind        : Local
Millisecond : 111
Minute      : 0
Month       : 4
Second      : 50
Ticks       : 638483364501110631
TimeOfDay   : 09:00:50.1110631
Year        : 2024
DateTime    : Wednesday, April 10, 2024 9:00:50 AM

Again, I can simply use a workaround like this. Example:

New-PASSession -Credential $mycred -BaseURI "https://something.privilegecloud.cyberark.com" -type "CyberARk"
$Error.Clear()

# Run any command to ensure the connection is established
$CheckError = Get-PASUserLoginInfo

If (!($Error)) { <# run my script #> } Else { $Error }

My bet is on this: Get-PASLoggedOnUser

Result: Invoke-PASRestMethod : Service Endpoint not found At line:16 char:13

:ErrorRecord) [Invoke-PASRestMethod], Exception

Any thoughts why this is happening?

pspete commented 2 months ago

For Privilege Cloud Standard, the "Get logged on user details API" that Get-PASLoggedOnUser uses is deprecated - hence reporting of the error.

https://docs.cyberark.com/privilege-cloud-standard/Latest/en/Content/Privilege%20Cloud/PrivCloud-RNs-2023-v14.0.htm?tocpath=Get%20Started%7CWhat%27s%20new%20v14.2%7CPrivilege%20Cloud%20releases%20-%20Previous%20versions%7C2023%20Privilege%20Cloud%20releases%7C_____2#Platformendofsupport

We query for the logged on user name once after the initial authentication to make it available via Get-PASSession. If an error is encountered, the user name from the used credential object is stored instead.

acastrellon-mh commented 2 months ago

Thanks for the response Pete. Being that it's deprecated, will it get removed from the New-PASSession function in a follow-up version?

pspete commented 2 months ago

No, because it is still valid for self-hosted solutions. A future update may prevent it from being able to be run in Shared Services - but that will still result in an error being caught during the authentication process currently.
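
The behaviour described in this thread suggests judging connection success from the session itself rather than from the global $Error collection. The following is an added example, not code from psPAS or from either commenter: Connect-PASChecked is a hypothetical helper name, and it assumes a failed logon surfaces as an error that -ErrorAction Stop makes catchable, while the post-logon Get-PASLoggedOnUser error is only recorded in the session's LastError, as shown in the output above.

```powershell
# Added example: wrap New-PASSession so that a deprecated-endpoint error
# recorded during logon does not stop the calling script.
function Connect-PASChecked {    # hypothetical helper, not part of psPAS
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string] $BaseURI
    )

    # A real authentication failure should end the script here.
    try {
        New-PASSession -Credential $Credential -BaseURI $BaseURI -type CyberArk -ErrorAction Stop
    }
    catch {
        throw "Authentication to $BaseURI failed: $($_.Exception.Message)"
    }

    $session = Get-PASSession

    # New-PASSession queries the logged on user once after authentication.
    # On Privilege Cloud Standard that API is deprecated, so an error from
    # that single command is expected and the User value comes from the
    # credential object instead.
    if ($session.LastError) {
        if ($session.LastCommand.MyCommand.Name -eq 'Get-PASLoggedOnUser') {
            Write-Verbose "Ignoring Get-PASLoggedOnUser error; User is '$($session.User)'"
        }
        else {
            Write-Warning "Unexpected error recorded during logon: $($session.LastError)"
        }
    }

    # Prove the token is usable with a call of our own, checked locally
    # instead of through the global $Error collection.
    try {
        $null = Get-PASUserLoginInfo -ErrorAction Stop
    }
    catch {
        throw "Session was created but an API call failed: $($_.Exception.Message)"
    }

    $session
}

# Usage (constructed values):
# $s = Connect-PASChecked -Credential $mycred -BaseURI 'https://something.privilegecloud.cyberark.com' -Verbose
```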