thycotic-ps / thycotic.secretserver

PowerShell module for automating with Thycotic Secret Server REST API
https://thycotic-ps.github.io/thycotic.secretserver
MIT License

New-TssSession not processing Credential properly #227

Closed CermakPOI closed 3 years ago

CermakPOI commented 3 years ago

Verified issue does not already exist?

No

What error did you receive

New-TssSession uses winauthwebservices even for credential. In version 0.42.0 it works as expected.


PS C:\Users\User> $global:POITSSSession = New-TssSession @paramNewTssSession -ErrorAction Stop -Verbose
VERBOSE: Provided command parameters: New-TssSession -SecretServer: -Credential:CredentialObject -ErrorAction:Stop -Verbose:$True
VERBOSE: SecretServer host: https://Myinstance.secretservercloud.eu/
VERBOSE: Performing the operation "Requesting OAuth2 token from https://Myinstance.secretservercloud.eu/ with URI of [https://Myinstance.secretservercloud.eu/oauth2/token]" on target "https://Myinstance.secretservercloud.eu/".
VERBOSE: Performing the operation POST  with: username=[User4connection]&password=[hidden]&grant_type=password
WARNING: Issue authenticating to [https://Myinstance.secretservercloud.eu/]
{"error":"Login failed."}
At C:\Program Files\WindowsPowerShell\Modules\Thycotic.SecretServer\0.50.1\functions\authentication\New-TssSession.ps1:162 char:25
+                         throw $_.Exception
+                         ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], Exception
    + FullyQualifiedErrorId : {"error":"Login failed."}

PS C:\Users\User> $global:POITSSSession

SecretServer        : https://Myinstance.secretservercloud.eu/
SecretServerVersion :
ApiVersion          : api/v1
WindowsAuth         : winauthwebservices
ApiUrl              : https://Myinstance.secretservercloud.eu/winauthwebservices/api/v1
AccessToken         :
RefreshToken        :
TokenType           : WindowsAuth
ExpiresIn           : 0
StartTime           : 16.08.2021 08:45:29
TimeOfDeath         : 01.01.0001 00:00:00
Take                : 2147483647

Please run the command using -Verbose

No response

Provide a test case or steps to reproduce

PS C:\Users\User> $paramNewTssSession

Name                           Value
----                           -----
SecretServer                   https://Myinstance.secretservercloud.eu
Credential                     System.Management.Automation.PSCredential

PS C:\Users\User> Get-Module Thycotic.SecretServer

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     0.50.1     Thycotic.SecretServer               {Start-TssLog, Stop-TssLog, Write-TssLog, Add-TssEventPipeline...}

PS C:\Users\User> $global:POITSSSession = New-TssSession @paramNewTssSession -ErrorAction Stop
WARNING: Issue authenticating to [https://Myinstance.secretservercloud.eu/]
{"error":"Login failed."}
At C:\Program Files\WindowsPowerShell\Modules\Thycotic.SecretServer\0.50.1\functions\authentication\New-TssSession.ps1:162 char:25
+                         throw $_.Exception
+                         ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], Exception
    + FullyQualifiedErrorId : {"error":"Login failed."}

PS C:\Users\User> $global:POITSSSession

SecretServer        : https://Myinstance.secretservercloud.eu/
SecretServerVersion :
ApiVersion          : api/v1
WindowsAuth         : winauthwebservices
ApiUrl              : https://Myinstance.secretservercloud.eu/winauthwebservices/api/v1
AccessToken         :
RefreshToken        :
TokenType           : WindowsAuth
ExpiresIn           : 0
StartTime           : 16.08.2021 08:45:29
TimeOfDeath         : 01.01.0001 00:00:00
Take                : 2147483647

PS C:\Users\User> Remove-Module Thycotic.SecretServer
PS C:\Users\User> Import-Module Thycotic.SecretServer -RequiredVersion 0.42.0
PS C:\Users\User> $global:POITSSSession = New-TssSession @paramNewTssSession -ErrorAction Stop
PS C:\Users\User> $global:POITSSSession

SecretServer        : https://Myinstance.secretservercloud.eu/
SecretServerVersion : 10.9.000064
ApiVersion          : api/v1
ApiUrl              : https://Myinstance.secretservercloud.eu/api/v1
AccessToken         : [hidden]
RefreshToken        : [hidden]
TokenType           : bearer
ExpiresIn           : 1199
StartTime           : 16.08.2021 08:58:46
TimeOfDeath         : 16.08.2021 09:18:45
Take                : 2147483647

Expected behavior

Use webservices instead of winauthwebservices as in older, working versions.

What Edition of Secret Server?

Cloud Subscription

What version of Secret Server

11.0

What PowerShell host was used when producing this error

Windows PowerShell (powershell)

PowerShell Host Version

Name                           Value
----                           -----
PSVersion                      5.1.14393.4530
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.4530
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

wsmelton commented 3 years ago

The verbose output shows that it is using OAuth2 authentication. It takes the credential provided and creates the body object with grant_type = 'password'.

VERBOSE: Performing the operation "Requesting OAuth2 token from https://Myinstance.secretservercloud.eu/ with URI of [https://Myinstance.secretservercloud.eu/oauth2/token]" on target "https://Myinstance.secretservercloud.eu/".

What format is the credential you are passing?

CermakPOI commented 3 years ago

My script has been working before upgrading the module to the new version. The old version is still working!

The issue is that it connects to and returns winauthwebservices even though a credential object is passed.

It's PSCredential in this form:

UserName                     Password
--------                     --------
svcTSS   System.Security.SecureString

wsmelton commented 3 years ago

I am unable to replicate the issue you are seeing. The logical workflow of New-TssSession has not been changed since version 0.33.1, what is in 0.42.0 still exists as-is in 0.50.1, and in the release pushed out yesterday (0.51.0).

The only way it sets IWA is if a specific parameter is provided:

https://github.com/thycotic-ps/thycotic.secretserver/blob/5dfa43e57c686b9070aed7c5397e4ff3ab04a7f1/src/functions/authentication/New-TssSession.ps1#L116-L118

A small mention: the use of Remove-Module Thycotic.SecretServer will not completely remove the module from your PowerShell session now that it uses a binary library. The cleanest way with testing between versions will be to restart your PowerShell session.

wsmelton commented 3 years ago

I'm not able to reproduce this in the latest release. I would recommend a few things to try out:

In the next release (0.52.0) I am adding more verbose output to New-TssSession to help troubleshoot this a bit more. In version 0.48.0 the module had the PowerShell classes converted to a C# library but logically that command has stayed the same since Windows Auth support was added in v0.30.0 on February 2, 2021.
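As an added example (not part of the thread and not code from the module): a guard a script can run on a session object after a credential logon, checking the fields that differ between the failing and working session dumps in the report so the script stops instead of continuing with an unauthenticated session. The function name `Test-SessionMatchesCredentialLogon` and both sample objects are assumptions constructed here; only the property names and values come from the output shown above.

```powershell
# Added example: hypothetical helper, not part of Thycotic.SecretServer.
# Verifies that a session object looks like the result of a successful
# OAuth2 (credential) logon rather than an empty or Windows-auth session.
function Test-SessionMatchesCredentialLogon {
    param(
        [Parameter(Mandatory)] $Session,
        [datetime] $Now = (Get-Date)
    )
    $problems = New-Object System.Collections.Generic.List[string]

    if ($Session.TokenType -ne 'bearer') {
        $problems.Add("TokenType is '$($Session.TokenType)', expected 'bearer'")
    }
    if ([string]::IsNullOrEmpty($Session.AccessToken)) {
        $problems.Add('AccessToken is empty')
    }
    if ($Session.ApiUrl -match '/winauthwebservices/') {
        $problems.Add('ApiUrl points at winauthwebservices')
    }
    if ($Session.TimeOfDeath -le $Now) {
        $problems.Add("TimeOfDeath $($Session.TimeOfDeath.ToString('s')) is not in the future")
    }

    [pscustomobject]@{
        Usable   = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Constructed samples mirroring the two session dumps in the report.
# The token value is a placeholder, not a real token.
$failed = [pscustomobject]@{
    ApiUrl      = 'https://Myinstance.secretservercloud.eu/winauthwebservices/api/v1'
    AccessToken = ''
    TokenType   = 'WindowsAuth'
    TimeOfDeath = [datetime]::MinValue
}
$working = [pscustomobject]@{
    ApiUrl      = 'https://Myinstance.secretservercloud.eu/api/v1'
    AccessToken = 'placeholder-token'
    TokenType   = 'bearer'
    TimeOfDeath = [datetime]'2021-08-16T09:18:45'
}
$now = [datetime]'2021-08-16T09:00:00'   # fixed clock so the result is reproducible

Test-SessionMatchesCredentialLogon -Session $failed  -Now $now | Format-List
Test-SessionMatchesCredentialLogon -Session $working -Now $now | Format-List
```

In a real script, pass the object returned by New-TssSession and throw when `Usable` is false, so later calls never run against a session that did not authenticate.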