Closed randombuffalo closed 3 years ago
The password used for OAuth2 does not go through URL encoding as it is part of the body/arguments for the request and not the URL itself. The allowed passwords are based on the Local User Password Configuration but to date have accepted any special character that a keyboard can type.
```powershell
Import-Module C:\temp\modules\Thycotic.SecretServer\0.52.0\Thycotic.SecretServer.psd1 -PassThru
$cred = [pscredential]::new('testappaccount',(ConvertTo-SecureString 'P@ssword${123}' -AsPlainText -Force))
$session = New-TssSession -SecretServer http://rc/SecretServer -Credential $cred
Show-TssCurrentUser -TssSession $session
```
@wsmelton thanks for the first look here. That is interesting you didn't run into the issue. Did you try a password that ends with `#` or `{` as well?
Sure did (see below screenshot).
Okay, I am but a lowly user of the Secret Server instance at my organization so I will see if I can get a test account to really wrench around with.
Maybe worth mentioning for the issue's sake, both accounts were domain accounts that ran into this issue.
Verified with domain accounts as well.
If this is an account that is accessing the UI successfully I can't really see how it would not work in PowerShell credential.
If you find any more details out on the failure and it pinpoints to still be the module you can reopen this (and update the original post) or just open a new one.
@wsmelton I was able to test further today and verify that indeed certain passwords will not work with the PowerShell module. Changing the password to a URL-Encoded string before saving it to the `$oauth2Body` variable on Line 132 has shown to allow passwords with unsafe URL characters to successfully authenticate to the REST API.
I changed the line to the following:
```powershell
$oauth2Body = "username=$($Credential.Username)&password=$([System.Web.HTTPUtility]::UrlEncode($Credential.GetNetworkCredential().Password))&grant_type=password"
```
Could you please re-open this issue if you are able to re-produce this? I've added some example passwords to the issue.
Fix will be out this week.
Changes tested successfully with the following passwords:
```powershell
Import-Module .\src\Thycotic.SecretServer.psd1
$cred = [pscredential]::new('testappaccount',(ConvertTo-SecureString 'Oo57A&5srfAdo@' -AsPlainText -Force))
New-TssSession http://rc/SecretServer $cred
$cred = [pscredential]::new('testappaccount',(ConvertTo-SecureString 'Oo57A5srfAdo@&' -AsPlainText -Force))
New-TssSession http://rc/SecretServer $cred
$cred = [pscredential]::new('testappaccount',(ConvertTo-SecureString 'G*z2X1oluL31jD&#' -AsPlainText -Force))
New-TssSession http://rc/SecretServer $cred
```
Verified issue does not already exist?
Yes
What error did you receive
Passwords that contain special characters that are not URL valid will cause New-TssSession to return `{"error":"Login Failed."}` and count as a bad password attempt against the Secret Server account in use. I believe the fix would be to URL encode the strings passed as the OAuth body here.
Changing the line 132 of New-TssSession to the following appears to correct the behavior:
Please run the command using -Verbose
No response
Provide a test case or steps to reproduce
Attempt to authenticate with a password with certain unsafe URL characters. `#` or `&` have shown to reproduce this issue thus far. Example passwords:

```text
Oo57A&5srfAdo@
Oo57A5srfAdo@&
G*z2X1oluL31jD&#
```
Expected behavior
Valid passwords should authenticate without error.
What Edition of Secret Server?
Other
What version of Secret Server
10.9
What PowerShell host was used when producing this error
Windows PowerShell (powershell)
PowerShell Host Version
```text
Name                           Value
----                           -----
PSVersion                      5.1.14393.4583
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.4583
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
```
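The failure described in this issue and verified in the fix comment above comes down to how an `application/x-www-form-urlencoded` body is parsed: `&` separates fields, so a raw password containing `&` is cut short and the remainder is read as extra fields. The following is an added example, not code from the Thycotic.SecretServer module; `New-OAuth2Body` and `Test-OAuth2Body` are hypothetical helpers, the password is a constructed sample, and `HttpUtility::ParseQueryString` is used as a stand-in for the server-side form parser. It builds the body both without and with `UrlEncode` and shows what the receiving side would recover in each case.

```powershell
# Added example (not part of the Thycotic.SecretServer module). Shows why an
# unencoded password breaks the OAuth2 form body and how UrlEncode fixes it.
# ParseQueryString stands in for the server's form-urlencoded parser.
Add-Type -AssemblyName System.Web

function New-OAuth2Body {
    # Builds the OAuth2 password-grant body, optionally URL-encoding user and password
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [switch]$Encode
    )
    $user = $Credential.UserName
    $pass = $Credential.GetNetworkCredential().Password
    if ($Encode) {
        # '&' becomes %26 and '#' becomes %23, so they no longer act as delimiters
        $user = [System.Web.HttpUtility]::UrlEncode($user)
        $pass = [System.Web.HttpUtility]::UrlEncode($pass)
    }
    "username=$user&password=$pass&grant_type=password"
}

function Test-OAuth2Body {
    # Parses the body the way a form-urlencoded receiver would and reports what it sees
    param(
        [Parameter(Mandatory)][string]$Body,
        [Parameter(Mandatory)][string]$ExpectedPassword
    )
    $fields = [System.Web.HttpUtility]::ParseQueryString($Body)
    [pscustomobject]@{
        Body           = $Body
        FieldNames     = ($fields.AllKeys -join ', ')
        PasswordSeen   = $fields['password']
        GrantTypeSeen  = $fields['grant_type']
        PasswordIntact = ($fields['password'] -eq $ExpectedPassword)
    }
}

# Constructed sample password containing '&' and '#' (not a real credential)
$plain = 'G*z2X1oluL31jD&#'
$cred  = [pscredential]::new('testappaccount', (ConvertTo-SecureString $plain -AsPlainText -Force))

# Unencoded: the '&' inside the password ends the password field early, so the
# receiver sees 'G*z2X1oluL31jD' plus a stray '#' field; PasswordIntact is False
Test-OAuth2Body -Body (New-OAuth2Body -Credential $cred) -ExpectedPassword $plain | Format-List

# Encoded: the password round-trips unchanged; PasswordIntact is True
Test-OAuth2Body -Body (New-OAuth2Body -Credential $cred -Encode) -ExpectedPassword $plain | Format-List
```

Run this in Windows PowerShell 5.1 (the host reported above) and compare the two `PasswordSeen` values. The unencoded case is also why the failed attempts count against the account: the server receives a syntactically valid login with a truncated password, which is indistinguishable from a wrong password.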