
Adding PKIPN option to cmdlet New-PASSession + Removing "-Credential" as mandatory parameter for PKI(PN) auth #463

Closed
MarcGroot opened this issue Mar 22, 2023 · 6 comments

Comments

@MarcGroot

Describe the issue

  1. The ValidateSet attribute for certain parameters in the New-PASSession cmdlet is missing the PKIPN option (authentication works properly when edited manually in the cmdlet)
  2. The New-PASSession cmdlet requires the parameter -Credential $cred, which is not used during PKI/PKIPN authentication

To Reproduce
Steps to reproduce the behavior:

  1. See below
  2. Using Example 12 from: https://pspas.pspete.dev/commands/New-PASSession

```powershell
New-PASSession -Credential $cred -BaseURI $url -type PKIPN -Certificate $Cert
New-PASSession -Credential $cred -BaseURI $url -type PKI -Certificate $Cert
```

Expected behavior

  1. PKIPN should be accessible via this cmdlet, since authentication works without additional settings
  2. The user should not be prompted for the -Credential parameter, because it is not required for authentication

Screenshots & Console Output

```
New-PASSession : Cannot validate argument on parameter 'type'. The argument "PKIPN" does not belong to the set "CyberArk;LDAP;Windows;RADIUS;PKI" specified by the ValidateSet attribute. Supply an argument that is in the set and then try the command again.
At line:14 char:54
+ New-PASSession -Credential $cred -BaseURI $url -type PKIPN -Certifica ...
+                                                      ~~~~~
    + CategoryInfo          : InvalidData: (:) [New-PASSession], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,New-PASSession
```

Your Environment

  • PowerShell Version: 5.1.19041.2673
  • psPAS Version: 5.5.110
  • CyberArk Version: 13.0 PVWA

Thank you for your consideration,
MarcGroot

@pspete
Owner

pspete commented Apr 11, 2023

There is zero available documentation I can find on PKIPN authentication with the API.... and currently I have no suitable environment to investigate.
Can you share any example code (i.e. using Invoke-WebRequest, or InvokeRestMethod) which allows you to successfully authenticate using PKIPN in your environment?

@MarcGroot
Author

MarcGroot commented Apr 13, 2023

Dear pspete,

When I edited New-PASSession to allow PKIPN and used this piece of code:

```powershell
# X509Certificate2UI (the certificate picker dialog) lives in System.Security
Add-Type -AssemblyName System.Security

# Collect the certificates from the current user's personal store
$MyCerts = [System.Security.Cryptography.X509Certificates.X509Certificate2[]](Get-ChildItem Cert:\CurrentUser\My)

# Let the user pick one certificate interactively
$Cert = [System.Security.Cryptography.X509Certificates.X509Certificate2UI]::SelectFromCollection(
    $MyCerts,
    'Choose a certificate',
    'Choose a certificate',
    'SingleSelection'
) | Select-Object -First 1

# $cred and $url are set earlier in the session
New-PASSession -Credential $cred -BaseURI $url -type PKIPN -Certificate $Cert
Get-PASSession
```

I get a valid session. The server log looks like this:

```
2023-04-13 13:32:40 192.168.1.1 POST /PasswordVault/api/Auth/PKIPN/Logon - 443 - 10.1.1.1 Mozilla/x.x(Windows+NT;+Windows+NT+xx.x;+en-US)+WindowsPowerShell/xxxxxxxx.xxx.xx - 200 0 0 319
```


Also with InvokeRestMethod the authentication is successful:

```powershell
$url = "https://ServerName/PasswordVault/API/auth/PKIPN/Logon/"

# X509Certificate2UI (the certificate picker dialog) lives in System.Security
Add-Type -AssemblyName System.Security

# Collect the certificates from the current user's personal store and pick one
$MyCerts = [System.Security.Cryptography.X509Certificates.X509Certificate2[]](Get-ChildItem Cert:\CurrentUser\My)
$Cert = [System.Security.Cryptography.X509Certificates.X509Certificate2UI]::SelectFromCollection(
    $MyCerts,
    'Choose a certificate',
    'Choose a certificate',
    'SingleSelection'
) | Select-Object -First 1

$headers = @{
    "Content-Type" = "application/json"
}

# The client certificate is the only authentication material sent
$response = Invoke-RestMethod -Uri $url -Method Post -Headers $headers -Certificate $Cert
$response
```

Thank you,
MarcGroot

@pspete
Owner

pspete commented Jun 10, 2023

Hi @MarcGroot

Can you please test the initial commit of the PKIPN authentication capability currently present in the pkipn branch?

If it works for you, we can promote into dev and get it into the next psPAS release :)

@MarcGroot
Author

Hi @pspete

I've tried it and PKIPN seems to work correctly, but it still requires the -Credential parameter. I am not sure whether this is not some dependency issue.

Thank you very much,
MarcGroot

@pspete
Owner

pspete commented Jun 14, 2023

Thanks for confirming - will get this initial version of the capability included in the next release 🚀

Had made Credential optional (https://github.com/pspete/psPAS/blob/e1f27e8aab73de3f22716fad5b6581dc622a042b/psPAS/Functions/Authentication/New-PASSession.ps1#LL6C4-L6C23) - so odd that it still appears to be required - will look into it

@pspete
Owner

pspete commented Jul 31, 2023

Now added in psPAS release 5.6.135

@pspete pspete closed this as completed Jul 31, 2023
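
An added example, not psPAS code and not written by either participant: one way a cmdlet can accept PKIPN in its ValidateSet and require -Credential only for the password-based types, which is what the issue asks for. The function name Resolve-DemoLogonRequest, the host pvwa.example and the per-type requirement logic are assumptions; the function only describes the request and sends nothing.

```powershell
# Added illustration, not psPAS source; Resolve-DemoLogonRequest is a hypothetical name.
function Resolve-DemoLogonRequest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$BaseURI,

        # PKIPN is accepted alongside PKI
        [Parameter(Mandatory = $true)]
        [ValidateSet('CyberArk', 'LDAP', 'Windows', 'RADIUS', 'PKI', 'PKIPN')]
        [string]$Type,

        # Optional at binding time; enforced below only where the type needs it
        [System.Management.Automation.PSCredential]$Credential,

        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $certificateTypes = 'PKI', 'PKIPN'
    $isCertificateType = $certificateTypes -contains $Type

    if ($isCertificateType) {
        if ($null -eq $Certificate) { throw "Type '$Type' requires -Certificate." }
        if ($PSBoundParameters.ContainsKey('Credential')) {
            Write-Warning "-Credential is not used for type '$Type' and is ignored."
        }
    }
    elseif ($null -eq $Credential) {
        throw "Type '$Type' requires -Credential."
    }

    # Path shape follows the PKIPN logon URL in this thread; using it for the
    # other types is an assumption of this example.
    [pscustomobject]@{
        Uri             = '{0}/PasswordVault/API/auth/{1}/Logon/' -f $BaseURI.TrimEnd('/'), $Type
        Method          = 'Post'
        UsesCertificate = $isCertificateType
        UsesCredential  = -not $isCertificateType
    }
}

# Constructed inputs: an empty certificate object and a placeholder host.
$demoCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new()
Resolve-DemoLogonRequest -BaseURI 'https://pvwa.example' -Type PKIPN -Certificate $demoCert

# A password-based type without -Credential is rejected by the body check.
try { Resolve-DemoLogonRequest -BaseURI 'https://pvwa.example' -Type LDAP }
catch { "Rejected: $($_.Exception.Message)" }
```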