ISPSS New-PASSession returns a session but none of the cmdlets work

[walidhammad]

Describe the issue
While the new module update to include ISPSS seems to connect, I cannot access any of the cmdlets results.

To Reproduce
Installing the module
Connecting to ISPSS using service account
Running cmdlets

Expected behavior
I expect to be able to get results for any of the cmdlets of this module.

$ get-module pspas -ListAvailable

$ install-module pspas -RequiredVersion 5.5.110

$ get-module pspas -ListAvailable

    Directory: xxxxxxx

ModuleType Version    PreRelease Name                                PSEdition ExportedCommands
---------- -------    ---------- ----                                --------- ----------------
Script     5.5.110               psPAS                               Desk      {New-PASSession, Close-PASSession, Add-PASPublicSSHKey, Get-PASPublicSSHKey…}


$ $pcloudlogin = Get-Credential -UserName xxxxx@xxxxxxxxx

PowerShell credential request
Enter your credentials.
Password for user xxxxx@xxxxxxxxx: ****************************************


$ New-PASSession -TenantSubdomain xxxxxxx -Credential $pcloudlogin -Verbose
VERBOSE: Performing the operation "Logon" on target "https://xxxxxxx.id.cyberark.cloud/oauth2/platformtoken".
VERBOSE: HTTP/1.1 POST with 141-byte payload
VERBOSE: received 2120-byte response of content type application/json
VERBOSE: HTTP/1.1 GET with 0-byte payload

$ Get-PASSession

User BaseURI                                                     ExternalVersion WebSession
---- -------                                                     --------------- ----------
     https://xxxxxxx.privilegecloud.cyberark.cloud/PasswordVault 0.0             Microsoft.PowerShell.Commands.WebRequestSession

$ Get-PASServer
Invoke-PASRestMethod:
Line |
  14 |  …   $result = Invoke-PASRestMethod -Uri $URI -Method GET -WebSession $S …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | No such host is known.

$ Get-PASLoggedOnUser
Invoke-PASRestMethod:
Line |
  16 |  …   $result = Invoke-PASRestMethod -Uri $URI -Method GET -WebSession $S …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | No such host is known.

$ Get-PASSafe
Invoke-PASRestMethod:
Line |
 230 |  …   $result = Invoke-PASRestMethod -Uri $URI -Method GET -WebSession $S …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | No such host is known.

$ Get-PASComponentSummary
Invoke-PASRestMethod:
Line |
  18 |  …   $result = Invoke-PASRestMethod -Uri $URI -Method GET -WebSession $S …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | No such host is known.

$ Get-PASAccount
Invoke-PASRestMethod:
Line |
 197 |  …   $result = Invoke-PASRestMethod -Uri $URI -Method GET -WebSession $S …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | No such host is known.

Your Environment
Windows:
Name Value

---

PSVersion 7.3.3
PSEdition Core
GitCommitId 7.3.3
OS Microsoft Windows 10.0.22621
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0

Mac:
Name Value

---

PSVersion 7.3.3
PSEdition Core
GitCommitId 7.3.3
OS Darwin 22.3.0 Darwin Kernel Version 22.3.0: Mon Jan 30 20:38:37 PST 2023; root:xnu-8792.81.3~2/RELEASE_ARM64_T60…
Platform Unix
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0

• PowerShell Version: 7.3.3
• psPAS Version: 5.5.110
• CyberArk Version: ISPSS 13.0

Additional context
Add any other context about the problem here.

[walidhammad]

I can still connect with older module + issue#402 work around and do everything I need

$ Get-PASSession

User                     BaseURI                                                       ExternalVersion WebSession
----                     -------                                                       --------------- ----------
xxxxx@xxxxxxxxx https://xxxxxxxx.privilegecloud.cyberark.cloud/PasswordVault 13.0.0          Microsoft.PowerShell.Commands.WebRequestSession

$ Get-PASServer 

ExternalVersion InternalVersion ServerName
--------------- --------------- ----------
13.0.0          13.0.0.9        Vault

$ Get-PASLoggedOnUser

AgentUser    : False
Disabled     : False
Email        : 
Expired      : False
ExpiryDate   : 
FirstName    : Privilege
LastName     : user
Location     : \
Source       : Internal
Suspended    : False
UserName     : xxxxx@xxxxxxxxx
UserTypeName : EPVUser

[pspete]

It would be expected for both a username & the version information to be included in the get-passession output...

If the "WebSession" object is examined, does it include a bearer token?

PS C:\Users\petem> Get-PASSession | Select -ExpandProperty WebSession | select -ExpandProperty Headers

Key           Value                                                                                                                                                                                                    
---           -----                                                                                                                                                                                                    
Authorization Bearer SomeLongStringSomeLongStringSomeLongStringSomeLongStringSomeLongString...

[walidhammad]

Yes

Get-PASSession | Select -ExpandProperty WebSession | select -ExpandProperty Headers

Key           Value
---           -----
Authorization Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjRBOTJBRkUxRjIxMkZCQTJEN0M2MDg4NjE3N0ZGRTMxNEZCMkE1QTgiLCJ4NXQiOiJTcEt2NGZJUy…

[pspete]

is the https://xxxxxxx.privilegecloud.cyberark.cloud/PasswordVault value from Get-PASSession as expected?

does it match the value you see when using the issue #402 workaround?

[pspete]

Yes

Get-PASSession | Select -ExpandProperty WebSession | select -ExpandProperty Headers

Key           Value
---           -----
Authorization Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjRBOTJBRkUxRjIxMkZCQTJEN0M2MDg4NjE3N0ZGRTMxNEZCMkE1QTgiLCJ4NXQiOiJTcEt2NGZJUy…

Can you see if the Bearer token is able to be used outside of the module?
Like described here: #464 (comment)

[walidhammad]

is the https://xxxxxxx.privilegecloud.cyberark.cloud/PasswordVault value from Get-PASSession as expected?

does it match the value you see when using the issue #402 workaround?

No, the xxxxxxx returned is the identity tenant, which is in https://xxxxxxx.id.cyberark.cloud/oauth2/platformtoken instead of the privilege cloud pvwa name https://xyz.privilegecloud.cyberark.cloud/PasswordVault

[walidhammad]

Yes

Get-PASSession | Select -ExpandProperty WebSession | select -ExpandProperty Headers

Key           Value
---           -----
Authorization Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjRBOTJBRkUxRjIxMkZCQTJEN0M2MDg4NjE3N0ZGRTMxNEZCMkE1QTgiLCJ4NXQiOiJTcEt2NGZJUy…

Can you see if the Bearer token is able to be used outside of the module? Like described here: #464 (comment)

I can by replacing baseurl with https://xyz.privilegecloud.cyberark.cloud/PasswordVault instead of https://xxxxxxx.privilegecloud.cyberark.cloud/PasswordVault and it returns users.

[pspete]

OK, so your scenario is that the Identity & Privilege Cloud subtenant names are different?
Will investigate how to cater for this.

[bab29]

@pspete The URL that is used for "Identity" (Authentication, user updates, etc) operations will always go to a URL that uses "????.my.idaptive.app" (???? Assigned by CyberArk) while any operation that goes to a "PCloud" (Accounts, Safes, Ownership, etc) will go to the "{subdomain}.id.cyberark.cloud" (Subdomain chosen by the tenant)

This line is using a incorrect URL
New-PASSession.ps1
$LogonRequest['Uri'] = "https://${TenantSubdomain}.id.cyberark.cloud/oauth2/platformtoken"

This line needs to be updated to use the "Identity" tenant then the code should work.

Suggestion:

New-PASSession.ps1
[Parameter(Mandatory = $true, ValueFromPipeline = $false, ValueFromPipelinebyPropertyName = $true, ParameterSetName = 'SharedServices')] [string]$IdentityID,

$LogonRequest['Uri'] = "https://${IdentityID}.id.cyberark.cloud/oauth2/platformtoken"

Note that $Uri being set is correct and should use the TenantSubdomain, it is just the oauth token request that needs to go to the "Identity" Uri

New-PASSession.ps1
$Uri = "https://${TenantSubdomain}.privilegecloud.cyberark.cloud/$PVWAAppName"

[pspete]

1st generation URLs (like ????.my.idaptive.app) are not yet catered for in the module, we currently assume the URL for current day systems.
{subdomain} can be configured as a tenant URL for the Identity portal, which should allow authentication to proceed.

Nevertheless, will work to add some additional logic into the module to cater for different configurations.

[pspete]

It si expected that most Shared Services implementations will be configured so that Identity and Privileged Cloud portal addresses share a common subdomain.

Where this is not the case, and Identity and Privilege Cloud portals do not share an identical subdomain, in the latest psPAS release 5.6.135, subdomain values or portal URL values can be specified independently: https://pspas.pspete.dev/docs/authentication/#shared-services-authentication

[walidhammad]

1st generation URLs (like ????.my.idaptive.app) are not yet catered for in the module, we currently assume the URL for current day systems. {subdomain} can be configured as a tenant URL for the Identity portal, which should allow authentication to proceed.

Nevertheless, will work to add some additional logic into the module to cater for different configurations.

Thank you! The last release works by giving me the options to specify identitysubdomain and tenantsubdomain.

The reason we cannot have them be the same is due to it being Identity Security Platform tenant which makes identitysubdomain a pre generated string

[pspete]

Great it works for you.
I Don't think a custom domain/ vanity URL is the same thing as a Tenant subdomain.

The process for adding a custom domain is a lot more involved than adding a subdomain.

[walidhammad]

I Don't think a custom domain/ vanity URL is the same thing as a Tenant subdomain.

It is

https://docs.cyberark.com/Idaptive/Latest/en/Content/GetStarted/CustomDomain.htm