Authentication through API

Hi

In our company we would like to substitute System Center Orchestrator. Most of the Runbooks are calling PowerShell scripts. It looks like Universal Automation is a potential solution.

At the moment I am struggling with the authentication.
I try to authenticate against the PowerShell Universal (1.1.0) running as a Windows service, so I can use the REST API to invoke scripts, monitor jobs etc. from other servers. But no luck so far. What am I doing wrong? How can I achieve this?

regards

Hey @viscop,

API authentication is typically managed through app tokens. You can assign those in the UI or generate them with the PSU cmdlets. That said, you’ll need at least one app token to start using the API. This is how we do that in our tests.

    # Sign in with form credentials and keep the session cookie in $PUWS
    Invoke-WebRequest "$Address/api/v1/signin" -Method Post -Body (@{ username = 'admin'; password = '1234' } | ConvertTo-Json) -SessionVariable 'PUWS' -ContentType 'application/json' | Out-Null
    # Use the signed-in session to grant an app token
    $AppToken = (Invoke-WebRequest "$Address/api/v1/apptoken/grant" -WebSession $PUWS).Content | ConvertFrom-Json

    # Authenticate the Universal cmdlets with the token
    Connect-UAServer -ComputerName $Address -AppToken $AppToken.Token

Once you have the token, you can either use the Universal cmdlets directly or use the Authorization header in an HTTP web request.

If you have configured a different authentication method for your PSU server, the first time login code will be different so please let me know and I can help make sure you can get logged in.


Hi adam

Thanks a lot for your support! It works great. I use it this way for example:

    $header = @{ Authorization = "Bearer $($AppToken.Token)"; 'Content-Type' = 'application/json' }
    $stat = Invoke-RestMethod -Uri http://server:5000/api/v1/job/1/log -Headers $header

btw: Is there a documentation about the available REST methods?
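The sign-in, token grant and Bearer-header call from the posts above, wrapped as functions so the password is prompted for instead of written into the script. This is an added example, not code from the thread or from PowerShell Universal; the server address and the function names are hypothetical, and form login as shown in the thread is assumed.

```powershell
# Placeholder address; the endpoints are the ones quoted in this thread.
$Address = 'https://psu.example.local'

function Get-PsuAppToken {
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # The sign-in body carries a clear-text password, so refuse plain HTTP.
    if (([uri]$Address).Scheme -ne 'https') {
        throw "Refusing to send credentials to non-HTTPS address $Address"
    }
    $body = @{
        username = $Credential.UserName
        password = $Credential.GetNetworkCredential().Password
    } | ConvertTo-Json
    # The session variable holds the sign-in cookie for the grant call only.
    Invoke-WebRequest "$Address/api/v1/signin" -Method Post -Body $body `
        -ContentType 'application/json' -SessionVariable session | Out-Null
    (Invoke-RestMethod "$Address/api/v1/apptoken/grant" -WebSession $session).Token
}

function Invoke-PsuApi {
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Token
    )
    # The token is a bearer secret: pass it in the header, never in the URL or logs.
    $headers = @{ Authorization = "Bearer $Token" }
    try {
        Invoke-RestMethod -Uri "$Address$Path" -Headers $headers
    } catch {
        $status = [int]$_.Exception.Response.StatusCode
        if ($status -eq 401) {
            # ${Path} is braced so the following ':' is not read as a drive qualifier.
            throw "401 from ${Path}: the token was rejected or its identity has no role"
        }
        throw
    }
}

$token = Get-PsuAppToken -Address $Address -Credential (Get-Credential)
Invoke-PsuApi -Address $Address -Path '/api/v1/job/1/log' -Token $token
```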

We don’t have the REST API documented at the moment. We’ll be exposing Swagger documentation in the next version (1.2).

Hey @adam,

Are there any plans for the /api/v1/signin to support the -UseDefaultCredentials param from Invoke-RestMethod or Invoke-WebRequest if hosted on IIS with ADAuthentication?

Can you call the other API endpoints without calling signin first? It should perform the Windows auth then. Just a guess. I should have some time to configure and try this later.

    Invoke-WebRequest http://localhost/api/v1/script -UseDefaultCredentials

Hi @adam,

I did try and am still getting response 401; have you been able to make some tests on your side?

I see in IIS logs that the request is done using the correct identity, but still getting a 401. Form authentication is based on this configuration but nothing shows up in the logs that are supposed to be generated by the authentication.

It looks like something isn’t right. What I’m seeing is that the authorization policies aren’t running correctly for Windows auth. I can login but it looks like I don’t have a role assigned and that’s probably why you are still seeing a 401. I’ll see if I can figure it out.

EDIT: They are running, I guess but something else is going on. Trying to get to the bottom of it…

I thought that it may come from the policies but, tbh, I’m not 100% sure about how the policies work yet, so I didn’t want to point the finger in that direction right away. The IIS logs are telling me that the user account that is doing the query is the correct one. I did try with Postman as well but still no luck.

If you want me to do some more testing or test something in particular, feel free to let me know.

The policies are very similar to UD authorization policies where you receive information about the user and need to return $true or $false based on that user’s info. This results in a list of roles assigned to the user based on which policy was successful. By default, users will have all roles.

It looks like it’s correctly evaluating the policies but the user’s roles are not being persisted for some reason. I’ll try to get to the bottom of it today with a fix in tonight’s nightly release for you to give a shot.
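A local model of the policy evaluation described above: each role policy receives the user and returns $true or $false, and the roles granted are the ones whose policy succeeded. This is an added example, not PowerShell Universal's own code. The role names, account name and SIDs are constructed, and passing the user as a .NET ClaimsPrincipal is an assumption.

```powershell
using namespace System.Security.Claims

# Hypothetical role policies; each must return a literal $true to grant the role.
$policies = [ordered]@{
    Administrator = { param($User) $User.HasClaim([ClaimTypes]::GroupSid, 'S-1-5-21-0-0-0-1111') }
    Operator      = { param($User) $User.Identity.Name -like 'CONTOSO\svc-*' }
    Reader        = { param($User) $User.Identity.IsAuthenticated }
}

function Get-GrantedRole {
    param(
        [Parameter(Mandatory)][ClaimsPrincipal]$User,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Policies
    )
    foreach ($name in $Policies.Keys) {
        # A policy that throws or returns anything but $true grants nothing.
        try { $result = & $Policies[$name] $User } catch { $result = $false }
        if ($result -is [bool] -and $result) { $name }
    }
}

# Constructed identity, shaped like a Windows-authenticated service account.
$claims = [Claim[]]@(
    [Claim]::new([ClaimTypes]::Name, 'CONTOSO\svc-runbook'),
    [Claim]::new([ClaimTypes]::GroupSid, 'S-1-5-21-0-0-0-2222')
)
$user = [ClaimsPrincipal]::new([ClaimsIdentity]::new($claims, 'Negotiate'))

$roles = @(Get-GrantedRole -User $user -Policies $policies)
if ($roles.Count -eq 0) {
    # An authenticated user with no role is the 401 case seen in this thread.
    'No role granted: the request would be authenticated but not authorized'
} else {
    "Roles for $($user.Identity.Name): $($roles -join ', ')"
}
```

With the constructed identity the Administrator policy fails on the group SID while Operator and Reader succeed, which is the distinction to check when the IIS log shows the right account and the API still answers 401.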

Awesome ! Thx a lot @adam !

I got this working. There were actually a couple problems that I had to iron out but it’s looking good now. Tonight’s nightly build of 1.3 will have this fix in it.

    PS C:\Users\adamr> iwr http://localhost:82/test -UseDefaultCredentials -AllowUnencryptedAuthentication

    StatusCode        : 200
    StatusDescription : OK
    Content           : # Enter your script to process requests.
    RawContent        : HTTP/1.1 200 OK
                        Cache-Control: no-cache
                        Transfer-Encoding: chunked
                        Server: Kestrel
                        Persistent-Auth: true
                        WWW-Authenticate: Negotiate oRswGaADCgEAoxIEEAEAAADSBAwDdEgBJwAAAAA=
                        Date: Tue, 30 Jun 20…
    Headers           : {[Cache-Control, System.String[]], [Transfer-Encoding, System.String[]], [Server,
                        System.String[]], [Persistent-Auth, System.String[]]…}
    Images            : {}
    InputFields       : {}
    Links             : {}
    RawContentLength  : 40
    RelationLink      : {}


    PS C:\Users\adamr> iwr http://localhost:82/test
    Invoke-WebRequest:


    IIS 10.0 Detailed Error - 401.2 - Unauthorized

Yay ! Well done ! thx a ton !

Where will I find the nightly build btw @adam ?

Hey @adam, just downloaded the nightly 1.3.0 zip file, login page shows up but the web site ain’t loading.

Any clue why?

Thx !

Can you look in your browser to see if there are any errors in the console (F12)?
Can you look in the logs folder to see if there are any errors in there? C:\ProgramData\PowerShellUniversal

I just downloaded the nightly zip from the website and it’s loading for me so maybe we have something environmental going on.

I just realized that the nightly is messed up. It’s not actually the latest build. Looking into it. I’ll publish a new nightly when it’s available.

Ok. The build publishing has been fixed: https://imsreleases.z19.web.core.windows.net/

Sorry about that.

Hey @adam,

I installed the new 1.3.0 nightly and it starts up nicely :) thx !

I did try the Invoke-RestMethod https://server.domain.local/user/12 -UseDefaultCredentials command again and still get a 401.

Have you done some tuning on your IIS? I see the request coming in the logs [C:\ProgramData\PowerShellUniversal].

Shall I uninstall and reinstall everything from scratch, or won’t it help?

Policies are still the default, so defined identities should get all roles as far as I understood.

Thanks in advance ! :)

Hmmm. Let me give this a shot today and validate that everything is working as expected on my end again. I don’t have any weird stuff in my IIS configuration that I’m aware of.

@Speegel, I’ve been working on an API for the past week or so, and I’m just now downloading the nightly to try to utilize the Upload/Download functionality. (I have a pretty lightweight workaround for file upload if you have control of both sides and are using PowerShell on both sides using ByteStreams and JSON.)

As for permissions, I noticed you’re using -UseDefaultCredentials, have you created an identity for, and set the appropriate role of whatever user you’re running the client PowerShell instance as?

I’m using Windows Auth, which gets a little fuzzy, but don’t seem to have any issues with 401 errors when everything is configured properly in terms of roles and such (and web.config/appsettings.json).