PSU 1.5.0 - Universal API Authentication issue

Product: PowerShell Universal - Universal API
Version: 1.5.0
Type: MSI Install

Good day!

I’ve got Windows Authentication set up for Kestrel in appconfig.json and working in other components of PSU.

I’m having trouble getting Universal API endpoints to work with authentication.
I’ve got a simple test endpoint set up that returns $True with the below config:

Method: Get
Url: /test_windowsauth
Role: TestRole
Authentication: Enabled

I’m getting 401s on my requests. The log isn’t throwing any errors… the only odd thing that stands out is that the request starts twice: first without evaluating claims for the user, and second with evaluating claims.

PS >> irm -UseDefaultCredentials

2020-11-30T11:22:05.5924953-05:00 0HM4L9D8NKEKQ:00000001 [INF] Request starting HTTP/1.1 GET  0 (ca22a1cb)
2020-11-30T11:22:05.5928643-05:00 0HM4L9D8NKEKQ:00000001 [INF] AuthenticationScheme: "Negotiate" was challenged. (d45f1f38)
2020-11-30T11:22:05.5929931-05:00 0HM4L9D8NKEKQ:00000001 [INF] AuthenticationScheme: "Negotiate" was challenged. (d45f1f38)
2020-11-30T11:22:05.5930731-05:00 0HM4L9D8NKEKQ:00000001 [INF] Request finished in 0.608ms 401  (791a596a)
2020-11-30T11:22:05.5970182-05:00 0HM4L9D8NKEKQ:00000002 [INF] Request starting HTTP/1.1 GET  0 (ca22a1cb)
2020-11-30T11:22:05.5985338-05:00 0HM4L9D8NKEKQ:00000002 [INF] None (61c24651)
2020-11-30T11:22:05.5988295-05:00 0HM4L9D8NKEKQ:00000002 [INF] Evaluting claims for DOMAIN\USER123 (71bc73d4)
2020-11-30T11:22:05.6587115-05:00 0HM4L9D8NKEKQ:00000002 [INF] DOMAIN\USER123 is part of role Administrator (a51f0f8a)
2020-11-30T11:22:05.7566572-05:00 0HM4L9D8NKEKQ:00000002 [INF] DOMAIN\USER123 is part of role TestRole (61c7e190)
2020-11-30T11:22:05.8519287-05:00 0HM4L9D8NKEKQ:00000002 [INF] AuthenticationScheme: "Negotiate" was challenged. (d45f1f38)
2020-11-30T11:22:05.8520618-05:00 0HM4L9D8NKEKQ:00000002 [INF] AuthenticationScheme: "Negotiate" was challenged. (d45f1f38)
2020-11-30T11:22:05.8523359-05:00 0HM4L9D8NKEKQ:00000002 [INF] Request finished in 255.3125ms 401  (791a596a)

I can reproduce this issue. It works in IIS with Windows Auth but not with the MSI install. I’ll take a look to see if we can resolve this.

The reason you are seeing the request twice in the log is due to the negotiate challenge.


This has been resolved in our main branch. It will be in tonight’s nightly build and version 1.5.4 of PSU.
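
Added example, not part of the thread and not PSU code: a PowerShell function that groups log lines by their `connection:request` id and separates the expected first-leg Negotiate 401 from a 401 returned after the user's claims and role were evaluated, which is the symptom reported in the question. The function name, the `-RequiredRole` parameter and the line regex are assumptions derived from the log format shown above.

```powershell
# Lines copied from the log posted in the thread, shortened to the relevant events.
$sample = @'
2020-11-30T11:22:05.5924953-05:00 0HM4L9D8NKEKQ:00000001 [INF] Request starting HTTP/1.1 GET  0 (ca22a1cb)
2020-11-30T11:22:05.5928643-05:00 0HM4L9D8NKEKQ:00000001 [INF] AuthenticationScheme: "Negotiate" was challenged. (d45f1f38)
2020-11-30T11:22:05.5930731-05:00 0HM4L9D8NKEKQ:00000001 [INF] Request finished in 0.608ms 401  (791a596a)
2020-11-30T11:22:05.5970182-05:00 0HM4L9D8NKEKQ:00000002 [INF] Request starting HTTP/1.1 GET  0 (ca22a1cb)
2020-11-30T11:22:05.5988295-05:00 0HM4L9D8NKEKQ:00000002 [INF] Evaluting claims for DOMAIN\USER123 (71bc73d4)
2020-11-30T11:22:05.7566572-05:00 0HM4L9D8NKEKQ:00000002 [INF] DOMAIN\USER123 is part of role TestRole (61c7e190)
2020-11-30T11:22:05.8519287-05:00 0HM4L9D8NKEKQ:00000002 [INF] AuthenticationScheme: "Negotiate" was challenged. (d45f1f38)
2020-11-30T11:22:05.8523359-05:00 0HM4L9D8NKEKQ:00000002 [INF] Request finished in 255.3125ms 401  (791a596a)
'@ -split '\r?\n'

# Hypothetical helper: one result object per request id found in the log.
function Get-RequestAuthOutcome {
    param(
        [Parameter(Mandatory)][string[]]$Line,
        [string]$RequiredRole = 'TestRole'   # role configured on the endpoint
    )
    # timestamp, connectionId:requestSeq, [level], message, (event hash)
    $pattern = '^\S+\s+(?<conn>[0-9A-Z]+):(?<seq>[0-9A-F]{8})\s+\[\w+\]\s+(?<msg>.*?)\s*\([0-9a-f]{8}\)\s*$'
    $requests = [ordered]@{}
    foreach ($l in $Line) {
        if ($l -notmatch $pattern) { continue }
        $key = '{0}:{1}' -f $Matches.conn, $Matches.seq
        $msg = $Matches.msg
        if (-not $requests.Contains($key)) {
            $requests[$key] = [pscustomobject]@{ Request = $key; User = $null; Roles = @(); Status = $null }
        }
        $r = $requests[$key]
        switch -Regex ($msg) {
            # "Evaluting" is spelled as it appears in the product log.
            '^Evaluting claims for (?<user>.+)$'     { $r.User = $Matches.user }
            ' is part of role (?<role>\S+)$'         { $r.Roles += $Matches.role }
            '^Request finished in \S+ (?<code>\d{3})' { $r.Status = [int]$Matches.code }
        }
    }
    foreach ($r in $requests.Values) {
        $verdict = if ($r.Status -ne 401) { 'no 401 logged' }
        elseif (-not $r.User) { 'Negotiate challenge, client is expected to retry with a token' }
        elseif ($r.Roles -contains $RequiredRole) { "authenticated and in $RequiredRole, yet rejected" }
        else { "authenticated but not in $RequiredRole" }
        [pscustomobject]@{ Request = $r.Request; User = $r.User; Status = $r.Status; Verdict = $verdict }
    }
}

Get-RequestAuthOutcome -Line $sample | Format-Table -AutoSize
```

Only the last two verdicts point at a real problem; a lone 401 with no claims evaluation followed by a retry on the same connection is the normal Negotiate handshake.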