October 17, 2017 at 11:49 am

A little background... we have a PAM (privileged access management) solution called CyberArk that rotates our admin credentials and provides a secure portal for RDP, SSH, etc. I am programmatically trying to check out the password through the REST request and pass those creds into the custom PS object so I can log into O365.

$url = "https://cyberark/vault/mycredslocation"
$response = Invoke-RestMethod -uri $url

$password = ConvertTo-SecureString $response.content -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential($response.UserName + "@domain.com", $password)

Set-ExecutionPolicy RemoteSigned

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/?proxymethod=rps -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $Session -AllowClobber

Error message is:
New-PSSession : The WinRM client cannot process the request. Requests must include user name and password when Basic or Digest authentication mechanism is used. Add the user name and password or change the
authentication mechanism and try the request again.
At C:\Scripts\users\aim2.ps1:13 char:12
+ $Session = New-PSSession -ConfigurationName Microsoft.Exchange -Conne ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (https://outlook...proxymethod=rps:Uri) [New-PSSession], PSInvalidOperationException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed,Microsoft.PowerShell.Commands.NewPSSessionCommand

Import-PSSession : Cannot validate argument on parameter 'Session'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At C:\Scripts\users\aim2.ps1:14 char:18
+ Import-PSSession $Session -AllowClobber
+ ~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Import-PSSession], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.ImportPSSessionCommand

I have tried the different types of authentication mechanisms and still get various errors. I have verified the proper username and password are being checked out. I have also used this code to connect to other servers and it works fine.

October 17, 2017 at 11:53 am

I tried the other various O365 services (connect-msol, and skype) and got this error with Skype:
You must specify a user principal name in the format of User@Domain.Com.

So this might be an issue with the way I am appending the domain name to the username.

October 17, 2017 at 1:48 pm

I think you're right in regards to the username build. I would check the value of your "$cred" variable to confirm what is actually being passed through. Additionally, it may help to separate the build:

$url = "https://cyberark/vault/mycredslocation"
$response = Invoke-RestMethod -uri $url

$password = ConvertTo-SecureString $response.content -AsPlainText -Force
$username = "$($response.username)@domain.com"

$cred = New-Object System.Management.Automation.PSCredential($username, $password)

October 17, 2017 at 4:53 pm

That worked!

Can you explain to me what the $ in front of "$($response.username)@domain.com" is?

October 17, 2017 at 6:49 pm

In this case, the first "$" is being used as part of a sub-expression operator that allows us to define the expanded string that is '$response.username' + '@domain'. I like to think of it like defining a new variable made up of multiple parts. Here is some more info about it:

PowerShell: Using Subexpressions Within Strings
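
An added example, not part of the original posts: it shows how the inline argument list from the first post is evaluated, then builds and validates the user principal name before any connection is attempted. The `$response` object is a constructed stand-in for the vault's reply, `New-UpnCredential` is a hypothetical helper name, and `domain.com` is the placeholder domain used in the thread.

```powershell
# Constructed stand-in for the vault's REST response; the values are made up.
$response = [pscustomobject]@{ UserName = 'svc-o365'; Content = 'Constructed-Passw0rd!' }
$password = ConvertTo-SecureString $response.Content -AsPlainText -Force

# The comma operator binds tighter than '+', so the argument list from the
# first post is evaluated as $response.UserName + ("@domain.com", $password):
# one string with the array joined onto it, not a (username, password) pair.
$asWritten = ($response.UserName + "@domain.com", $password)
$asWritten.GetType().Name
$asWritten

function New-UpnCredential {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [psobject]     $Response,
        [Parameter(Mandatory)] [securestring] $Password,
        [Parameter(Mandatory)] [string]       $Domain
    )
    # Inside double quotes, "$Response.UserName" would expand only $Response;
    # the subexpression operator $( ) evaluates the property access first.
    $upn = "$($Response.UserName)@$Domain"

    # Fail here, before any connection attempt, if the name is not user@domain.tld
    # (for example when the vault response carried no UserName).
    if ($upn -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        throw "Username '$upn' is not in User@Domain.Com form."
    }
    New-Object System.Management.Automation.PSCredential -ArgumentList $upn, $Password
}

$cred = New-UpnCredential -Response $response -Password $password -Domain 'domain.com'

# Confirm what will actually be passed to -Credential, without printing the password.
$cred.UserName
```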