Invoke-WebRequest from PowerShell returns Access Denied error

This topic contains 4 replies, has 3 voices, and was last updated by  postanote 4 months, 1 week ago.

  • #89528

    Curious Coder
    Participant

    I have a PowerShell script where I invoke an HTTP web request and then parse the response body. On my local, the request is successful and I get an HTTP response code of 200.

    However, on my Windows Server 2012, when I fire the same request via the PowerShell console, I get an exception as below. The URL is accessible from the browser on my local as well as on the Windows server.

    PS C:\> Invoke-WebRequest -URI https://testsite:8555/results.form
    Invoke-WebRequest : ERROR
    The requested URL could not be retrieved
    The following error was encountered while trying to retrieve the URL: testsite:8555
    Access Denied.
    Access control configuration prevents your request from being allowed at this time. Please contact your service
    provider if you feel this is incorrect.
    Your cache administrator is webmaster.
    Generated Mon, 18 Dec 2017 14:05:42 GMT by ip-10-160-129-105 (squid/3.5.20)
    At line:1 char:1
    + Invoke-WebRequest -URI https://testsite:8555/dmsl_monitor/results.form
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
       eption
        + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
    

    I have checked that no proxy is configured in my IE11 browser. Also, I am in the administrator group and can invoke the PS script as an administrator.

  • #89537

    Don Jones
    Keymaster

    Keep in mind that when you remote to another machine, you're passing along a delegated security token. That token cannot, by default, be passed along BY the remote machine. So, you could be running into the "second hop" problem with remoting. It's hard to say for sure since a dozen things in your environment could be impacting that, but you've eliminated what I would say are the "basic" potential causes, and this is the one difference you've not covered.

    IE, for example, passes credentials along automatically. It could be that the website is configured to demand an identity, and you're transparently providing one in most of your scenarios, but you can't across the "second hop."

    • #89594

      Curious Coder
      Participant

      Thanks Don for the input.

      I tried passing credentials but still I am getting the same error as mentioned above.

      $user = "testuser"
      $password = ConvertTo-SecureString "testpassword" -AsPlaintext -Force
      $credential = New-Object PSCredential($user, $password)
      $credential = Get-Credential
      Invoke-WebRequest https://testsite:8555/results.form -Credential $credential
      
      Invoke-WebRequest : ERROR
      The requested URL could not be retrieved
      The following error was encountered while trying to retrieve the URL: testsite:8555
      Access Denied.
      Access control configuration prevents your request from being allowed at this time. Please contact your service
      provider if you feel this is incorrect.
      Your cache administrator is webmaster.
      Generated Tue, 19 Dec 2017 12:44:24 GMT by ip-10-160-131-38 (squid/3.5.20)
      At line:1 char:1
      + Invoke-WebRequest -URI https://testsite:8555/dmsl_monitor/results.form
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
         eption
          + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
      
      

      My Windows Server 2012 R2 is hosted in the cloud and on a different domain where I have access to the URL.

  • #89618

    Don Jones
    Keymaster

    It's something on the web server wanting some identification that your server can't present. Either different domain, IP restrictions, firewall, or something. It's not a PowerShell problem.

  • #89654

    postanote
    Participant

    Ditto on what DonJ is saying...

    My thoughts are as follows... full disclosure, all the below is assuming you are using IIS.

    Does your site directory have the proper ACL applied at the file system?
    Does your site have the proper MIME types defined for what you are asking for?
    Does what you are trying to do require directory browsing to be enabled?
    What is the AppPool setting, meaning the site identity?
    Is your site set for Anonymous auth?
    Is your site set for Windows Auth, and what is the auth provider setting: FBA, left at the default of Kerberos/NTLM, or was KCD implemented for the site?
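
The error page in both transcripts above ends with "Generated ... by ip-... (squid/3.5.20)", so one check is whether .NET routes this URL through a proxy for the account running the script, and whether the denial carries headers that a proxy adds. This is an added example, not part of any post in the thread: it assumes Windows PowerShell on .NET Framework, the function name Get-DenialSource is hypothetical, and the header names are ones Squid normally sets.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 3.0+ on .NET Framework.
function Get-DenialSource {
    param([Parameter(Mandatory = $true)][uri]$Uri)

    # Proxy that .NET, and therefore Invoke-WebRequest, selects for this URI.
    # This reflects the current user's settings, including auto-detect and PAC scripts.
    $proxy    = [System.Net.WebRequest]::GetSystemWebProxy()
    $bypassed = $proxy.IsBypassed($Uri)
    $proxyUri = if ($bypassed) { $null } else { $proxy.GetProxy($Uri) }

    $resp = $null
    try {
        $resp = [System.Net.WebRequest]::Create($Uri).GetResponse()
    }
    catch {
        # .NET method calls wrap the WebException; unwrap it to reach the error response.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
        if ($ex) { $resp = $ex.Response }
    }

    # Collect headers that identify an intermediary (names assumed from Squid's usual output).
    $seen   = [ordered]@{}
    $status = $null
    if ($resp) {
        $status = [int]$resp.StatusCode
        foreach ($name in 'Server', 'Via', 'X-Squid-Error', 'X-Cache') {
            if ($resp.Headers[$name]) { $seen[$name] = $resp.Headers[$name] }
        }
        $resp.Close()
    }

    [pscustomobject]@{
        Uri                 = $Uri
        ProxySelected       = $proxyUri      # $null means the request goes direct
        Status              = $status        # $null means no HTTP response at all (DNS, TLS, timeout)
        IntermediaryHeaders = $seen
        # True when the error page itself was produced by Squid rather than the site.
        SquidGenerated      = [bool]($seen['X-Squid-Error'] -or ($seen['Server'] -match 'squid'))
    }
}

# URL taken from the thread; run this as the same account that runs the script.
Get-DenialSource -Uri 'https://testsite:8555/results.form' | Format-List
```

If ProxySelected is empty but SquidGenerated is true, the proxy sits in the network path (transparent interception) rather than in the machine's proxy settings.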
