In our company we would like substitute system center orchestrator. Most of the Runbooks are calling powershell scripts. It looks like Universal Automation is a potential solution.
At the moment I struggling with the authentication.
I try to authenticate against the PowerShell Universal (1.1.0) running as a Windows service, so I can use the REST API to invoke scripts, monitor jobs etc. from other servers. But no luck so far. What I’m doing wrong. How can I achieve this?
API authentication is typically managed through app tokens. You can assign those in the UI or generate them with the PSU cmdlets. That said, you’ll need at least one app token to start using the API. This is how we do that in our tests.
I did try and still getting respons 401, have you been able to make some tests on your side?
I see in IIS logs that the request is done using the correct identity, but still getting a 401. Form authentication is based on this configuration but nothing shows up in the logs that are supposed to be generated by the authentication.
It looks like something isn’t right. What I’m seeing is that the authorization policies aren’t running correctly for Windows auth. I can login but it looks like I don’t have a role assigned and that’s probably why you are still seeing a 401. I’ll see if I can figure it out.
EDIT: They are running, I guess but something else is going on. Trying to get to the bottom of it…
I thought that it may comes from the policies but, tbh I’m not 100% sure about how the policies works yet so I didn’t want to finger point in that direction right away. IIS logs are telling that the user account that is doing the query is the correct one, I did try with postman as well but still no luck
if you want me to do some more testing or testing something in particular feel free to let me know.
The policies are very similar to UD authorization policies where you receive information about the user and need to return $true or $false based on that user’s info. This results in a list of roles assigned to the user based on which policy was successful. By default, users will have all roles.
It looks like it’s correctly evaluating the policies but the user’s roles are not being persisted for some reason. I’ll try to get to the bottom of it today with a fix in tonight’s nightly release for you to give a shot.
@Speegel, I’ve been working on an API for the past week or so, and I’m just now downloading the nightly to try to utilize the Upload/Download functionality. (I have a pretty lightweight workaround for file upload if you have control of both sides and are using PowerShell on both sides using ByteStreams and JSON.)
As for permissions, I noticed you’re using -UseDefaultCredentials, have you created an identity for, and set the appropriate role of whatever user you’re running the client PowerShell instance as?
I’m using Windows Auth, which gets a little fuzzy, but don’t seem to have any issues with 401 errors when everything is configured properly in terms of roles and such (and web.config/appsettings.json)