Maria
Posted October 15, 2022

Hello!

I have installed Passwordstate using forms-based authentication. Later on, I have connected an AD domain. My question is the following: can I use the WinAPI with AD domain accounts for this type of installation?

Note 1: Using API keys works perfectly.
Note 2: If I try to use the WinAPI via PowerShell with a domain account, I get a "You do not have permission to view this directory or page".

Any advice would be useful. Thank you in advance.

support
Posted October 17, 2022

Hi Maria,

Unfortunately, the account that you are running the API script under must have an account in Passwordstate, and have permissions to the objects in Passwordstate it needs to query/modify. For this reason, the local accounts in the Forms based install won't work.

You should be able to convert over your Forms Based install to an AD integrated one with this guide though, then the WinAPI should work: https://www.clickstudios.com.au/downloads/version9/Local_Logins_to_Active_Directory_Migration.pdf

Regards,
Support

Maria
Posted October 18, 2022

First of all, thank you for your answer. I'm aware that WinAPI won't work for the local account. I was wondering if the AD users, from the trusted domain, can use the WinAPI. They have accounts in Passwordstate and they have permissions over the object.

Yet, when I try to query for - let's say a Password List - using -UseDefaultCredentials on any AD user account (which has access to Passwordstate), I get this error: "You do not have permission to view this directory or page"

Even if I specify the credentials, I get the same error.

Thank you again for your support.

support
Posted October 19, 2022

Hi Maria,

Sorry I didn't read your first message properly :(

I've just tested this and it works well for me. I have Passwordstate installed on domain A, and have added a user from trusted Domain B into Passwordstate. I then logged into Passwordstate as that user, and created a shared Password List, with one password, so the user has Admin rights to that list.

I then logged into a computer on Domain B as the test user, and ran the following script, which returned info about the Password List I created (I put the certificate trust code at the top, otherwise I was getting a different error).

```powershell
#-----------------------------------------------------------------------------------------------
# Trust any Self-Signed Certificates which may be in use
#-----------------------------------------------------------------------------------------------
# CheckValidationResult always returns true, so every server certificate is
# accepted for the rest of this PowerShell session.
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
# Use TLS 1.2 for the connection
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::TLS12

# Query one Password List as the logged-on Windows user
$PasswordstateUrl = 'https://passwordstateURL.clickdemo.com/winapi/passwordlists/7381'
Invoke-Restmethod -Method GET -Uri $PasswordstateUrl -UseDefaultCredentials
```

You mentioned you had permissions to the Object, but just want to confirm? Can you provide some example API code you are running, and I can test the exact code in our environment?

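The script in the post above accepts every server certificate. As an added example (not part of the original thread and not Click Studios' code), the same call can accept only one known self-signed certificate by pinning its thumbprint. It assumes Windows PowerShell 5.1; the `PinnedCertPolicy` class name and the thumbprint value are hypothetical placeholders.

```powershell
# Added example: accept only the expected self-signed certificate (Windows PowerShell 5.1).
# PinnedCertPolicy is a hypothetical helper name; the thumbprint below is a placeholder.
Add-Type @"
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public static class PinnedCertPolicy {
    public static string ExpectedThumbprint = "";
    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors) {
        // A certificate that already validates against the machine trust store is accepted.
        if (errors == SslPolicyErrors.None) { return true; }
        // Otherwise accept it only when it is exactly the pinned certificate.
        if (cert == null || ExpectedThumbprint.Length == 0) { return false; }
        string actual = new X509Certificate2(cert).Thumbprint;
        return string.Equals(actual, ExpectedThumbprint, StringComparison.OrdinalIgnoreCase);
    }
}
"@

# Placeholder: thumbprint of the certificate you expect the Passwordstate site to present.
[PinnedCertPolicy]::ExpectedThumbprint = '<THUMBPRINT-OF-PASSWORDSTATE-CERT>'

# A compiled static method is used because the callback can run on a thread that has
# no PowerShell runspace, where a script block would fail.
$delegateType = [System.Net.Security.RemoteCertificateValidationCallback]
$callback = [Delegate]::CreateDelegate($delegateType, [PinnedCertPolicy].GetMethod('Validate'))
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $callback
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

# URL taken from the post above.
$PasswordstateUrl = 'https://passwordstateURL.clickdemo.com/winapi/passwordlists/7381'
Invoke-RestMethod -Method GET -Uri $PasswordstateUrl -UseDefaultCredentials
```
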
Maria
Posted October 19, 2022

Hello and thank you for your help.

I will provide you with the full context, because what I'm using here is dummy data. So the domain name is rts and the user rts\administrator is the Admin of the Shared Password List, as you can see below:

The code that I'm running is a basic one, just trying to retrieve info on just this one Password List:

```powershell
$PasswordstateUrl = 'https://passwordstate/winapi/passwordlists/17'
Invoke-Restmethod -Method GET -Uri $PasswordstateUrl -UseDefaultCredentials
```

I'm logged in as this user on a machine in my domain. I don't have any cert issues, but I also tried your sample code and I get the same error.

Thank you for your support once again.

support
Posted October 20, 2022

Hi Maria,

I could be wrong, but the account you are logged in as has a capital A in the Administrator name. This makes me think you are logged in as the server\administrator account, and not the rts\administrator account.

Normally, domain accounts are all lower case in the C:\users folder, and the Local Administrator account starts with a capital.

Could you double check that and let me know if it helps?

Regards,
Support

Maria
Posted October 23, 2022

I logged in using rts\administrator from another domain-joined computer. Now I get a 401 error:

If I try to pass in the username and password, I get the same "You do not have permissions" error. Same for any other domain user.

Below you can find the WinAPI authentication settings in IIS:

I double checked that all users are allowed to use WinAPI (Feature Access - API) and that the user has permissions on the object that it is requesting.

What am I missing here?

Thank you for your support.

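The two checks discussed in the posts above, which account the session is really running as and what status the server returns, can be gathered in one run. This is an added example, not part of the original thread or Click Studios' code; it assumes Windows PowerShell 5.1 and reuses the URL from Maria's earlier post.

```powershell
# Added example (Windows PowerShell 5.1). URL taken from the earlier post.
$PasswordstateUrl = 'https://passwordstate/winapi/passwordlists/17'

# 1. Identity that -UseDefaultCredentials will present to IIS.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$authority = $identity.Name.Split('\')[0]
[pscustomobject]@{
    RunningAs      = $identity.Name
    LogonAuthType  = $identity.AuthenticationType          # e.g. Kerberos or NTLM
    IsLocalAccount = ($authority -ieq $env:COMPUTERNAME)   # True means machine\user, not domain\user
} | Format-List

# 2. Call the WinAPI and report the HTTP status instead of only the error page text.
try {
    $response = Invoke-WebRequest -Method GET -Uri $PasswordstateUrl -UseDefaultCredentials -UseBasicParsing
    "HTTP {0}: request accepted" -f [int]$response.StatusCode
}
catch [System.Net.WebException] {
    $failed = $_.Exception.Response
    if ($null -eq $failed) {
        # No HTTP response at all: DNS, TCP or TLS failure rather than an authorization problem.
        "No HTTP response: {0}" -f $_.Exception.Message
    }
    else {
        "HTTP {0} {1}" -f [int]$failed.StatusCode, $failed.StatusDescription
        # Authentication schemes the server offers for this path; empty if none was sent.
        "WWW-Authenticate: {0}" -f $failed.Headers['WWW-Authenticate']
        # 401: credentials missing or not accepted. 403: request understood but refused.
    }
}
```
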
support
Posted October 24, 2022

Hi Maria,

Could you please download and run the PowerShell script in this forum post on your Passwordstate web server, and send us the results? https://forums.clickstudios.com.au/topic/2518-passwordstate-support-information-script/

When sending the results, please contact us via this support page: https://www.clickstudios.com.au/support.aspx

We'll do a health check on your website, and if we find anything that will help with this, we'll let you know.

Regards,
Support