winapi for forms-based auth installation of passwordstate


Maria

Hello!

I have installed Passwordstate using forms-based authentication. Later on, I have connected an AD domain.

My question is the following: can I use the winapi with AD domain accounts for this type of installation?

Note1: Using API keys works perfectly.

Note2: If I try to use the winapi via PowerShell with a domain account, I get a "You do not have permission to view this directory or page".

 

Any advice would be useful.

Thank you in advance.

 


Hi Maria,

 

Unfortunately, the account that you are running the API script under must have an account in Passwordstate, and have permissions to the objects in Passwordstate it needs to query/modify.  For this reason, the local accounts in the Forms-based install won't work.

 

You should be able to convert over your Forms Based install to an AD integrated one with this guide though, then the WinAPI should work:  https://www.clickstudios.com.au/downloads/version9/Local_Logins_to_Active_Directory_Migration.pdf

 

Regards,

Support

 

 


First of all, thank you for your answer.

 

I'm aware that WinAPI won't work for the local account.

I was wondering if the AD users, from the trusted domain, can use the WinAPI. They have accounts in Passwordstate and they have permissions over the object.

Yet, when I try to query for - let's say a Password List - using -UseDefaultCredentials on any AD user account (which has access to Passwordstate), I get this error: "You do not have permission to view this directory or page"

Even if I specify the credentials, I get the same error.

 

Thank you again for your support.


Hi Maria,

 

Sorry I didn't read your first message properly :(

 

I've just tested this and it works well for me.  I have Passwordstate installed on domain A, and have added a user from trusted Domain B into Passwordstate.  I then logged into Passwordstate as that user, and created a shared Password List, with one password, so the user has Admin rights to that list.  I then logged into a computer on Domain B as the test user, and ran the following script, which returned info about the Password List I created (I put the certificate trust code at the top otherwise I was getting a different error).

 

#-----------------------------------------------------------------------------------------------
#Trust any Self-Signed Certificates which may be in use
#-----------------------------------------------------------------------------------------------
Add-Type @"
   using System.Net;
   using System.Security.Cryptography.X509Certificates;
   public class TrustAllCertsPolicy : ICertificatePolicy {
       public bool CheckValidationResult(
           ServicePoint srvPoint, X509Certificate certificate,
           WebRequest request, int certificateProblem) {
           return true;
       }
   }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

$PasswordstateUrl = 'https://passwordstateURL.clickdemo.com/winapi/passwordlists/7381'
Invoke-RestMethod -Method GET -Uri $PasswordstateUrl -UseDefaultCredentials

 

 

You mentioned you had permissions to the Object, but just want to confirm?  Can you provide some example API code you are running, and I can test the exact code in our environment?


Hello and thank you for your help.

 

I will provide you with the full context, because what I'm using here is dummy data.

So the domain name is rts and the user rts\administrator is the Admin of the Shared Password List, as you can see below:

[image]

The code that I'm running is a basic one, just trying to retrieve info on just this one Password List:

 

$PasswordstateUrl = 'https://passwordstate/winapi/passwordlists/17'
Invoke-Restmethod -Method GET -Uri $PasswordstateUrl -UseDefaultCredentials

 

[image]

 

I'm logged in as this user on a machine in my domain.

 

I don't have any cert issues, but I also tried your sample code and I get the same error.

 

Thank you for your support once again.

 

 

 


Hi Maria,

 

I could be wrong, but the account you are logged in as has a capital A in the Administrator name.  This makes me think you are logged in as the server\administrator account, and not the rts\administrator account.  Normally, domain accounts are all lower case in C:\users folder, and the Local Administrator account starts with a capital.

 

Could you double check that and let me know if it helps?

 

Regards,

Support
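
A check for the situation Support describes above, as an added example that is not part of the original thread or Click Studios' code: it reports whether the current PowerShell session runs as a local or a domain account, then records the HTTP status and WWW-Authenticate challenge returned by the WinAPI URL from Maria's post. The function names Get-LogonContext and Test-WinApiAccess are hypothetical, and the server certificate is assumed to be trusted by the client.

```powershell
# Added example (not from the thread). Assumes the server certificate is
# trusted by this client, so no certificate-policy override is used.

function Get-LogonContext {
    # Report which account this session runs as and whether it is local.
    $id     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $prefix = $id.Name.Split('\')[0]           # DOMAIN or COMPUTERNAME
    $cs     = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        Account        = $id.Name
        AuthType       = $id.AuthenticationType
        IsLocalAccount = ($prefix -ieq $env:COMPUTERNAME)
        MachineDomain  = if ($cs.PartOfDomain) { $cs.Domain } else { '(workgroup)' }
    }
}

function Test-WinApiAccess {
    # Call the WinAPI with the logged-on identity; on an HTTP error return
    # the status code and the authentication challenge instead of throwing.
    param([Parameter(Mandatory)][string]$Uri)
    try {
        $null = Invoke-RestMethod -Method Get -Uri $Uri -UseDefaultCredentials
        [pscustomobject]@{ Uri = $Uri; Status = 200; Challenge = $null }  # any 2xx
    }
    catch {
        $resp = $_.Exception.Response
        if ($null -eq $resp) { throw }         # DNS or TLS failure, no HTTP reply
        $challenge = if ($resp -is [System.Net.HttpWebResponse]) {
            $resp.Headers['WWW-Authenticate']            # Windows PowerShell 5.1
        } else {
            $resp.Headers.WwwAuthenticate -join ', '     # PowerShell 7
        }
        [pscustomobject]@{
            Uri = $Uri; Status = [int]$resp.StatusCode; Challenge = $challenge
        }
    }
}

$ctx = Get-LogonContext
$ctx | Format-List
if ($ctx.IsLocalAccount) {
    Write-Warning "Session runs as local account $($ctx.Account), not a domain account."
}
# URL taken from the post above; replace with your own Password List ID.
Test-WinApiAccess -Uri 'https://passwordstate/winapi/passwordlists/17'
```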


I logged in using rts\administrator from another domain-joined computer. Now I get a 401 error:

[image]

If I try to pass in the username and password, I get the same "You do not have permissions" error.

Same for any other domain user.

 

Below you can find the Winapi authentication settings in IIS:

[image]

 

I double checked that all users are allowed to use Winapi (Feature Access - API) and that the user has permissions on the object that is requesting. What am I missing here?

 

Thank you for your support.

 


Hi Maria,

 

Could you please download and run the PowerShell script in this forum post on your Passwordstate web server, and send us the results?  https://forums.clickstudios.com.au/topic/2518-passwordstate-support-information-script/

 

When sending the results, please contact us via this support page:  https://www.clickstudios.com.au/support.aspx

 

We'll do a health check on your website, and if we find anything that will help with this, we'll let you know.

 

Regards,

Support

 
