Invoke-webrequest with other user credentials to access kerberos IIS Site

  • Question

  • Hi

    System:

    Using PowerShell 5.0 on Server 2012 R2

    What I want:

    I want to access/load (from another server) an IIS site which is using Kerberos authentication through PowerShell. I want to do this because I want the IIS server that is hosting the site to add an Event Viewer 4624 Security message that tells me if I authenticated using Kerberos or not.

    What Works:

    I can remotely (from another domain joined server in PowerShell) access the site from a server via:

    $SiteURL= "web.contoso.com"
    
    Invoke-WebRequest -Uri $SiteURL -SessionVariable websession -UseDefaultCredentials

    Problem:

    How can I run the same Invoke-WebRequest with another domain credential ($UseThisCredential)? Like so:

     Invoke-WebRequest -Uri $SiteURL -Credential $UseThisCredential -SessionVariable websession

    This gives me the error:

    Invoke-WebRequest : 401 UNAUTHORIZED
    At line:1 char:2
    +  Invoke-WebRequest -Uri $SiteURL -Credential $UseThisCredential -Sess ...
    +  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
        + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

    Any tips are welcome:-)

    brgs

    Bjørn

    Sunday, August 26, 2018 8:20 PM

Answers

  • Hmm, seems to be a second-hop problem of delegating credentials. Being a SharePoint man, I just thought about CredSSP authentication and voilà:

    $OpenSiteBlock = 
    {
        param($URL)
        Invoke-WebRequest -Uri $URL -SessionVariable websession -UseDefaultCredentials
    }
    Invoke-Command -ComputerName $ThisServer -ScriptBlock $OpenSiteBlock -Credential $UseThisCredential -ArgumentList $SiteURL -Authentication Credssp

    Works like a charm.

    Sunday, August 26, 2018 8:23 PM
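
One way to read the 4624 events the question refers to, as an added example that is not part of the original thread: the function parses event XML and reports which authentication package was recorded for a logon. The account name `svc-test`, the sample event and the `<IIS server>` placeholder are constructed for illustration.

```powershell
# Added example: report the authentication package recorded in 4624 (logon) events.
function Get-LogonAuthPackage {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $EventXml,
        [string] $UserName    # optional filter on TargetUserName
    )
    process {
        $xml = [xml]$EventXml
        if ($xml.GetElementsByTagName('EventID')[0].InnerText -ne '4624') { return }

        # Flatten <Data Name="..."> elements into a lookup table.
        $data = @{}
        foreach ($node in $xml.GetElementsByTagName('Data')) {
            $data[$node.GetAttribute('Name')] = $node.InnerText
        }
        if ($UserName -and $data['TargetUserName'] -ne $UserName) { return }

        [pscustomobject]@{
            TimeCreated  = $xml.GetElementsByTagName('TimeCreated')[0].GetAttribute('SystemTime')
            User         = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType    = $data['LogonType']                   # 3 = network logon
            AuthPackage  = $data['AuthenticationPackageName']   # e.g. Kerberos or NTLM
            UsedKerberos = $data['AuthenticationPackageName'] -eq 'Kerberos'
            SourceIp     = $data['IpAddress']
        }
    }
}

# Constructed sample event (trimmed to the fields used above), so this runs offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2018-08-26T20:23:00Z" /></System>
  <EventData>
    <Data Name="TargetUserName">svc-test</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="IpAddress">10.0.0.5</Data>
  </EventData>
</Event>
'@
$sample | Get-LogonAuthPackage -UserName 'svc-test'

# Against the live Security log (requires rights to read it on the IIS server):
# Get-WinEvent -ComputerName '<IIS server>' -MaxEvents 200 `
#     -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
#     ForEach-Object { $_.ToXml() } | Get-LogonAuthPackage -UserName 'svc-test'
```

With the `Invoke-Command` approach from the answer, the web request is made from `$ThisServer`, so that host is the source address to expect in the IIS server's event.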

All replies

  • Contact the admins or the web site to learn how to use alternate credentials.  Clearly the account does not have access to the web server.

    There is no PowerShell solution to this.  It is completely up to the web site you are trying to access.


    \_(ツ)_/

    Sunday, August 26, 2018 8:26 PM