This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Remove From My Forums

Invoke-webrequest with other user credentials to access kerberos IIS Site

Question
0

Sign in to vote
Hi

System:

Using Powershell 5.0 on server 2012R2

What I want:

I want to access/load (from another server) a IIS site which is using kerberos authentication through PowerShell. I want to do this because I want the IIS Server that is hosting the site to add an Event Viewer 4624 Security message that tells me if I authenticated using Kerberos or not.

What Works:

I can remotely (from another domain joined server in PowerShell) access the site from a server via:

$SiteURL= "web.contoso.com" Invoke-WebRequest -Uri $SiteURL -SessionVariable websession -UseDefaultCredentials

Problem:

How can i run the same Invoke-WebRequest with another domain credential ($UseThisCredential)? Like so:

Invoke-WebRequest -Uri $SiteURL -Credential $UseThisCredential -SessionVariable websession

This gives me the error:

Invoke-WebRequest : 401 UNAUTHORIZED At line:1 char:2 + Invoke-WebRequest -Uri $SiteURL -Credential $UseThisCredential -Sess ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

Any tips are welcome:-)

brgs

Bjørn
Sunday, August 26, 2018 8:20 PM

Answers

0

Sign in to vote
Hmm, Seems to be a second hop problem of delegating credentials. Being a SharePoint man i just thought about credssp authentication and Voila:

$OpenSiteBlock = { param($URL) Invoke-WebRequest -Uri $URL -SessionVariable websession -UseDefaultCredentials } Invoke-Command -ComputerName $ThisServer -ScriptBlock $OpenSiteBlock -Credential $UseThisCredential -ArgumentList $SiteURL -Authentication Credssp

Works like a charm.
- Marked as answer by Bjørn Roalkvam Sunday, August 26, 2018 8:24 PM
Sunday, August 26, 2018 8:23 PM

All replies

0

Sign in to vote
Hmm, Seems to be a second hop problem of delegating credentials. Being a SharePoint man i just thought about credssp authentication and Voila:

$OpenSiteBlock = { param($URL) Invoke-WebRequest -Uri $URL -SessionVariable websession -UseDefaultCredentials } Invoke-Command -ComputerName $ThisServer -ScriptBlock $OpenSiteBlock -Credential $UseThisCredential -ArgumentList $SiteURL -Authentication Credssp

Works like a charm.
- Marked as answer by Bjørn Roalkvam Sunday, August 26, 2018 8:24 PM
Sunday, August 26, 2018 8:23 PM
0

Sign in to vote

Contact the admins or the web site to learn how to use alternate credentials. Clearly the account does not have access to the web server.

There is no PowerShell solution to this. It is completely up to the web site you are trying to access.

\_(ツ)_/

Sunday, August 26, 2018 8:26 PM