epv-api-scripts
AOU - OTP Property Assignment Exception
Summary
When attempting to perform RADIUS authentication using an OTP, Accounts_Onboard_Utility.ps1 fails at line 1047 (in Function Get-LogonHeader) when attempting to modify hash value $logonBody.Password, but $logonBody was converted to a scalar back at line 1042...
Suggested solution is to remove the ConvertTo-Json calls at 1042 and 1044, then add it as part of Invoke-Rest at line 1052:
    If ($concurrentSession) {
        # Keep the body as a hashtable here; the serialisation is moved to the Invoke-Rest call below
        $logonBody = @{ username = $Credentials.username.Replace('\',''); password = $Credentials.GetNetworkCredential().password; concurrentSession = "true" } # | ConvertTo-Json -Compress
    } else {
        $logonBody = @{ username = $Credentials.username.Replace('\',''); password = $Credentials.GetNetworkCredential().password } # | ConvertTo-Json -Compress
    }
    If (![string]::IsNullOrEmpty($RadiusOTP)) {
        # Works now because $logonBody is still a hashtable, not a JSON string
        $logonBody.Password += ",$RadiusOTP"
    }
    try {
        # Logon: serialise the body only at the point it is sent
        $logonToken = Invoke-Rest -Command Post -Uri $URL_Logon -Body ($logonBody | ConvertTo-Json -Compress)
Steps to Reproduce
- Call the script with -AuthType radius -OTP xxx
- See the error
Expected Results
OTP value is properly appended to the Password property, script continues.
Actual Results
The property 'Password' cannot be found on this object. Verify that the property exists
and can be set.
At C:\TEMP\CyArk\Accounts_Onboard_Utility.ps1:1047 char:3
+ $logonBody.Password += ",$RadiusOTP"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : PropertyAssignmentException
Reproducible
- [X] Always
- [ ] Sometimes
- [ ] Non-Reproducible
Version/Tag number
Script date 2022-MAR-09
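As an added illustration (not code from the epv-api-scripts repository), the following PowerShell builds the RADIUS logon body the way the suggested fix does, appending the OTP while the body is still a hashtable, and then reproduces the failure that occurs when ConvertTo-Json runs first. The function name New-RadiusLogonBody and the sample credential values are constructed for this example.

```powershell
# Added example, not part of Accounts_Onboard_Utility.ps1.
function New-RadiusLogonBody {
    param(
        [Parameter(Mandatory)] [pscredential] $Credentials,
        [string] $RadiusOTP,
        [switch] $ConcurrentSession
    )
    # Same shape as the script's logon body; mirrors its backslash stripping.
    $logonBody = @{
        username = $Credentials.UserName.Replace('\', '')
        password = $Credentials.GetNetworkCredential().Password
    }
    if ($ConcurrentSession) { $logonBody.concurrentSession = 'true' }

    # $logonBody is still a hashtable, so the key can be modified
    # (hashtable keys are case-insensitive, so .Password reaches 'password').
    if (-not [string]::IsNullOrEmpty($RadiusOTP)) {
        $logonBody.password += ",$RadiusOTP"
    }

    # Serialise exactly once, at the point the body is sent.
    # The result carries the password and OTP in clear text: never log it.
    return $logonBody | ConvertTo-Json -Compress
}

# Constructed sample credential (placeholder values, not real secrets).
$secret = ConvertTo-SecureString 'PlaceholderP@ss' -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential ('svc_onboard', $secret)

# Working order: OTP appended first, then serialised.
$body = New-RadiusLogonBody -Credentials $cred -RadiusOTP '123456' -ConcurrentSession
$body.GetType().Name   # String, ready for Invoke-Rest -Body

# Reproducing the reported failure: serialising before the OTP is appended
# turns $serialised into a [string], which has no Password property.
$serialised = @{ username = 'svc_onboard'; password = 'PlaceholderP@ss' } | ConvertTo-Json -Compress
try {
    $serialised.Password += ',123456'
} catch {
    # Same PropertyAssignmentException the issue reports
    Write-Warning $_.FullyQualifiedErrorId
}
```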
Does this occur when an account only uses OTP and no password? If only OTP is in use, the OTP token should be passed as the password. Can you confirm if this flow works?
@bab29 I have reported the same issue; I just realized mine is a duplicate. I tried searching, but I do not often work with GitHub, so my apologies for this.
OTP alone should not work, as in case the password is empty, the resulting OTP string will be ",123456", which shouldn't work as it contains a comma.