401 issue when running PS script

andrzej_kubera · 9 May 2016 11:47

Hello

We’re having a bit of an issue when trying to run below PS script through octo steps:

This step is supposed to disable the server through KEMP API url

$uri = “https://bal:xxxx@10.252.20.5/access/modrs?vs=10.252.20.12&port=80&prot=tcp&rs=10.252.20.188&rsport=80&enable=n”
$secpasswd = ConvertTo-SecureString “xxxx” -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential (“bal”, $secpasswd)

[System.Net.ServicePointManager]::Expect100Continue = $true
[System.Net.ServicePointManager]::MaxServicePointIdleTime = 10000
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
$request = [System.Net.HttpWebRequest]::Create($uri)
$request.Credentials = $mycreds

$response = $request.GetResponse()

When execuded through PS console on the target server it works flawlessly (logged in with octopus service account we are using in tentacle and server services). When run through octo it fails with :

Windows PowerShell transcript end
End time: 20160509104029

Windows PowerShell transcript start
Start time: 20160509121525
Username: WINTECH\sa_OctopusDeploy
RunAs User: WINTECH\sa_OctopusDeploy
Machine: UK-DEPLOY02 (Microsoft Windows NT 6.3.9600.0)
Host Application: C:\Windows\system32\WindowsPowershell\v1.0\PowerShell.exe -NoLogo -ExecutionPolicy Unrestricted -Command . {. ‘C:\Octopus\Work\20160509111522-8\Bootstrap.Script.ps1’; if ((test-path variable:global:lastexitcode)) { exit $LastExitCode }}
Process ID: 6212

Transcript started, output file is c:\kemp\log01.txt

PS>TerminatingError(): “Exception calling “GetResponse” with “0” argument(s): “The remote server returned an error: (401) Unauthorized.””

TerminatingError(): “Exception calling “GetResponse” with “0” argument(s): “The remote server returned an error: (401) Unauthorized.””
TerminatingError(): “Exception calling “GetResponse” with “0” argument(s): “The remote server returned an error: (401) Unauthorized.””
TerminatingError(): “Exception calling “GetResponse” with “0” argument(s): “The remote server returned an error: (401) Unauthorized.””
Exception calling “GetResponse” with “0” argument(s): “The remote server returned an error: (401) Unauthorized.”
Exception calling “GetResponse” with “0” argument(s): “The remote server returned an error: (401) Unauthorized.”
At C:\Octopus\Work\20160509111522-8\Script.ps1:12 char:1

$response = $request.GetResponse()

  + CategoryInfo          : NotSpecified: (:) [], ParentContainsErrorRecordException
  + FullyQualifiedErrorId : WebException

PS>$global:?
False

Windows PowerShell transcript end
End time: 20160509121525

I’m running out of ideas what could be causing this issue. Any input would be greatly appreciated.

Thanks,
Andrzej

Dalmiro · 9 May 2016 20:02

Hi Andrzej,

Thanks for reaching out. The context on which you execute the scripts can sometimes lead to hard-to-troubleshoot situations such as this one.

What I would do in your case is setup fiddler on the machine running this API call, and check the headers of the POST message to see what is your script actually sending to the API endpoint. From there you should be able to figure out which part of the script is not quite working (apparently it has something to do with the way the credential are being declared?)

Let me know if you find something by inspecting the API call.

Thanks,
Dalmiro

andrzej_kubera · 10 May 2016 08:04

Hi Dalmiro

Thank you for the input, however the problem does not lie with the script as when it’s executed locally on the octopus server (target server for this script to run at) under sa_OctopusDeploy account, it runs as expected, but when the same script is run through octo during deployment step it fails with 401.
The account running the tentacle is the same account that octo is using to perform any tasks and has been added to the admin group on the target server. Hence it’s quite mysterious as to when permissions are still lacking to perform this operation.

What exactly is the different between powershell bootstrap used by octo and opening up powershell command prompt directly on the server? clearly some permissions are being applied during octo deployment.

Andrzej

andrzej_kubera · 10 May 2016 08:26

Just quickly to add, the 401 is not connected to the script connecting to the API but octopus trying to invoke script on target server as there are no outgoing connections from it during the deployment. The script simply fails to be executed when triggered as a step in octo.

andrzej_kubera · 10 May 2016 09:52

After further testing it seems it’s not exactly the moment of deployment that fails but the credentials in my creds are being encoded to a format that GetResponse is failing to authenticate against.

The strange thing is that it works fine when you run it in powershell prompt line by line but the moment yo put it in the ps1 file it fails. Somehow the prompt is able to encode the string properly while execution from from ps1 fails.

Back to the drawing board i guess. Thanks for the input.

Andrzej