Using Webservices with IWA via PowerShell

Overview

You can enable webservices at Admin > Configuration on the General tab. Checking the Enable Webservices check box makes the ASP.NET SOAP and REST webservices built into Verify Privilege Vault available for use. Additional steps are needed in IIS to ensure proper access.

Integrated Windows Authentication (IWA) does not work on Verify Privilege Vault Cloud.
This procedure only works if Verify Privilege Vault on-premises is installed on IIS 7 or greater.

Procedure

To enable IWA for webservices in IIS:

  1. Open IIS Manager (inetmgr).

  2. Expand the Sites node until you locate your Verify Privilege Vault application or website.

  3. Expand the Verify Privilege Vault node to locate the winauthwebservices folder.

  4. Click on the winauthwebservices folder.

  5. Click on authentication in the Security section.

  6. Disable Anonymous Authentication.

  7. Enable Windows Authentication.

    If you are using IIS 7 or greater and do not see this option, it must be added through the server roles (Web Server). IIS may give an alert about using both challenge and redirect-based authentication, which you can ignore.

  8. Open Windows Explorer.

  9. Navigate to the winauthwebservices folder.

  10. Give read access to the winauthwebservices folder to the domain users and groups that will be using IWA to access the webservices.
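
The IIS and folder-permission steps above can also be scripted and then read back for verification. This is an added example, not part of the product documentation; the site and application names, folder path and group name are assumed placeholders, and it assumes an elevated PowerShell session on the IIS server with the WebAdministration module available.

```powershell
# Added example: scripts steps 1-10 above and reads the result back.
# The three values below are assumed placeholders; replace them with your own.
Import-Module WebAdministration

$location = 'Default Web Site/SecretServer/winauthwebservices'     # assumed site/application
$folder   = 'C:\inetpub\wwwroot\SecretServer\winauthwebservices'   # assumed physical path
$group    = 'EXAMPLE\VaultWebServiceUsers'                         # assumed domain group
$authRoot = 'system.webServer/security/authentication'

# Step 7 note: Windows Authentication must be installed as a Web Server role service.
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    if (-not (Get-WindowsFeature -Name Web-Windows-Auth).Installed) {
        throw 'The Web-Windows-Auth role service is not installed; add it before continuing.'
    }
}

# Step 6: disable Anonymous Authentication on the winauthwebservices folder only.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authRoot/anonymousAuthentication" -Name enabled -Value $false

# Step 7: enable Windows Authentication on the same folder.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authRoot/windowsAuthentication" -Name enabled -Value $true

# Step 10: grant read access on the folder to the group that will call the webservices.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group, 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $folder
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Read back the effective settings so the change can be confirmed and recorded.
foreach ($scheme in 'anonymousAuthentication', 'windowsAuthentication') {
    $enabled = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter "$authRoot/$scheme" -Name enabled).Value
    '{0,-24} enabled = {1}' -f $scheme, $enabled
}
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $group } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The read-back should show anonymousAuthentication as False and windowsAuthentication as True, with a single Allow entry for the group carrying Read rights.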

Access Examples

SOAP

The SOAP web service URL for IWA is <Verify Privilege Vault URL>/winauthwebservices/sswinauthwebservice.asmx.

Example script:

# Sample PowerShell Script
# demonstrating retrieval of a Secret from Verify Privilege Vault
# via web service protected by IWA

$where = 'http://mysecretserver/winauthwebservices/sswinauthwebservice.asmx';
$secretId = 1
$ws = New-WebServiceProxy -uri $where -UseDefaultCredential
$wsResult = $ws.GetSecret($secretId, $false, $null)
if ($wsResult.Errors.length -gt 0){
    $wsResult.Errors[0]
}
else
{
    $wsResult.Secret
}

REST

The REST web service references the same winauthwebservices folder as SOAP when doing IWA, but in code the URL endpoint does not need to change.

Example script:

# Sample PowerShell Script
# demonstrating authentication via web service protected by IWA

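$api = 'http://mysecretserver/winauthwebservices/api/v1'
# Build the endpoint URL for the secret by string interpolation
$endpoint = "$api/secrets/3844"
# Authenticate with the current Windows identity (IWA)
$secret = Invoke-RestMethod $endpoint -UseDefaultCredentials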