Using Web Services with Windows Authentication (PowerShell)

Note: This KB article applies to Secret Server version 7.0.000039 and later. Windows Authentication will not work on Web Services for previous versions. Also, this will only work if Secret Server is installed on IIS 7 or greater.

To enable Windows Authentication on Web Services:
1. Open Internet Information Services Manager (start->run->inetmgr).
2. Expand the "Sites" node until you locate your Secret Server application or Web Site.
3. Expand the Secret Server node and locate the winauthwebservices folder.
4. Click on the winauthwebservices folder, and then click on "Authentication" in the Security section.
5. Disable "Anonymous Authentication" and enable "Windows Authentication". (IIS may give an alert about using both challenge and redirect-based authentication, which can be ignored.)
6. Give read access to the winauthwebservices folder in Windows Explorer to the domain users and groups that will be using Windows Authentication to access the Web Services.

The Web Service URL for Windows Authentication is <Secret Server URL>/winauthwebservices/sswinauthwebservice.asmx.
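
To confirm that steps 1-6 took effect, the following script reads the settings back from IIS and the folder ACL. It is an added example, not part of the original KB article or of Secret Server. The site path, the physical folder path and the list of principals treated as too broad are assumptions to adjust for your installation.

```powershell
# Added example: audit the settings applied in steps 1-6 on the IIS server.
# Assumptions (hypothetical defaults): change the IIS location and the
# physical folder below to match your own Secret Server installation.
param(
    [string] $Location   = 'Default Web Site/SecretServer/winauthwebservices',
    [string] $FolderPath = 'C:\inetpub\wwwroot\SecretServer\winauthwebservices'
)

Import-Module WebAdministration

function Get-AuthEnabled([string] $Scheme) {
    # Returns the effective 'enabled' flag of one IIS authentication scheme.
    $filter = "/system.webServer/security/authentication/$Scheme"
    (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter $filter -Name 'enabled').Value
}

$findings = @()

# Step 5: anonymous must be off and Windows Authentication must be on.
if (Get-AuthEnabled 'anonymousAuthentication') {
    $findings += 'Anonymous Authentication is still enabled (step 5).'
}
if (-not (Get-AuthEnabled 'windowsAuthentication')) {
    $findings += 'Windows Authentication is not enabled (step 5).'
}

# Step 6: collect the Allow entries on the folder. Treating these two
# principals as too broad is an assumption of this example, not a rule
# stated in the article.
$broad = 'Everyone', 'NT AUTHORITY\ANONYMOUS LOGON'
$rules = (Get-Acl -Path $FolderPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' }
foreach ($rule in $rules) {
    $id = $rule.IdentityReference.Value
    if ($broad -contains $id) {
        $findings += "Broad principal has access to the folder: $id"
    }
}

# Print the ACL so it can be compared with the intended users and groups.
$rules | Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

if ($findings.Count -eq 0) {
    'OK: anonymous access is off and Windows Authentication is on.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```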


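# Sample PowerShell Script
# demonstrating retrieval of a Secret from Secret Server
# via web service protected by Windows Authentication

$where = 'http://mysecretserver/winauthwebservices/sswinauthwebservice.asmx'
$secretId = 1
# Build the SOAP proxy and authenticate as the current Windows user
$ws = New-WebServiceProxy -uri $where -UseDefaultCredential
$wsResult = $ws.GetSecret($secretId, $false, $null)
if ($wsResult.Errors.length -gt 0){
    # The service reported a problem; show the first error
    $wsResult.Errors[0]
}
else {
    # Success; output the returned Secret
    $wsResult.Secret
}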

Article ID: 98, Created On: 7/22/2010, Modified: 8/23/2013

Feedback (1)

Justin Rich

Powershell Script to retrieve user account info or PS Credential object. Paste in file, update default URL and call file Get-SSPSCredential.ps1

<#
.SYNOPSIS
Get PS Credential from Secret Server
.DESCRIPTION
Uses the Secret Server webservice to create a PSCredential based on a "secret name"
.EXAMPLE
$cred = Get-SSPSCredential "iisAppPool"
.EXAMPLE
$ClearCred = Get-SSPSCredential 'web login' -clear -url 'http://yourserver/SecretServer/winauthwebservices/sswinauthwebservice.asmx'
#>
param(
    # The Secret Name
    [string] $Secret,
    # Url of your Secret Server
    [string] $URL = "http://yourserver/SecretServer/winauthwebservices/sswinauthwebservice.asmx",
    # Clear text return
    [switch] $Clear
)

$proxy = New-WebServiceProxy $url -UseDefaultCredential
$id = $proxy.SearchSecrets($Secret).secretsummaries.secretid
##add more error checking
if ($id) {
    # Collect the Secret's fields into a hashtable keyed by field name
    $hash = @{}
    $sec = $proxy.GetSecret($id).secret.items | %{$hash.add($_.fieldname,$_.value)}
    $secpass = ConvertTo-SecureString $hash.password -AsPlainText -Force
    $user = "$($hash.domain)\$($hash.username)"

    if ($Clear) {
        # -Clear: return every field, including the password, in clear text
        new-object psobject -Property $hash
    }
    else {
        New-Object System.Management.Automation.PSCredential ($user, $secpass)
    }
}
else {
    write-error "SECRET NOT FOUND"
}

2/8/2013 at 4:37 PM