Using Web Services with Windows Authentication (PowerShell)

Note: This KB article applies to Secret Server version 7.0.000039 and later. Windows Authentication will not work on Web Services for previous versions. Also, this will only work if Secret Server is installed on IIS 7 or greater.
To enable Windows Authentication on Web Services

1. Open Internet Information Services (IIS) Manager (Start -> Run -> inetmgr).
2. Expand the "Sites" node until you locate your Secret Server application or web site.
3. Expand the Secret Server node and locate the winauthwebservices folder.
4. Click on the winauthwebservices folder, and then click on "Authentication" in the Security section.
5. Disable "Anonymous Authentication" and enable "Windows Authentication". (If you are using IIS 7 or greater and do not see this option, it will need to be added through the server roles (Web Server). IIS may give an alert about using both challenge and redirect-based authentication, which can be ignored.)
6. Give read access to the winauthwebservices folder in Windows Explorer to the domain users and groups that will be using Windows Authentication to access the Web Services.

The Web Service URL for Windows Authentication is <Secret Server URL>/winauthwebservices/sswinauthwebservice.asmx.
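# Sample PowerShell Script
# demonstrating retrieval of a Secret from Secret Server
# via web service protected by Windows Authentication

$where = 'http://mysecretserver/winauthwebservices/sswinauthwebservice.asmx'
$secretId = 1
# Build a SOAP proxy that authenticates as the current Windows user
$ws = New-WebServiceProxy -Uri $where -UseDefaultCredential
$wsResult = $ws.GetSecret($secretId, $false, $null)
if ($wsResult.Errors.Length -gt 0) {
    # The web service reported one or more errors
    $wsResult.Errors
}
else {
    # Output the retrieved Secret
    $wsResult.Secret
}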
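
A hardened variant of the sample above, added here as an example and not part of the original article or the product's own code. It refuses a non-HTTPS URL, turns an HTTP 401 into a pointer back to steps 5 and 6, and returns a PSCredential. The function name `Get-WinAuthSecret`, the host name in the usage comment, and the `Username`/`Password` field names are assumptions.

```powershell
# Added example: Get-WinAuthSecret is a hypothetical helper, not a Secret Server cmdlet.
function Get-WinAuthSecret {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [int] $SecretId,
        # <Secret Server URL>/winauthwebservices/sswinauthwebservice.asmx
        [Parameter(Mandatory = $true)] [uri] $Url
    )

    # Secret values come back in the SOAP response body, so refuse plain HTTP.
    if (-not $Url.IsAbsoluteUri -or $Url.Scheme -ne 'https') {
        throw "Refusing to call '$Url': an absolute https:// URL is required."
    }

    try {
        # Same proxy and call as the sample script; runs as the current Windows user.
        $ws = New-WebServiceProxy -Uri $Url -UseDefaultCredential -ErrorAction Stop
        $result = $ws.GetSecret($SecretId, $false, $null)
    }
    catch {
        # HTTP failures surface as a WebException wrapped by PowerShell.
        $base = $_.Exception.GetBaseException()
        $resp = if ($base -is [System.Net.WebException]) { $base.Response -as [System.Net.HttpWebResponse] }
        $is401 = ($resp -and [int]$resp.StatusCode -eq 401) -or ($base.Message -match 'HTTP status 401')
        if ($is401) {
            throw ("401 Unauthorized for $env:USERDOMAIN\$env:USERNAME. Check that Windows " +
                   "Authentication is enabled on the winauthwebservices folder and that this " +
                   "account has read access to it.")
        }
        throw
    }

    # Application-level failures are reported in Errors, not as exceptions.
    if ($result.Errors.Length -gt 0) {
        throw "Secret Server returned: $($result.Errors -join '; ')"
    }

    # Assumption: the Secret's template has fields named Username and Password.
    $fields = @{}
    foreach ($item in $result.Secret.Items) { $fields[$item.FieldName] = $item.Value }
    if (-not $fields['Password']) { throw "Secret $SecretId has no Password field." }

    $secure = ConvertTo-SecureString $fields['Password'] -AsPlainText -Force
    New-Object System.Management.Automation.PSCredential ($fields['Username'], $secure)
}

# Usage (constructed host name):
# $cred = Get-WinAuthSecret -SecretId 1 -Url 'https://mysecretserver.example/winauthwebservices/sswinauthwebservice.asmx'
```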


Powershell Script to retrieve user account info or PS Credential object. Paste in file, update default URL and call file Get-SSPSCredential.ps1

<#
.Synopsis
   Get PS Credential from Secret Server
.DESCRIPTION
   Uses the Secret Server webservice to create a PSCredential based on a "secret name"
.EXAMPLE
   $cred = Get-SSPSCredential "iisAppPool"
.EXAMPLE
   $ClearCred = Get-SSPSCredential 'web login' -clear -url 'http://yourserver/SecretServer/winauthwebservices/sswinauthwebservice.asmx'
#>
[CmdletBinding()]
Param
(
    # The Secret Name
    [Parameter(Mandatory=$true, ValueFromPipelineByPropertyName=$true, Position=0)]
    $Secret,

    #Url of your Secret Server
    [string]
    $URL = "http://yourserver/SecretServer/winauthwebservices/sswinauthwebservice.asmx",

    #Clear text return
    [switch]
    $Clear
)

$proxy = New-WebServiceProxy $url -UseDefaultCredential
$id = $proxy.SearchSecrets($Secret).secretsummaries.secretid

##add more error checking
if($id){
    $hash = @{}
    $sec = $proxy.GetSecret($id).secret.items | %{$hash.add($_.fieldname,$_.value)}
    $secpass = ConvertTo-SecureString $hash.password -AsPlainText -Force
    $user = "$($hash.domain)\$($hash.username)"
    if($clear) {
        new-object psobject -Property $hash
    } else {
        New-Object System.Management.Automation.PSCredential ($user, $secpass)
    }
} else {
    write-error "SECRET NOT FOUND"
}
Justin Rich (February 8, 2013 at 11:37 AM)
Tried this and receive error:
Exception calling "GetSecret" with "3" argument(s): "The request failed with HTTP status 401: Unauthorized."
At line:1 char:1
+ $wsResult = $ws.GetSecret($secretId, $false, $null)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : WebException

Any ideas where else to check?

Kyle Hetherington (November 13 at 10:09 AM)
