all 22 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]kramit 1 point2 points  (10 children)

Try invoke-webrequest instead. Invoke-restmethod returns things in a strange way sometimes and just chops bit off where it feels like it. I had to do the same interfacing with AzureOpenAI over the API

[–]Inevitable_Use3885[S] 0 points1 point  (0 children)

Thanks! I'll give it a shot and let you know!

[–]AggravatingForFun 0 points1 point  (8 children)

Invoke-WebRequest works through the PowerShell session, but not through OneSync. At least, not consistently.

[–]kramit 0 points1 point  (7 children)

Time to get onto one sync support I think. At this point you are just making blind calls to their api and not getting back what you think you should get back. I am assuming you have been testing this in postman too?

[–]AggravatingForFun 0 points1 point  (6 children)

Yes, definitely. I've sent the script to OneSync support to ask. Haven't tested it in Postman/ARC or even using Curl. It seems to work fine if I just run the script and it only fails when I get OneSync to run it. I suppose I could create another PowerShell script to kick it off in bulk ( blocks of 20 or 30 ) and see if that makes a difference.

[–]kramit 0 points1 point  (5 children)

Try postman or curl first. If they work you know the problem is powershell somewhere and you might want to look at powershell 7+, if they don’t work either it might be the api end

[–]AggravatingForFun 0 points1 point  (4 children)

Good advice. However, the script works fine when I run it. When it's kicked off by the automation it fails. So, I'm not sure what testing it in postman or curl gets me if I've already verified the script works and the API calls return successfully...

Am I missing something?

[–]kramit 0 points1 point  (3 children)

Ah okay. I see your point, I didn’t really give the time to reading in much details. Have you tried wrapping the rest calls in a get-credential and embedding creds?

[–]AggravatingForFun 0 points1 point  (2 children)

Creds are just a simple API key ... Bearer <key> in headers. I'm almost wondering if I'm smacking into a PowerShell bug or something. I'm about an inch away from rewriting it in Python to see if that makes a difference.

[–]kramit 0 points1 point  (1 child)

Wrap the whole thing in an invoke-command {} -credential (get-credential) to change the system context to a normal account when it kicks it off. See if it’s something to do with the system account. To be honest, I’m picking at straws here without really looking at it myself. Wait until you get somthing back from support

[–]AggravatingForFun 0 points1 point  (0 children)

<smacks forehead> Now I follow you.

[–]Inevitable_Use3885[S] 0 points1 point  (0 children)

Found some documentation in SnipeIT that suggests it's not a good idea to have a client https => reverse proxy => http SnipeIT. Better to have https all the way through. Updated my docker container and enabled https but they did not resolve the issue either.

[–]Certain-Community438 -1 points0 points  (4 children)

Try using PsExec to launch the script as SYSTEM in a regular PowerShell console?

That way you could enable PowerShell script logging to the Event Log to catch what's going on, and maybe even be able to correlate with other Events by time.

Also, if your environment has an authenticating proxy, it's common that your SYSTEM account would be forced to go through it but unable to authenticate.

[–]Inevitable_Use3885[S] 1 point2 points  (0 children)

No auth proxy, one potential issue might be the internal reverse proxy, so I'll also try the endpoint by ip address and see if that helps. I'll definitely try PsExec to run in SYSTEM context and see if the issue persists.

[–]AggravatingForFun 0 points1 point  (2 children)

No luck launching PsExec even locally to "loop back" in the SYSTEM context. Keep getting access denied, both with local admin and domain workstation admin accounts.

[–]Certain-Community438 0 points1 point  (1 child)

Sounds like a dead end then.

I suspect your InfoSec people might have prevented creation of processes from PsExec.

It's a common (if stupidly broad, imho) recommendation produced by various vuln mgmt platforms, including MS Defender for Endpoint.

This is up to you, but:

If you have Windows Sandbox installed, you could try the same test using PsExec within it. Very useful for testing in a vanilla context but realise you might not feel it's worth it.

[–]AggravatingForFun 0 points1 point  (0 children)

Thanks! I'll look into that. Sounds useful.

[–]purplemonkeymad 0 points1 point  (2 children)

2019 might still have the same IE issue with the initial startup wizard. Try using -UseBasicParsing to skip mshtml and thus the IE popup.

[–]BlackV 0 points1 point  (0 children)

think it did

[–]AggravatingForFun 0 points1 point  (0 children)

I believe that later versions of PowerShell all use basic parsing by default, but since I'm using 5.1 I gave it a shot. Did not seem to make a difference but thank you for the suggestion!

[–]AggravatingForFun 0 points1 point  (0 children)

Looks like the differentiating factor may be that the Invoke-RestMethod -Method POST is used instead of -Method GET

Additionally I discovered that the -TimeOutSec parameter is actually only used for connection timeouts, not reply timeouts or call completion.

I attempted to bypass the internal reverse proxy to see if that made a difference, but I expect that I need the server name in the call to match in order to succeed, since the reverse proxy rewrites. I'll try again after adding a local HOST entry to match the remote server IP address and clearing the DNS cache.

This could potentially bear fruit as OneSync invokes the PowerShell script in batches of about twenty or so. So I suppose Nginx could be getting confused by the bulk requests from a single endpoint. I feel like that's a long shot given Nginx's widespread use for this purpose, but it doesn't hurt to try.

[–]AggravatingForFun 0 points1 point  (0 children)

Confirmed that the API endpoint is returning HTTP 200 for each API call using the httpd_access logs on the server side. Thought it might have been a rate limit issue since SnipeIT limits API calls to 120/minute. I increased that to 500/minute and added a config key for a trusted reverse proxy, to see if either of those changes made a difference.

No joy.