
Comments (12)

jborean93 commented on May 20, 2024

> so why does it work with some connections, but not the one to Exchange Online?

Exchange Online uses OAuth tokens, but as the WSMan stack on Windows never supported OAuth natively, it is actually just OAuth smuggled through basic authentication. So to the WSMan stack it sees: OK, the application is requesting basic auth, is my client configuration set to allow this? Exchange on-prem uses Kerberos auth, and normal Windows hosts can utilise NTLM and Kerberos through the Negotiate protocol, which is separate from Basic auth. Basic auth has always been something you need to opt into, and the Exchange Online modules even state you need to enable this. Granted, they are moving away from this Frankenstein setup into their own REST APIs, but this applies to your WSManConnectionInfo setup. This could even be the cause behind the problem, but I'm not sure on that point.

> why does the error message state that the server refused it?

It could be that's just the generic error message it gets back from a failed auth; the client doesn't necessarily know what the server offers, just that it failed to auth.

Ultimately I could be wrong here but I know this is in a spot where the OAuth through WinRM with Exchange Online is deprecated and the whole stack behind it all was quite messy. It's a reason why they moved to their own REST APIs with the v3 module.

jborean93 commented on May 20, 2024

Has Basic auth been enabled on the client WinRM settings?

Get-Item WSMan:\Localhost\Client\Auth\Basic

nickjmcclure commented on May 20, 2024

@jborean93 would this be on the destination server, or the server running the .net app?

jborean93 commented on May 20, 2024

The client host that is running the WinRM code. PowerShell on Windows uses the native WinRM stack. The native stack only allows Basic auth (what the OAuth tokens are smuggled through) if the client allows you to do so and it’s not enabled by default.

nickjmcclure commented on May 20, 2024

@jborean93 well, this is something that was working at one point, and now is not working. The code typically runs from an Azure App Service, so I don't believe there is a way for me to run the Get-Item command. I can say that other operations that use basic auth to connect to our physical exchange environment work without issue. So I can only assume it is enabled.

jborean93 commented on May 20, 2024

The error is from the WSMan stack and PowerShell is just bubbling it back up to you. PowerShell has no control over this policy as it’s a system setting and while it provides you the ability to get and set it through the WSMan provider it cannot just enable it for one connection. The error you are getting is what I would expect if basic auth is disabled on the client settings and you requested it.
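
An added example, not part of the thread or of the PowerShell project's code: one way to audit the client-side WinRM policy discussed above on the host that opens the runspace. The function name `Get-WinRMClientAuthAudit` is hypothetical; the script assumes Windows with the WinRM service running and reads the WinRM client Group Policy key in addition to the WSMan provider.

```powershell
function Get-WinRMClientAuthAudit {
    [CmdletBinding()]
    param()

    $rows = [System.Collections.Generic.List[object]]::new()

    # Effective client settings as reported by the WSMan provider
    # (needs the WinRM service running on this host).
    foreach ($item in Get-ChildItem -Path WSMan:\localhost\Client\Auth) {
        $rows.Add([pscustomobject]@{
            Source = 'WSMan'; Setting = "Auth\$($item.Name)"; Value = $item.Value
        })
    }
    foreach ($name in 'AllowUnencrypted', 'TrustedHosts') {
        $value = (Get-Item -Path "WSMan:\localhost\Client\$name").Value
        $rows.Add([pscustomobject]@{ Source = 'WSMan'; Setting = $name; Value = $value })
    }

    # Group Policy, when configured, stores the client policy under this key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
    $policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in 'AllowBasic', 'AllowUnencryptedTraffic') {
        $value = 'not configured'
        if ($policy -and $null -ne $policy.$name) { $value = $policy.$name }
        $rows.Add([pscustomobject]@{ Source = 'Policy'; Setting = $name; Value = $value })
    }
    $rows
}

$audit = Get-WinRMClientAuthAudit
$audit | Format-Table -AutoSize

# Summarise the two settings that matter when a client requests Basic auth.
$basic = ($audit | Where-Object { $_.Source -eq 'WSMan' -and $_.Setting -eq 'Auth\Basic' }).Value
$clear = ($audit | Where-Object { $_.Source -eq 'WSMan' -and $_.Setting -eq 'AllowUnencrypted' }).Value
if ($basic -ne 'true') {
    Write-Output 'Client Basic auth is disabled: a connection requesting AuthenticationMechanism.Basic is refused by the local WSMan stack.'
} elseif ($clear -eq 'true') {
    Write-Warning 'Basic auth and unencrypted traffic are both allowed: credentials can cross the network in cleartext over HTTP.'
} else {
    Write-Output 'Basic auth is enabled and unencrypted traffic is blocked, so Basic is limited to HTTPS endpoints.'
}
```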

nickjmcclure commented on May 20, 2024

@jborean93 So why does it work with some connections, but not the one to Exchange Online? And why does the error message state that the server refused it?

The complete exception includes this: "The authentication mechanism requested by the client is not supported by the server or unencrypted traffic is disabled in the service configuration."

nickjmcclure commented on May 20, 2024

@jborean93 My on prem connection is using Basic, here is the code for it:

PSCredential cred = new(_username, _securePassword);
WSManConnectionInfo connectionInfo = new(_powerShellURI, "http://schemas.microsoft.com/powershell/Microsoft.Exchange", cred)
{
    AuthenticationMechanism = AuthenticationMechanism.Basic
};

using Runspace runspace = RunspaceFactory.CreateRunspace(connectionInfo);
runspace.Open();

PowerShell ps0 = PowerShell.Create();

Also, my understanding is the System.Management.Automation and Microsoft.PowerShell.Native packages don't rely on any underlying system level configuration, they are self-contained libraries that allow .net apps to be shipped without any additional dependencies. At least this is the way it has been for the last 6 years when I initially built the first version of this application. As for migrating to REST APIs, I'd happily drop the PowerShell requirement and move to the Graph API; however, the item I need to query for isn't exposed in the Graph API, and from what I can tell there are no plans to expose it.

I've been doing Basic auth from an Azure App Service using multiple versions of .net from Framework 4.7 to .net8 without having to do any WinRM changes on the server, or my local machine. None of the docs for the System.Management.Automation package state any system dependencies or configuration changes that need to be made.

jborean93 commented on May 20, 2024

> Also, my understanding is the System.Management.Automation and Microsoft.PowerShell.Native packages don't rely on any underlying system level configuration, they are self-contained libraries that allow .net apps to be shipped without any additional dependencies

For WSMan that is not the case; even for SSH that's also not the case, as it relies on the ssh binary being present. On Windows it relies on the WsmSvc.dll that Windows provides, and on non-Windows it's the libmi library that PowerShell used to ship with, which was pretty old and hard to get working (and yet another reason the Exchange Online module has gone to their own REST API).

microsoft-github-policy-service commented on May 20, 2024

This issue has been marked as answered and has not had any activity for 1 day. It has been closed for housekeeping purposes.

microsoft-github-policy-service commented on May 20, 2024

📣 Hey @nickjmcclure, how did we do? We would love to hear your feedback with the link below! 🗣️

🔗 https://aka.ms/PSRepoFeedback

nickjmcclure commented on May 20, 2024

@daxian-dbw I noticed this was marked as answered, but it hasn't been answered. The information provided by @jborean93 doesn't apply here.
