0

I have found plenty of resources on the first part of my question; specifically, though, I'm looking for solutions for it being used with Task Scheduler / a service account.

I have a PowerShell script which sucks up some logs and forwards them to an endpoint. This is run via a scheduled task. The account that does the forwarding has a valid certificate to be able to send to the endpoint.

I have tested the PowerShell script using my certificate and it works as intended. I have also tested that the service account's certificate is valid, but from being run as myself as opposed to the service account. I am unable to test it from the service account as it does not have any logon rights.

I have updated the [net.servicepointmanager]::securityprotocol as stated here.

I believe the error "Could not create SSL/TLS secure channel" is the correct error, but I believe the cause is not the common one found by googling this.

What else should I test to see what's going on here? PSVersion 5.1, .NET 4.5.

As requested, here is a bunch of the code I am using to gain the certificate of the service account:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$subject = "account"
# Certificate drive is Cert:, not certs:; -Recurse walks every store under it
$certs = Get-ChildItem -Path Cert:\ -Recurse | Where-Object { $_.Subject -like "*$subject*" -and $_.HasPrivateKey }
# Sort on the NotBefore property (sorting on $_."Not Before" outside a pipeline sorts on $null);
# ascending order picks the oldest certificate, add -Descending to pick the newest
$cert = $certs | Sort-Object NotBefore | Select-Object -First 1
# Pick one file to upload; gci(D:\Temp) does not parse
$file = Get-ChildItem -Path D:\Temp -File | Select-Object -First 1
$contentType = "application/json"

$request = Invoke-WebRequest -Uri "mydestination" -Certificate $cert -Method Post -InFile $file.FullName -ContentType $contentType
bain2236
  • 111
  • 1
  • 9
  • 1
    It's possible that the endpoint uses an insecure SSL/TLS version that your group policy won't allow from a client perspective. Forcing the latest TLS version as you did is usually the correct action, but it's possible that the service doesn't serve TLS 1.2. I've run into this at work and it is a very annoying chicken-and-egg scenario. – codewario Jan 10 '20 at 17:25
  • Can you provide some more information, a [mre] or some code that you are using? I.e. how do you use the certificate? How is the certificate installed? I.e. Personal/Trusted Store? What is the full error message? – HAL9256 Jan 10 '20 at 17:40
  • At a minimum, please provide the line you get the error on, as well as state what value you're giving `[net.servicepointmanager]::securityprotocol`. – codewario Jan 10 '20 at 19:48
  • Sounds like you’re using self-signed certificates on the endpoint. Make sure it’s added to the trusted roots either in Local Machine or Current User for the service account. Note that using cut&paste to move certificates between your Current User store and the Local Machine store doesn’t work very well - permissions on the certificate will only allow your account to access it even though it’s in Local Machine, so delete it and re-import directly into the Local Machine store. – mclayton Jan 12 '20 at 11:49
  • 1
    Also, you can enable Network Tracing for HTTP traffic by editing c:\windows\system32\windowspowershell\1.0\powershell.exe.config as per https://learn.microsoft.com/en-us/dotnet/framework/network-programming/how-to-configure-network-tracing which will potentially help work out why the SSL/TLS connection failed - e.g. missing trust chain, invalid protocol, etc. Post some of the network trace log file in your question and it might give some pointers. Don’t forget to disable tracing again afterwards though :-) – mclayton Jan 12 '20 at 11:52
  • @mclayton thanks, although I've not managed to do this I found this post https://stackoverflow.com/questions/56220620/net-tracing-in-powershell-without-creating-config-file and I've managed to find the first error in acquireCredentialHandle 0X8009030D. I'll continue to look, thanks again for pointing me in the correct direction – bain2236 Jan 13 '20 at 11:19

1 Answer

0

So after following the guidance of @mclayton (I didn't have permissions to change the .exe.config file, however),

I found this post which eventually led to an error in acquiring the certificate's private key, as the service account did not have permission.

The only other final step I required was the -UseBasicParsing parameter on the Invoke-WebRequest.

bain2236
  • 111
  • 1
  • 9
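The answer's root cause (the certificate is present, but the task's account cannot open its private key) is something you can check without logging on as that account. The script below is an added diagnostic example, not code from the question or the answer: it finds the certificate the way the question does, resolves the private-key file on disk, prints the key's ACL and tells you whether a given account has Read on it, optionally adding that entry. It assumes the certificate is in the LocalMachine\My store, that the key is software-backed (CSP keys under ProgramData\Microsoft\Crypto\RSA\MachineKeys, CNG keys under ProgramData\Microsoft\Crypto\Keys), and that the `$ServiceAccount` value is a placeholder you replace with the real task account. `GetRSAPrivateKey` used in the CNG branch needs .NET 4.6 or later.

```powershell
# Added example: report (and optionally grant) the task account's Read access to a client
# certificate's private key. Not from the original post; run it elevated on the host that
# runs the scheduled task.
param(
    [string]$Subject        = "account",            # substring of the certificate subject, as in the question
    [string]$ServiceAccount = "DOMAIN\svc-logfwd",  # placeholder: the account the scheduled task runs as
    [switch]$Grant                                   # add a Read ACE for that account when it is missing
)

$ErrorActionPreference = 'Stop'

# Newest certificate with a private key whose subject matches.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$Subject*" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key matched '*$Subject*' in LocalMachine\My" }

"Using {0}  thumbprint={1}  expires={2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate has expired; Schannel will refuse it" }

# Resolve the on-disk key container. Legacy CSP keys expose CspKeyContainerInfo; for CNG keys
# $cert.PrivateKey is $null and the unique name comes from the RSACng handle instead.
$keyPath = $null
if ($cert.PrivateKey -and $cert.PrivateKey.CspKeyContainerInfo) {
    $name = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    if ($name) { $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$name" }
} else {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName
        if ($name) { $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$name" }
    }
}
if (-not $keyPath -or -not (Test-Path -Path $keyPath -PathType Leaf)) {
    throw "Could not resolve a key file for thumbprint $($cert.Thumbprint) (TPM/HSM-backed keys have no file to inspect)"
}
"Private key file: $keyPath"

# Show who can currently read the key.
$acl = Get-Acl -Path $keyPath
$acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize

# Direct Allow entry for the account that overlaps the Read rights (group-granted access is not detected here).
$hasRead = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $ServiceAccount -and
    (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read) -ne 0)
}

if ($hasRead) {
    "$ServiceAccount can read the private key; look elsewhere (trust chain, protocol, expiry)."
} elseif ($Grant) {
    # Read is all Schannel needs to use the key; do not grant FullControl.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
    "Granted Read on the private key to $ServiceAccount"
} else {
    Write-Warning "$ServiceAccount has no direct Read access to the private key; re-run with -Grant to add it"
}
```

Run it first without -Grant to see the ACL as it stands; the membership check only looks for a direct entry for the account, so if the key is granted through a group the warning is a false alarm and the printed table is the thing to read. Granting Read rather than FullControl keeps the task account from exporting or deleting the key, which is the least privilege Schannel needs for client authentication.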