Powershell: [Bug] Invoke-RestMethod: The token supplied to the function is invalid - PowerShell 7.1.0-preview.5

Created on 10 Jul 2020  ·  10 Comments  ·  Source: PowerShell/PowerShell

Steps to reproduce

Running the following command:

Invoke-RestMethod -Method Get -Uri "https://application/api/endpoint" -UseDefaultCredentials -ContentType 'application/json' -ErrorAction Stop

This consistently works on PowerShell 7.0.2; however, on both PowerShell 7.1.0-preview.2 and PowerShell 7.1.0-preview.5 it consistently fails with the following error:

Invoke-RestMethod: The token supplied to the function is invalid

This feels like it could be related to how Invoke-RestMethod handles Kerberos identities when -UseDefaultCredentials is specified; given that, is it possibly a bug in .NET 5.0?

Expected behavior

The REST API endpoint returns a PSCustomObject.

Actual behavior

Invoke-RestMethod: The token supplied to the function is invalid

Environment data

Name                           Value
----                           -----
PSVersion                      7.1.0-preview.5
PSEdition                      Core
GitCommitId                    7.1.0-preview.5
OS                             Microsoft Windows 10.0.18362
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Get-Error -Newest 1

Exception             :
    Type            : System.ComponentModel.Win32Exception
    NativeErrorCode : -2146893048
    ErrorCode       : -2147467259
    TargetSite      :
        Name          : GetOutgoingBlob
        DeclaringType : System.Net.NTAuthentication, System.Net.Http, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
        MemberType    : Method
        Module        : System.Net.Http.dll
    StackTrace      :
   at System.Net.NTAuthentication.GetOutgoingBlob(Byte[] incomingBlob, Boolean throwOnError, SecurityStatusPal& statusCode)
   at System.Net.NTAuthentication.GetOutgoingBlob(String incomingBlob)
   at System.Net.Http.AuthenticationHelper.SendWithNtAuthAsync(HttpRequestMessage request, Uri authUri, ICredentials credentials, Boolean isProxyAuth,
HttpConnection connection, HttpConnectionPool connectionPool, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.AuthenticationHelper.SendWithAuthAsync(HttpRequestMessage request, Uri authUri, ICredentials credentials, Boolean preAuthenticate,
Boolean isProxyAuth, Boolean doRequestAuth, HttpConnectionPool pool, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.FinishSendAsyncUnbuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts,
CancellationToken callerToken, Int64 timeoutTime)
   at Microsoft.PowerShell.Commands.WebRequestPSCmdlet.GetResponse(HttpClient client, HttpRequestMessage request, Boolean keepAuthorization)
   at Microsoft.PowerShell.Commands.WebRequestPSCmdlet.ProcessRecord()
   at System.Management.Automation.CommandProcessor.ProcessRecord()
    Message         : The token supplied to the function is invalid
    Source          : System.Net.Http
    HResult         : -2147467259
CategoryInfo          : NotSpecified: (:) [Invoke-RestMethod], Win32Exception
FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
InvocationInfo        :
    MyCommand        : Invoke-RestMethod
    ScriptLineNumber : 1
    OffsetInLine     : 1
    HistoryId        : 6
    Line             : Invoke-RestMethod -Method Get -Uri "https://application/api/endpoint" -UseDefaultCredentials -ContentType 'application/json'
-ErrorAction Stop
    PositionMessage  : At line:1 char:1
                       + Invoke-RestMethod -Method Get -Uri "https://application/api/endpoint …
                       + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    InvocationName   : Invoke-RestMethod
    CommandOrigin    : Internal
ScriptStackTrace      : at <ScriptBlock>, <No file>: line 1

Issue-Question OS-Windows Resolution-External Resolution-Fixed Waiting - DotNetCore

All 10 comments

PowerShell uses the HttpClient API. You could create a simple repo in C# and report the issue in the .NET 5.0 Runtime repo.

Both #12993 and this issue look like a regression in the Invoke-RestMethod cmdlet. @iSazonov I think we need to keep the issue open to drive the investigation.

I think this might be the same problem...

Import-Module "Z:\CODE\DevOpsCode\Modules\Send-OwaMail\Microsoft.Exchange.WebServices.dll"
$Credential = Get-Credential username

$_ExchangeVersion = [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2010_SP2
$_service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService($_ExchangeVersion)
$_service.Url = new-object Uri("https://mail.server.domain/EWS/Exchange.asmx")

$_service.Credentials = $Credential.GetNetworkCredential()

$_SentItems = New-Object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::SentItems,$From)
$_SentItems = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($_service,$_SentItems)
  • PSVersion 5.1.19041.1: We can bind without problems
  • PSVersion 7.1.0-preview.6: MethodInvocationException: Exception calling "Bind" with "2" argument(s): "The token supplied to the function is invalid"

Web cmdlets use -SslProtocol Default by default, that is, "use OS default". You could try to use an explicit value: Tls, Tls11, Tls12.
Also, you could turn on the CAPI log on Windows and see the messages there to investigate why TLS negotiation fails.
I guess the client asks a server with a disabled protocol.
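
One way to test the TLS hypothesis from the comment above against the error data in the report, as an added example that is not part of the original thread: the NativeErrorCode -2146893048 in the Get-Error output is 0x80090308 (SEC_E_INVALID_TOKEN), an SSPI status. The function name `Test-DefaultCredentialRequest` and its result fields are hypothetical; the URI is the placeholder used in the issue.

```powershell
# Added example (hypothetical helper): retry the request per -SslProtocol value and decode the SSPI status.
function Test-DefaultCredentialRequest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [uri] $Uri,
        [string[]] $SslProtocol = @('Default', 'Tls12')
    )
    # SSPI status codes from winerror.h, keyed by the hex form of NativeErrorCode.
    $sspiStatus = @{
        '0x80090303' = 'SEC_E_TARGET_UNKNOWN'
        '0x80090308' = 'SEC_E_INVALID_TOKEN'
        '0x8009030C' = 'SEC_E_LOGON_DENIED'
        '0x80090322' = 'SEC_E_WRONG_PRINCIPAL'
        '0x80090331' = 'SEC_E_ALGORITHM_MISMATCH'
    }
    foreach ($protocol in $SslProtocol) {
        $result = [ordered]@{
            PSVersion   = $PSVersionTable.PSVersion.ToString()
            Runtime     = [System.Runtime.InteropServices.RuntimeInformation]::FrameworkDescription
            SslProtocol = $protocol
            Succeeded   = $false
            NativeError = $null
            SspiStatus  = $null
            FailingType = $null
        }
        try {
            $null = Invoke-RestMethod -Method Get -Uri $Uri -UseDefaultCredentials -SslProtocol $protocol -ErrorAction Stop
            $result.Succeeded = $true
        }
        catch {
            # Walk the exception chain down to the Win32Exception raised by the OS security layer.
            $ex = $_.Exception
            while ($ex -and $ex -isnot [System.ComponentModel.Win32Exception]) { $ex = $ex.InnerException }
            if ($ex) {
                $hex = '0x{0:X8}' -f $ex.NativeErrorCode   # -2146893048 formats as 0x80090308
                $result.NativeError = $hex
                $result.SspiStatus  = $sspiStatus[$hex]
                # The declaring type shows which layer failed (authentication helper vs. TLS stream).
                $result.FailingType = $ex.TargetSite.DeclaringType.FullName
            }
            else { $result.FailingType = $_.Exception.GetType().FullName }
        }
        [pscustomobject]$result
    }
}

Test-DefaultCredentialRequest -Uri 'https://application/api/endpoint'
```

If every protocol value fails with SEC_E_INVALID_TOKEN and a FailingType of System.Net.NTAuthentication, as in the stack trace in the report, the failure is in the Negotiate/NTLM exchange rather than in TLS negotiation. Running the same function under 7.0.2 and a 7.1 preview gives a side-by-side record of the regression, including the runtime version.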

> Web cmdlets use -SslProtocol Default by default, that is, "use OS default". You could try to use an explicit value: Tls, Tls11, Tls12.
> Also, you could turn on the CAPI log on Windows and see the messages there to investigate why TLS negotiation fails.
> I guess the client asks a server with a disabled protocol.

Is that different if using Windows PowerShell vs PowerShell ("core") 7.x.x?
Maybe PowerShell ("core") 7.x.x uses OpenSSL instead of Windows certs?

Looks like this specific issue may have been fixed with https://github.com/dotnet/runtime/pull/40222

> Is that different if using Windows PowerShell vs PowerShell ("core") 7.x.x?
> Maybe PowerShell ("core") 7.x.x uses OpenSSL instead of Windows certs?

PowerShell 7 is based on .NET 5 and the new HttpClient, whereas Windows PowerShell is based on .NET Framework and the old WebClient.
.NET 5 uses the OS API at the low level. OpenSSL is used on Unix only.

Unfortunately that fix didn't make it into .NET 5 preview 8 (as it repro'd for me). Will need to validate with .NET 5 RC1.

@SteveL-MSFT @iSazonov - I tested today against PowerShell 7.1.0-rc.1 and can confirm that targeting dotnet 5.0-RC.1 fixes the bug.

This issue has been marked as external and has not had any activity for 1 day. It has been closed for housekeeping purposes.
