I would like to get a list of groups from the Azure DevOps Security blade. I prepared some code. I am a member of the Contributors group in Azure DevOps, and I am using the Invoke-RestMethod cmdlet. I am testing this piece of code connected to my Azure account from my laptop; I have not tested it on Azure Automation or Azure Pipelines. I am still facing an issue. Error message below: Invoke-RestMethod : The remote server returned an error: (401) Unauthorized.

```powershell
## My Function
function GetUrl() {
    param(
        [string]$orgUrl,
        [hashtable]$header,
        [string]$AreaId
    )

    $orgResourceAreasUrl = [string]::Format("{0}/_apis/resourceAreas/{1}?api-preview=5.0-preview.1", $orgUrl, $AreaId)

    # Do a GET on this URL (this returns an object with a "locationUrl" field)
    $results = Invoke-RestMethod -Uri $orgResourceAreasUrl -Headers $header

    # The "locationUrl" field reflects the correct base URL for RM REST API calls
    if ("null" -eq $results) {
        $areaUrl = $orgUrl
    }
    else {
        $areaUrl = $results.locationUrl
    }

    return $areaUrl
}

$token = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(":$($personalToken)"))
$header = @{authorization = "Basic $token"}

$orgUrlAD = "https://vsaex.dev.azure.com/OrganizationName"
$personalToken = "MyPersonalToken"

## Function execution
Write-Host "AD tests"
$coreAreaId = "xxx"
$tfsBaseUrl = GetUrl -orgUrl $orgUrlAD -header $header -AreaId $coreAreaId

$projectsUrl = "$($tfsBaseUrl)_apis/groupentitlements?api-version=5.0-preview.1"

$projects = Invoke-RestMethod -Uri $projectsUrl -Method Get -ContentType "application/json" -Headers $header

$projects.value | ForEach-Object {
    Write-Host $_.name
}
```

Invoke-RestMethod : The remote server returned an error: (401) Unauthorized.

tester81

1 Answer

(401) Unauthorized.

This means that your token is not being obtained and used correctly.

The error is caused by the order of the script; by normal logic, it is compiled in line order. Also, in your script, your $personalToken comes after $token. As a result, in the following line there is no value in $personalToken, so $token is invalid.

```powershell
$token = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(":$($personalToken)"))
```

To solve this, just change the order between $personalToken and $personalToken:

```powershell
$personalToken = "{Your PersonalToken}"
$token = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(":$($personalToken)"))
$header = @{authorization = "Basic $token"}
```

Update: This is the complete script, which runs successfully on my org; you can try it. Just replace the org name in the value of $orgUrlAD with yours.

```powershell
function GetUrl() {
    # No param() block: arguments passed at the call site are not bound.
    # The org URL comes from the Azure Pipelines variable and $header from the caller's scope.
    $orgUrl = $env:SYSTEM_TEAMFOUNDATIONCOLLECTIONURI
    $AreaId = "efc2f575-36ef-48e9-b672-0c6fb4a48ac5"
    $orgResourceAreasUrl = [string]::Format("{0}/_apis/resourceAreas/{1}?api-preview=5.0-preview.1", $orgUrl, $AreaId)

    # Do a GET on this URL (this returns an object with a "locationUrl" field)
    $results = Invoke-RestMethod -Uri $orgResourceAreasUrl -Headers $header

    # The "locationUrl" field reflects the correct base URL for RM REST API calls
    if ("null" -eq $results) {
        $areaUrl = $orgUrl
    }
    else {
        $areaUrl = $results.locationUrl
    }

    return $areaUrl
}

# The PAT must be assigned before it is encoded into the Basic header
$personalToken = "yvufhmgdgwsy-xxxxxxxx-a2gagb4yfvcct5kdq6q"
$token = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(":$($personalToken)"))
$header = @{authorization = "Basic $token"}

$orgUrlAD = "https://vsaex.dev.azure.com/{org name}"

## Function execution
Write-Host "AD tests"
$coreAreaId = "xxx"
$tfsBaseUrl = GetUrl -orgUrl $orgUrlAD -header $header -AreaId $coreAreaId

$projectsUrl = $orgUrlAD + "/_apis/groupentitlements?api-version=5.0-preview.1"
Write-Host $projectsUrl
$projects = Invoke-RestMethod -Uri $projectsUrl -Method Get -ContentType "application/json" -Headers $header
Write-Host "Pipeline = $($projects | ConvertTo-Json -Depth 100)"
$projects.value | ForEach-Object {
    Write-Host $_.name
}
```

Mengdi Liang
  • Hi, thanks for this solution. I corrected my code as per your suggestion but there is the same issue; now the order is: Function Body, $personalToken, $token, $header, Function execution. – tester81 Aug 14 '19 at 12:08
  • I tested on my side, here is my result: https://imgur.com/a/ZGLYfkr. It succeeded for me. I also uploaded my script in the second pic. You can check the difference between ours. – Mengdi Liang Aug 14 '19 at 12:40
  • I saw your code; it doesn't work in my env. I use my code with your suggestion and I am getting incomplete results in the output, and the following info "span class="error">Microsoft Internet Explorer's Enhanced Security Configuration is currently enabled on your environment. This enhanced level of security prevents our web integration experiences from displaying or performing correctly. To continue with your operation please disable this configuration or contact your administrator." – tester81 Aug 14 '19 at 15:28
  • @tester81 If I am not misunderstanding, I think this message is still related to the PAT. Do you mind generating a new token and trying again? Refer to [this similar issue](https://stackoverflow.com/questions/46114781/vsts-build-running-locally-error-microsoft-internet-explorer-enhanced-secur) – Mengdi Liang Aug 14 '19 at 15:42
  • @tester81 Hi, how are things going now? Did the error disappear when you tried with the newly generated token? – Mengdi Liang Aug 16 '19 at 10:18
  • Hi, under this variable --> $projectsUrl I have a link. I tested the link from my browser and got the correct result, members of a specific group. I created a new PAT and ran the script from my laptop and from an Azure Automation account; I got a lot of useless data and the mentioned security message. My header --> $header = @{authorization = ("Bearer $token")} – tester81 Aug 19 '19 at 08:45
  • What about the useless data and the security message? Can you show some here? There's no error on this header format. – Mengdi Liang Aug 19 '19 at 08:52
  • I am receiving something like that below; this is only an extract from the result: – tester81 Aug 19 '19 at 09:06
  • I assume the complete message you received is like this: https://imgur.com/a/ft8aipT , right? If yes, this means the error **203 non-authoritative information**. That's caused by your incorrect token format. – Mengdi Liang Aug 19 '19 at 11:44
  • I also updated the answer with my complete script; please just replace your token and org name, and try again. – Mengdi Liang Aug 19 '19 at 11:48
  • I created a new PAT, used it, and ran the script again, using my code, without any changes, and it worked. I've changed only this part, header --> $header = @{authorization = ("Basic $token")}. It's very weird because last week I used a new PAT, and there was still a problem with this script. Thanks for your support!! – tester81 Aug 19 '19 at 14:16
  • Welcome:-) It's my pleasure to help you~~ – Mengdi Liang Aug 19 '19 at 14:25
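
The two failure modes in this thread (an empty PAT encoded into the header, and a 203 response carrying an HTML sign-in page instead of JSON) can be caught explicitly. The following is an added example, not code from the question or the answer; the function names `New-PatAuthHeader` and `Get-GroupEntitlementNames` and the environment variable `AZDO_PAT` are assumptions made for illustration.

```powershell
# Added example: names below are illustrative, not part of the original scripts.
# With strict mode, using a variable before it is assigned throws
# instead of silently expanding to an empty string.
Set-StrictMode -Version Latest

function New-PatAuthHeader {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$PersonalToken)
    if ([string]::IsNullOrWhiteSpace($PersonalToken)) {
        # An empty PAT would encode only ":" (Base64 "Og=="), which the server rejects with 401
        throw 'PAT is empty: assign it before building the Authorization header.'
    }
    # Basic scheme with an empty user name and the PAT as the password
    $bytes = [System.Text.Encoding]::ASCII.GetBytes(":$PersonalToken")
    return @{ Authorization = 'Basic ' + [System.Convert]::ToBase64String($bytes) }
}

function Get-GroupEntitlementNames {
    param(
        [Parameter(Mandatory)][string]$OrgUrl,
        [Parameter(Mandatory)][hashtable]$Header
    )
    $uri = "$($OrgUrl.TrimEnd('/'))/_apis/groupentitlements?api-version=5.0-preview.1"
    # Invoke-WebRequest exposes the status code and headers; a 401 still throws here
    $resp = Invoke-WebRequest -Uri $uri -Headers $Header -Method Get -UseBasicParsing

    # A rejected credential can come back as 203 with an HTML sign-in page rather than JSON
    $contentType = [string]$resp.Headers['Content-Type']
    if ($resp.StatusCode -ne 200 -or $contentType -notlike 'application/json*') {
        throw "Not authenticated: HTTP $($resp.StatusCode), Content-Type '$contentType'."
    }
    return ($resp.Content | ConvertFrom-Json).value | ForEach-Object { $_.name }
}

# The PAT is read from an environment variable (assumed name) rather than hard-coded
$header = New-PatAuthHeader -PersonalToken $env:AZDO_PAT
Get-GroupEntitlementNames -OrgUrl 'https://vsaex.dev.azure.com/{org name}' -Header $header
```

Reading the PAT from the environment also keeps it out of the script file and out of anything pasted into a public post.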