Get information via Poweshell and Icinga Director API

I try to get information via Icinga director API with Powershell.
Does anyone have any idea how I can solve the problem(s)?

Here my Code:
[string]$DirectorUrl = “

$directorUser = “user”
$directorPass = “password”

#Convert Credentials to Base64 for URL Header
$bytes = [System.Text.Encoding]::UTF8.GetBytes((’{0}:{1}’ -f $directorUser , $directorPass))
$authorization = ‘Basic {0}’ -f ([Convert]::ToBase64String($bytes))

#Create a new Header
$headers = New-Object “System.Collections.Generic.Dictionary[[String],[String]]”

#Add converted Authorization
$headers.Add(“Authorization”, “$authorization”)
#Add Application type

Invoke-RestMethod -Method GET -Headers $headers -Uri “$DirectorURL/host?”

If I use a non admin powershell I get the following result:
Invoke-RestMethod : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

If I use a powershell with admin privileges I get the following result:
Invoke-RestMethod : The remote server returned an error: (401) Unauthorized.

I have tested the credentials with “RESTED” a Firefox extension.

I’m not really familiar with PowerShell so I can’t give you a special hint for this.
But maybe the source code of the “Icinga 2 Powershell Module” helps you to find some ideas for this.

add this somewhere before the connection and try again:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

This only allows TLS12 for your script. Microsoft not configured tls1.2 to be enabled by default

Btw. for some reason I needed the “Convert credential” thing on one of my installations. It normally works with Invoke-Restmethod -Credential switch too and without the conversion.

Invoke-RestMethod -Method Get -Headers $headers -Uri “$BaseURL/host`?name=myhostname” -Credential $Credential

1 Like

I changed my script and the SSL/TLS Error is not present but i get the Message “Invoke-RestMethod : The remote server returned an error: (401) Unauthorized.”

#Enable TLS 1.2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
[string]$DirectorUrl = “”

$directorUser = “user”
$directorPass = “password”

#Create Credentials Object
$password = ConvertTo-SecureString $directorPass -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($directorUser, $password)

#Create a new Header
$headers = New-Object “System.Collections.Generic.Dictionary[[String],[String]]”

#Add Application type

Invoke-RestMethod -Method GET -Headers $headers -Uri “$DirectorURL/host?” -Credential $Credential

#Output Credential

would say that this is correct. Do you used an icingaweb2 user or an api user?

Edit: my fault, havn’t seen that you tested the credentials :slight_smile:
Have you tried the same with your first script?
Very special chars in the password?

I used the user I had created in /etc/icinga2/conf.d/api-users.conf

object ApiUser “user” {
password = “password”
permissions = [ “*” ]

I have tried the first script with the additional line.
I try it at our staging envoriment, and have a password with no special chars.

thats an icinga2 api user, you need to use an icingaweb2 user with director/api access


Thanks for your help, that’s what it was.

I created a user under IcingaWeb2 → configuration → authentication → user → "Create new user

After that I created a new role under IcingaWeb2 → configuration → authentication → Rollen→ “Create new role” and in the module “director” I added the rights “General Module Access” and “director/*”. I added the user “user” to the role.

This gave me a correctly configured user for working with the Icinga Director API.

Then I wrote a script that creates the BasicAuthToken so that I can use it in the API script and the username and password are not visible in the API script.

#Step 0. Set User and Password
$username = “user”
$password = “pass”

#Step 1. Create a username:password pair
$credPair = “$($username):$($password)”

#Step 2. Encode the pair to Base64 string
$encodedCredentials = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($credPair))

#Step 3. Write.Output BasicAuth String
Write-Output $encodedCredentials

Now that I have a working user I have built a simple script for testing, it looks like this:

#Enable TLS 1.2 - Is disabled by default
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$headers = New-Object “System.Collections.Generic.Dictionary[[String],[String]]”

$headers.Add(“Accept”, “application/json”)

$headers.Add(“Authorization”, “Basic PasteBasicAuthStringhere”)

$response = Invoke-RestMethod ‘’ -Method ‘GET’ -Headers $headers

$response | ConvertTo-Json