Using Webservices with IWA via Perl


You can enable webservices at Admin > Configuration on the General tab. Checking the Enable Webservices check box makes the ASP.NET SOAP and REST webservices built into Secret Server available for use. Additional steps are needed in IIS to ensure proper access.

Integrated Windows Authentication (IWA) does not work on Secret Server Cloud.
This procedure only works if Secret Server on-premises is installed on IIS 7 or greater.


To enable IWA for webservices in IIS:

  1. Open IIS Manager (inetmgr).

  2. Expand the Sites node until you locate your Secret Server application or website

  3. Expand the Secret Server node to locate the winauthwebservices folder.

  4. Click on the winauthwebservices folder.

  5. Click on authentication in the Security section.

  6. Disable Anonymous Authentication.

  7. Enable Windows Authentication.

    If you are using IIS7 or greater and do not see this option, the option will need to be added through the server roles (webserver). IIS may give an alert about using both challenge and redirect-based authentication, which you can ignore.)
  8. Open Windows Explorer.

  9. Navigate to the winauthwebservices folder.

  10. Give read access to the winauthwebservices folder to the domain users and groups that will be using IWA to access the webservices.



The SOAP web service URL for IWA is <Secret Server URL>/winauthwebservices/sswinauthwebservice.asmx.

The method below uses the SecretServerGetSecret.ps1 PowerShell script to make the SecretGet WebService call, exposing it through the Perl package. The file uses the package to retrieve specific fields from the result.

The flow is as follows:

  1. Your Perl script ( makes a request to the package.

  2. The SecretServer.pmpackage passes the request on to the SecretServerGetSecret.ps1 PowerShell script.

  3. The SecretServerGetSecret.ps1 PowerShell script calls the Secret Server web services and authenticates using the service account that is running under.

  4. The results are passed back to and then on to your Perl script (

  5. Create the following three files:


# Sample Powershell Script
# demonstrating retrieval of a Secret from Secret Server
# via web service protected by Windows Authentication
# returned as Xml

$where = $args[0]
$secretId = $args[1]
$ws = New-WebServiceProxy -uri $where -UseDefaultCredential
$wsResult = $ws.GetSecret($secretId)
$res = convertto-xml $wsResult.Secret -As string -Depth 20

package SecretServer;
use strict;

sub usage {
    print "\nUsage: GetSecret [webservice url] [secretid]\n";

sub new {
    my($class, %args) = @_;
    my $self = bless({}, $class);

sub get_secret {

    my($self, $url, $secretid) = @_;
    my $result = powershell.exe .\\SecretServerGetSecret.ps1 $url $secretid;

sub get_field_from_result {

    my($self, $result, $field) = @_;
    $result =~/<Property Name="Value" Type="System.String">([^<>]+)<\/Property>(?:\s*<Property Name="(?!FieldName)[^"]+"[^>]+>[^<]+<\/Property>\s*)*<Property Name="FieldName"[^<>]+>$field<\/Property>/gsi;


# this is if you want to execute the Get Secret call manually from the command line
# if (@ARGV != 2)
# {
  # usage();  # Call subroutine usage()
  # exit();   # When usage() has completed execution,
            # # exit the program.
# }

# my $url = $ARGV[0];
# my $secretid = $ARGV[1];
# my $result = powershell.exe .\\SecretServerGetSecret.ps1 $url $secretid;

# print $result;

use lib 'C:/<Path to the file>';
use SecretServer;

my $x = SecretServer->new();

# Change this value to match your URL
my $url = '<Secret Server Url>/winauthwebservices/sswinauthwebservice.asmx';

# Change this value to match your desired Secret Id
my $secretid = 17;

my $result = $x->get_secret($url, $secretid);
my $username = $x->get_field_from_result($result, 'UserName');
my $password = $x->get_field_from_result($result, 'Password');
print "$username : $password";