From 82556748879035c986f2fee2543cd8d5cee17ac9 Mon Sep 17 00:00:00 2001
From: Ryan Bolger
Date: Fri, 23 Aug 2024 10:36:41 -0700
Subject: [PATCH] Fix Azure IMDS auth for Arc-enabled servers running PowerShell 7 (#562)
---
 Posh-ACME/Plugins/Azure.ps1 | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/Posh-ACME/Plugins/Azure.ps1 b/Posh-ACME/Plugins/Azure.ps1
index 3b936594..6c9f2816 100644
--- a/Posh-ACME/Plugins/Azure.ps1
+++ b/Posh-ACME/Plugins/Azure.ps1
@@ -500,7 +500,18 @@ function Connect-AZTenant {
 } catch {
 # Arc-enabled servers will send a 401 response prompting to retry with Basic auth using the contents
 # of a local file specified in the WWW-Authenticate header.
- if (401 -eq $_.Exception.Response.StatusCode -and ($authHeader = $_.Exception.Response.Headers['WWW-Authenticate'])) {
+ # But the way we access the headers in the response is different between PowerShell 5.1 and 7+ because
+ # the .NET types are significantly different.
+ if ($_.Exception.Response -and 401 -eq $_.Exception.Response.StatusCode) {
+ $exHeaders = $_.Exception.Response.Headers
+ if ('WwwAuthenticate' -in $exHeaders.PSObject.Properties.Name) {
+ $authHeader = $exHeaders.WwwAuthenticate.Parameter
+ } elseif ('WWW-Authenticate' -in $exHeaders) {
+ $authHeader = $exHeaders['WWW-Authenticate']
+ } else {
+ Write-Debug "No WWW-Authenticate header found. Re-throwing exception"
+ throw
+ }
 # parse the file name and get the contents
 Write-Debug "WWW-Authenticate header: $authHeader"
 $keyFile = $authHeader.Split('=')[1]
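Review bot: On PowerShell 7 the new `else` re-throw probably never runs, because `WwwAuthenticate` looks like a typed property that is always present on the response headers (inferred from the .NET type, not visible here), so a 401 with no challenge leaves `$authHeader` as `$null` and the later `$authHeader.Split('=')[1]` fails with a null-method error that hides the original 401. Testing the value rather than the property would cover both runtimes: after the `if`/`elseif`, `if (-not $authHeader) { Write-Debug "No WWW-Authenticate header found. Re-throwing exception"; throw }`. Since `$keyFile` is taken straight from the response header and is presumably read and sent back as the Basic credential, it would also be worth checking that the challenge scheme is `Basic` and that the path resolves inside the Arc agent's token directory before reading it. Connect-AZTenant starts and ends outside this hunk, so the file read itself is not visible.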