API Authentication Failed


Homoud

Hi All,

I have been struggling for a while to authenticate with an API using AutoIT. I am able to do the same in PowerShell using the following code, with successful authentication:

$headers = @{ Authorization="PS-Auth key=<API KEY>; runas=<API User>; pwd=[<Password>];"; };
$uri = "https://<Domain>/BeyondTrust/api/public/v3/Auth/SignAppin";


$signinResult = Invoke-RestMethod -Uri $uri -Method POST -Headers $headers -SessionVariable script:session;
$signinResult

 

I am trying to use the following AutoIT script

 

#include "WinHttp.au3"


post_authentication_test()

Func post_authentication_test()
    Local $oHttp   = Null, _
          $oComErr = Null

    Local $iHttpStatus = 0

    Local $sResponse = "", _
          $sPostData = ""

    ConsoleWrite(@CRLF & "Executing API" & @CRLF)

    ;Set COM error handler
    $oComErr = ObjEvent("AutoIT.Error", "com_error_handler")

    ;Create a HTTP COM object
    $oHttp = ObjCreate("winhttp.winhttprequest.5.1")
    If @error Then
        ConsoleWrite("Unable to create http request object." & @CRLF)
        Exit -1
    EndIf
    ConsoleWrite("WinHttpRequest object created." & @CRLF)

    With $oHttp


        ;Open POST request
        $hrequest = .Open("POST", "https://<Domain>/BeyondTrust/api/public/v3/Auth/SignAppin", False)

        ;Set request headers and options
        .SetRequestHeader( "Content-Type", "application/json")
        .SetRequestHeader( "authorization", "PS-Auth key=<API Key>; runas=<API User>; pwd=[<Password>];")

        ;Send request
        .Send($hrequest)
        If @error Then
            ConsoleWrite(StringFormat("SEND ERROR: (0x%X) %s", $oComErr.Number, $oComErr.Description) & @CRLF)
            Return
        EndIf

        ;Get status code and response
        $iHttpStatus = .Status
        $sResponse   = .ResponseText

        ;If status code isn't okay
        If $iHttpStatus <> 200 Then
            ConsoleWrite("HTTP Status  : " & String($iHttpStatus) & @CRLF)
            ConsoleWrite("HTTP Response: " & @CRLF & $sResponse & @CRLF)
            Return
        EndIf
    EndWith

    ConsoleWrite("API Response:" & @CRLF & $sResponse & @CRLF)
EndFunc

Func com_error_handler($oError)
    Return
EndFunc

I am getting the following error in the console (Screenshot attached)

SEND ERROR: (0x80020009) A certificate is required to complete client authentication

I have used the same AutoIT script with another API, and it was working; the other API doesn't use any key, only basic authentication (User and Password).

I am sure the API doesn't need a certificate to authenticate, and I tried to bypass this from the script with no luck.

 

Any idea how to make this work?

Appreciate your help

Link to comment
Share on other sites

I know my code when I see it.  ;)  That example was taken from the post below. 

The inclusion of the winhttp.au3 UDF is not needed when using the winhttp.winhttprequest COM object.

What's the web server's domain name that you are trying to connect to?  That web server is requiring a certificate as it says.  If it's an in-house web server or one that's under your control and you don't think that it should be requesting a certificate to connect, then it may be misconfigured.  If it's a publicly accessible server, then it could be some other reason like a proxy issue or something else completely unrelated.  You have not provided enough information to know. 

Also, why are you trying to capture the return value ($hrequest) from the open method and use it as the post data in the send method?  That's wrong for multiple reasons.  First, that particular BeyondTrust API (Auth/SignAppin) does not require any post data.  Secondly, if it did, it wouldn't usually be the return from the open method. Lastly, the open method doesn't return any value, just an empty string.

From the BeyondTrust API Guide 7.2:

POST Auth/SignAppin

Purpose
Authenticates the provided credentials and creates a user session.

Required Permissions
A user group to which the user belongs must be granted access to the API key given in authorization header. Must be running script from a valid source address as configured in API Registration for the given API key.

Request Body
None

Response Body
Content-Type: application/json

By the way, do you just create a new account every time you have a new question?  🤨😉

 

 

Edited by TheXman
Link to comment
Share on other sites
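
Added example (not part of the thread, and not TheXman's or BeyondTrust's code): the sign-in request from the first post with the points from the reply above applied, that is, no winhttp.au3 include, no return value captured from Open, and no body passed to Send. The BT_API_* environment variable names and the _SignAppIn and _ComErrHandler function names are assumptions made for this example; reading the key and password from the environment keeps them out of the script source, and the COM error handler reports the failure instead of discarding it.

```autoit
; Added example, not code from the thread. The BT_API_* names are assumptions.
Global $g_oComErr = ObjEvent("AutoIt.Error", "_ComErrHandler")

Global $g_sHost = EnvGet("BT_API_HOST") ; the <Domain> placeholder used in the posts
Global $g_sKey  = EnvGet("BT_API_KEY")
Global $g_sUser = EnvGet("BT_API_USER")
Global $g_sPwd  = EnvGet("BT_API_PWD")

If $g_sHost = "" Or $g_sKey = "" Or $g_sUser = "" Or $g_sPwd = "" Then
    ConsoleWrite("Set BT_API_HOST, BT_API_KEY, BT_API_USER and BT_API_PWD first." & @CRLF)
    Exit 1
EndIf

Global $g_sBody = _SignAppIn($g_sHost, $g_sKey, $g_sUser, $g_sPwd)
Global $g_iErr = @error, $g_iExt = @extended
Switch $g_iErr
    Case 0
        ConsoleWrite("API Response:" & @CRLF & $g_sBody & @CRLF)
    Case 3
        ConsoleWrite("HTTP Status  : " & $g_iExt & @CRLF & "HTTP Response: " & $g_sBody & @CRLF)
    Case Else
        ConsoleWrite("Request was not completed (see the COM error above)." & @CRLF)
EndSwitch

; POST Auth/SignAppin with the PS-Auth header and an empty request body.
; @error: 1 = object not created, 2 = COM failure, 3 = non-200 (status in @extended).
Func _SignAppIn($sHost, $sKey, $sUser, $sPwd)
    Local $oHttp = ObjCreate("WinHttp.WinHttpRequest.5.1")
    If Not IsObj($oHttp) Then Return SetError(1, 0, "")

    ; Open is called for its effect only; its return value is not used
    $oHttp.Open("POST", "https://" & $sHost & "/BeyondTrust/api/public/v3/Auth/SignAppin", False)
    $oHttp.SetRequestHeader("Authorization", _
        "PS-Auth key=" & $sKey & "; runas=" & $sUser & "; pwd=[" & $sPwd & "];")
    $oHttp.Send() ; the API guide lists the request body as None
    If @error Then Return SetError(2, 0, "")

    If $oHttp.Status <> 200 Then Return SetError(3, $oHttp.Status, $oHttp.ResponseText)
    Return $oHttp.ResponseText
EndFunc

; Print the COM failure (number, script line, descriptions) instead of swallowing it.
Func _ComErrHandler($oError)
    ConsoleWrite(StringFormat("COM error 0x%08X at line %d: %s / %s", $oError.number, _
        $oError.scriptline, $oError.description, $oError.windescription) & @CRLF)
EndFunc
```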

  • 3 weeks later...

@TheXman

 

Firstly, sorry for the late reply; I haven't got any notification.

Secondly, I would really like to express my high appreciation for your comments addressing this post; it is really nice how you are explaining and trying to help. Thank you.

Thirdly, no, this is my first account here, and actually this is my first time in my whole life posting a technical question. Usually I dig till I find the answer, but this time I am stuck in achieving a successful code with something a bit important.

Quote

I know my code when I see it.  ;)  That example was taken from the post below. 

I am not an expert in AutoIT and am trying to learn; your example code was very useful to me and it works fine with another API (with Basic Authentication and not using POST in authentication).

Quote

The inclusion of the winhttp.au3 UDF is not needed when using the winhttp.winhttprequest COM object.

 

I came to know this after I dug into it, but as I am using different tests, I am just keeping them at the top 😅. I tried using winhttp.au3 and winhttp.winhttprequest directly, with no luck so far.

Quote

What's the web server's domain name that you are trying to connect to?  That web server is requiring a certificate as it says.  If it's an in-house web server or one that's under your control and you don't think that it should be requesting a certificate to connect, then it may be misconfigured.  If it's a publicly accessible server, then it could be some other reason like a proxy issue or something else completely unrelated.  You have not provided enough information to know. 

It is an internal server, not a published one. Authentication supports but doesn't require a certificate; it is an available option but I haven't enabled it, and I am quite sure about this, because when I connect using PowerShell it works without a certificate. I have already shared the working code above.

I also tried the code below to skip this error, but with no luck:

.Option(Result, WINHTTP_OPTION_CLIENT_CERT_CONTEXT, WINHTTP_NO_CLIENT_CERT_CONTEXT, 0);

and something like below

DllCall($hWINHTTPDLL__WINHTTP, "bool", "WinHttpSetOption", "handle", $hRequest, "dword", $WINHTTP_OPTION_CLIENT_CERT_CONTEXT, "ptr", NULL, "dword", 0)

 

Quote

Also, why are you trying to capture the return value ($hrequest) from the open method and use it as the post data in the send method?  That's wrong for multiple reasons.  First, that particular BeyondTrust API (Auth/SignAppin) does not require any post data.  Secondly, if it did, it wouldn't usually be the return from the open method. Lastly, the open method doesn't return any value, just an empty string.

No particular reason; it is just a trial-and-error approach and a lack of knowledge of the code.

 

As per my understanding, this issue happens when the API server supports but does not require a client certificate. Is there any way to make the code ignore the certificate part?

 

Appreciate your help

 

 

Link to comment
Share on other sites

On 3/13/2021 at 2:57 PM, Homoud said:

Firstly, sorry for the late reply; I haven't got any notification.

It's not a "late reply".  It's an attempt to re-engage on a topic that you abandoned.  I replied to your initial post the same day that you posted it, almost 3 weeks ago.  Given that we may not be in the same country or time zone, I can understand a reply that takes a day or two, but 2.5 weeks is ridiculous.  If this topic was as important as you say, notification or not, one would think that you would've checked to see if anyone had replied long before now.  I don't have the patience to try to help people that don't promptly reply.  There are plenty of others that may be able to help you.  Hopefully, for your sake, one of them has more patience than I do and is willing to deal with your "sense of urgency". 

On 3/13/2021 at 2:57 PM, Homoud said:

I would really like to express my high appreciation for your comments addressing this post; it is really nice how you are explaining and trying to help. Thank you.

You're welcome.

Edited by TheXman
fixed typo
Link to comment
Share on other sites

On 2/24/2021 at 7:35 PM, Homoud said:

AutoIT

!!! Argh..... AutoIt

EDIT:

 

 

Edited by mLipok

Link to comment
Share on other sites

@TheXman

 

Not sure what message you are trying to deliver, but I am sure it is irrelevant to the post.

It is not the end of life, my friend, and I don't believe you have the right to judge others or interpret things which you are completely unaware of.

 
