API Authentication Failed

Homoud · February 24, 2021

Hi All,

I am struggling for a while to authenticate with API using AutoIT, I am able to do the same on Powershell using the following code with successful authentication:

$headers = @{ Authorization="PS-Auth key=<API KEY>; runas=<API User>; pwd=[<Password>];"; };
$uri = "https://<Domain>/BeyondTrust/api/public/v3/Auth/SignAppin";


$signinResult = Invoke-RestMethod -Uri $uri -Method POST -Headers $headers -SessionVariable script:session;
$signinResult

I am trying to use the following AutoIT script

#include "WinHttp.au3"


post_authentication_test()

Func post_authentication_test()
    Local $oHttp   = Null, _
          $oComErr = Null

    Local $iHttpStatus = 0

    Local $sResponse = "", _
          $sPostData = ""

    ConsoleWrite(@CRLF & "Executing API" & @CRLF)

    ;Set COM error handler
    $oComErr = ObjEvent("AutoIT.Error", "com_error_handler")

    ;Create a HTTP COM object
    $oHttp = ObjCreate("winhttp.winhttprequest.5.1")
    If @error Then
        ConsoleWrite("Unable to create http request object." & @CRLF)
        Exit -1
    EndIf
    ConsoleWrite("WinHttpRequest object created." & @CRLF)

    With $oHttp


        ;Open POST request
        $hrequest = .Open("POST", "https://<Domain>/BeyondTrust/api/public/v3/Auth/SignAppin", False)

        ;Set request headers and options
        .SetRequestHeader( "Content-Type", "application/json")
        .SetRequestHeader( "authorization", "PS-Auth key=<API Key>; runas=<API User>; pwd=[<Password>];")

        ;Send request
        .Send($hrequest)
        If @error Then
            ConsoleWrite(StringFormat("SEND ERROR: (0x%X) %s", $oComErr.Number, $oComErr.Description) & @CRLF)
            Return
        EndIf

        ;Get status code and response
        $iHttpStatus = .Status
        $sResponse   = .ResponseText

        ;If status code isn't okay
        If $iHttpStatus <> 200 Then
            ConsoleWrite("HTTP Status  : " & String($iHttpStatus) & @CRLF)
            ConsoleWrite("HTTP Response: " & @CRLF & $sResponse & @CRLF)
            Return
        EndIf
    EndWith

    ConsoleWrite("API Response:" & @CRLF & $sResponse & @CRLF)
EndFunc

Func com_error_handler($oError)
    Return
EndFunc

I am getting the following error in the console (Screenshot attached)

SEND ERROR: (0x80020009) A certificate is required to complete client authentication

I have used the same AutoIT script with other API, and it was working the other API it doesn't use any key only basic authentication (User and Password)

I am sure the API doesn't need certificate to authenticate, and I tried to bypass this from the script with no luck?

Any idea how to make this works?

Appreciate your help

TheXman · February 24, 2021

I know my code when I see it. That example was taken from the post below.

The inclusion of winhhtp.au3 udf is not needed when using the winhttp.winhttprequest com object.

What's the web server's domain name that you are trying to connect to? That web server is requiring a certificate as it says. If it's an in-house web server or one that's under your control and you don't think that it should be requesting a certificate to connect, then it may be misconfigured. If it's a publicly accessible server, then it could be some other reason like a proxy issue or something else completely unrelated. You have not provided enough information to know.

Also, why are you trying to capture the return value ($hrequest) from the open method and use it as the post data in the send method? That's wrong for multiple reasons. First, that particular BeyondTrust API (Auth/SignAppin) does not require any post data. Secondly, if it did, it wouldn't usually be the return from the open method. Lastly, the open method doesn't return any value, just an empty string.

From the BeyondTrust API Guide 7.2:

POST Auth/SignAppin

Purpose
Authenticates the provided credentials and creates a user session.

Required Permissions
A user group to which the user belongs must be granted access to the API key given in authorization header. Must be running script
from a valid source address as configured in API Registration for the given API key.

Request Body
None

Response Body
Content-Type: application/json

By the way, do you just create a new account every time you have a new question? 🤨😉

Edited February 26, 2021 by TheXman

JockoDundee · February 24, 2021

1 hour ago, TheXman said:

By the way, do you just create a new account every time you have a new question?

“Not only do I know my code when I see it, I know yours when I see it...”

Homoud · March 13, 2021

@TheXman

Firstly, sorry for the late reply I haven't got any notification.

Secondly, I would really would like to express my high appreciation for your comments addressing this post, it is really nice how you are explaining and trying to help, Thank you.

Thirdly, no this is my first account here, and actually this my first time in whole my life posting a technical question, usually I dig till I find the answer, but this time I am stuck in achieving a successful code with something a bit important.

Quote

I know my code when I see it. That example was taken from the post below.

I am not an expert of AutoIT and trying to learn, you example code was very useful to me and it works fine with other API (With Basic Authentication and not using Post in Authentication)

Quote

The inclusion of winhhtp.au3 udf is not needed when using the winhttp.winhttprequest com object.

I came to know this after I dig it, but as I am using different tests, I am just keeping them in the top 😅, I tired using winhttp.au3 and directly winhttp.winhttprequest with no luck so far.

Quote

What's the web server's domain name that you are trying to connect to? That web server is requiring a certificate as it says. If it's an in-house web server or one that's under your control and you don't think that it should be requesting a certificate to connect, then it may be misconfigured. If it's a publicly accessible server, then it could be some other reason like a proxy issue or something else completely unrelated. You have not provided enough information to know.

It is internal server, not a published one. Authentication supports but doesn't require certificate, it is an available option but I haven't enabled it, and I am quite sure about this, because when I connect using Powershell it works without certificate, I have already shared the working code above.

I also tried the below code to skip this error but with no luck

.Option(Result, WINHTTP_OPTION_CLIENT_CERT_CONTEXT, WINHTTP_NO_CLIENT_CERT_CONTEXT, 0);

and something like below

DllCall($hWINHTTPDLL__WINHTTP, "bool", "WinHttpSetOption", "handle", $hRequest, "dword", $WINHTTP_OPTION_CLIENT_CERT_CONTEXT, "ptr", NULL, "dword", 0)

Quote

Also, why are you trying to capture the return value ($hrequest) from the open method and use it as the post data in the send method? That's wrong for multiple reasons. First, that particular BeyondTrust API (Auth/SignAppin) does not require any post data. Secondly, if it did, it wouldn't usually be the return from the open method. Lastly, the open method doesn't return any value, just an empty string.

No particular reason, it is just a error and trial approach and leak in knowledge of the codes

As per my understanding, this issue happens when the API server supports but not requires client certificate, is there anyway make the code ignore the certificate part?

Appreciate your help

TheXman · March 14, 2021

On 3/13/2021 at 2:57 PM, Homoud said:

Firstly, sorry for the late reply I haven't got any notification.

It's not a "late reply". It's an attempt to re-engage on a topic that you abandoned. I replied to your initial post the same day that you posted it, almost 3 weeks ago. Given that we may not be in the same country or time zone, I can understand a reply that takes a day or two, but 2.5 weeks is ridiculous. If this topic was as important as you say, notification or not, one would think that you would've checked to see if anyone had replied long before now. I don't have the patience to try to help people that don't promptly reply. There are plenty of others that may be able to help you. Hopefully, for your sake, one of them has more patience than I do and is willing to deal with your "sense of urgency".

On 3/13/2021 at 2:57 PM, Homoud said:

I would really would like to express my high appreciation for your comments addressing this post, it is really nice how you are explaining and trying to help, Thank you.

You're welcome.

Edited March 15, 2021 by TheXman
fixed typo

mLipok · March 14, 2021

On 2/24/2021 at 7:35 PM, Homoud said:

AutoIT

!!! Argh..... AutoIt

EDIT:

Edited March 16, 2021 by mLipok

Jos · March 14, 2021

Nitpicker

Homoud · March 15, 2021

@TheXman

Not sure what message are you trying to deliver, but I am sure it is irrelevant to the post.

It is not the life end my friend, and I don't believe you have the right judge others or interpret things which you are completely not aware of

Sign In

API Authentication Failed

Recommended Posts

Homoud

Link to comment

Share on other sites

TheXman

Link to comment

Share on other sites

JockoDundee

Link to comment

Share on other sites

Homoud

Link to comment

Share on other sites

TheXman

Link to comment

Share on other sites

mLipok

Link to comment

Share on other sites

Jos

Link to comment

Share on other sites

Homoud

Link to comment

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members

Browse

AutoIt Resources

Release

Beta