Token Authentication


Scott Palmer

Jan 24, 2013, 12:35:40 AM
to devtarge...@googlegroups.com
I can't get Token Authentication to work.

I tried my own token and the System user's token, both successfully retrieved via:


using my browser when I was logged in.

Then I use curl to attempt a GET of the following URL, with the correct token filled in.  E.g.:


It fails with a 401 error.

Using my browser I can easily browse to that URL though.  In fact it is even successful if I include a bogus token, like literally the XXXXXXX above.  Presumably because the credentials are cached.

If I use a different browser that doesn't have my credentials cached and a valid token, I am still prompted to enter my credentials.

Is there some special setup required on the server to get token authentication to work?  It seems as if the request isn't even getting to TP before the server has decided that I must authenticate.  Is token authentication incompatible with certain server settings?  We are using NTLM authentication.  Here are the server response headers:

X-UA-Compatible:IE=edge
WWW-Authenticate:Negotiate
WWW-Authenticate:NTLM
Server:Microsoft-IIS/7.5
Date:Thu, 24 Jan 2013 05:30:22 GMT
Content-Type:text/html
Content-Length:1293


Regards,

Scott

Vyacheslav Volov

Feb 1, 2013, 7:51:33 AM
to devtarge...@googlegroups.com
Hello Scott, 
As far as I understand, your REST client doesn't send any NTLM auth, while the REST API obviously has only Windows authentication enabled because it's inherited from the root level.  As a workaround I would recommend you navigate to the api/v1 folder in IIS and enable basic authentication for this folder. Here's the screenshot - http://screencast.com/t/mcAzRHCHmR
It is even possible to disable Windows authentication for that folder too, but this may lead to some problems with using TargetProcess from browsers depending on your environment.  Please try to experiment with these settings.
 
Best regards, 
Slava

Scott Palmer

Apr 9, 2013, 2:25:05 PM
to devtarge...@googlegroups.com
Well, I finally got Basic Authentication enabled on api/v1, but it still doesn't work.  I also tried disabling NTLM authentication on that path and still nothing.

It always fails, despite using the authentication token of either my own login or the system user.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;} 
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;} 
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} 
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
 <div class="content-container"><fieldset>
  <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
  <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
 </fieldset></div>
</div>
</body>
</html>

I don't understand what is wrong.  But as far as I can tell Token Authentication simply doesn't work.  The other authentication mechanisms appear to fail the request before TP can ever see the token.

Any help is appreciated.

Scott

Scott Palmer

Apr 9, 2013, 2:52:30 PM
to devtarge...@googlegroups.com
Finally figured it out after much experimenting...  You must enable Anonymous access to the api/v1 folder. (You can leave the NTLM authentication enabled as well).
That way TP fails anything without a token, but works when the token is supplied.

Scott
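
An added example, not written by anyone in the thread: a small Python check that reads response headers like the ones quoted in the first message and reports whether a 401 came from the web server's own authentication challenge, which is issued before the application can inspect a token. The function names, the Basic realm value and the "no challenge means the application answered" rule are assumptions; the thread does not show TargetProcess's own response to a missing token.

```python
# Sample headers are constructed, modelled on those quoted in the thread.
WINDOWS_SCHEMES = {"negotiate", "ntlm"}

def parse_headers(raw):
    """Parse 'Name:value' lines; repeated headers are kept as a list."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def challenge_schemes(headers):
    """Scheme of each WWW-Authenticate header (assumes one challenge per line)."""
    schemes = []
    for value in headers.get("www-authenticate", []):
        parts = value.split(None, 1)
        if parts:
            schemes.append(parts[0].lower())
    return schemes

def diagnose(status, raw_headers):
    """Say which layer most likely rejected the request."""
    schemes = challenge_schemes(parse_headers(raw_headers))
    if status != 401:
        return "not-401", schemes
    if WINDOWS_SCHEMES & set(schemes):
        # Server wants Windows credentials; a token-only client stops here.
        return "server-windows-auth", schemes
    if "basic" in schemes:
        # Server wants a username/password pair, still ahead of the application.
        return "server-basic-auth", schemes
    # No server challenge: assumption is that the application answered.
    return "application", schemes

NTLM_ONLY = """
WWW-Authenticate:Negotiate
WWW-Authenticate:NTLM
Server:Microsoft-IIS/7.5
Content-Type:text/html
"""
BASIC_ADDED = """
WWW-Authenticate:Basic realm="example"
Server:Microsoft-IIS/7.5
"""

if __name__ == "__main__":
    print(diagnose(401, NTLM_ONLY))
    print(diagnose(401, BASIC_ADDED))
```

Once Anonymous access is enabled on api/v1 the server stops challenging, so the application's token check is the only gate on that path; a request sent without a token should still come back rejected.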