Dear Support,
We are facing issues using the REST API: "http request was forbidden with client authentication scheme 'Basic'". Could anyone help here?
Regards
Chethan Kumar G
Let's start by gathering some info about your setup.
Same issue here.
Example with PowerShell
$URI = 'https://primaryserver:17778/SolarWinds/InformationService/v3/Json/Query?query='
$Query = 'SELECT Top 10 Caption FROM Orion.Nodes'
Invoke-RestMethod -Uri "$URI$Query" -Method Get -Credential $Cred -Verbose
VERBOSE: GET https://primaryserver:17778/SolarWinds/InformationService/v3/Json/Query?query=SELECT Top 10 Caption FROM Orion.Nodes with 0-byte payload
Invoke-RestMethod : The remote server returned an error: (403) Forbidden.
Example with SWQL Studio using Orion (v3) over HTTPS
Is this issue specific to using AD accounts? In other words, do you have the same problem when using an Orion account?
Check the SWIS log for errors at the time of these requests (C:\ProgramData\SolarWinds\InformationService\v3.0\Orion.InformationService.log). Also check the "Application" Windows event log on the Orion server.
Yes, Orion accounts work fine. Orion.InformationService.log doesn't have anything besides service start information, Windows event log as well. I have a trace file I can share privately.
Ok. Send the trace to first.last@company.com and I'll take a look.
Was that a typo in the email address (first.last@company.com)? I sent you a private message via thwack with the uploaded log file location.
My address is not literally "first.last@company.com". But anyway I received the trace via the thwack message. Here's the error you are hitting:
Exception details: System.DirectoryServices.Protocols.DirectoryOperationException: The server cannot handle directory requests.
at System.DirectoryServices.Protocols.ErrorChecking.CheckAndSetLdapError(Int32 error)
at System.DirectoryServices.Protocols.LdapSessionOptions.FastConcurrentBind()
at System.DirectoryServices.AccountManagement.CredentialValidator.BindLdap(NetworkCredential creds, ContextOptions contextOptions)
at System.DirectoryServices.AccountManagement.CredentialValidator.Validate(String userName, String password)
at System.DirectoryServices.AccountManagement.PrincipalContext.ValidateCredentials(String userName, String password)
at SolarWinds.Data.Providers.Orion.OrionAccountValidator.CheckWindowsAccountPassword(String username, String password)
at SolarWinds.Data.Providers.Orion.OrionAccountValidator.Validate(String username, String password, Boolean skipPasswordCheck)
at System.IdentityModel.Selectors.CustomUserNameSecurityTokenAuthenticator.ValidateUserNamePasswordCore(String userName, String password)
at System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token)
at System.ServiceModel.Channels.HttpChannelListener.ProcessRequiredAuthentication(HttpListenerContext listenerContext)
at System.ServiceModel.Channels.HttpsChannelListener`1.ProcessAuthentication(HttpListenerContext listenerContext)
at System.ServiceModel.Channels.HttpRequestContext.ProcessAuthentication()
at System.ServiceModel.Channels.HttpChannelListener`1.HttpContextReceivedAsyncResult`1.Authenticate()
at System.ServiceModel.Channels.HttpChannelListener`1.HttpContextReceivedAsyncResult`1.ProcessHttpContextAsync()
I have seen this pattern at a couple of customers before. We can probably work around it, but I have yet to identify a root cause.
This is an error from the .NET Framework’s PrincipalContext.ValidateCredentials method. You can use PowerShell on the Orion server to test this API with no SolarWinds code involved:
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$pc = New-Object System.DirectoryServices.AccountManagement.PrincipalContext @("Domain", "your-domain-name")
$pc
$pc.ValidateCredentials("your-username", "your-password")
The expected outcome is that the “$pc” command will print something like this:
ContextType : Domain
Name : your-domain-name
Container :
UserName :
Options : Negotiate, Signing, Sealing
ConnectedServer : your-domain-controller.your-domain-name
And the “$pc.ValidateCredentials” command will print “True” if you entered your password correctly and “False” otherwise.
If this throws the “The server cannot handle directory requests” exception, then we can proceed with troubleshooting from there. If it does not throw the exception, then the problem might be related to the user context that SWIS runs under. By default, this is “Local System”. To test this, open PowerShell as Local System and run those commands again.
The .NET method returned True when run under my user account.
ContextType : Domain
Name : FQDN...
Container :
UserName :
Options : Negotiate, Signing, Sealing
ConnectedServer : domain controller...
True
I ran those same commands as Local System and got the error below.
Exception calling "ValidateCredentials" with "2" argument(s): "The server cannot handle directory requests."
At line:1 char:1
tdanner, what are my next steps to get this resolved?
I recommend you open a case with Microsoft. You can show them a very short PowerShell script that works as a regular user but fails as Local System.
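A short repro script of the kind recommended above, added here as an example and not posted by anyone in the thread: it records which account the script runs as, which domain controller the context connected to, and either the ValidateCredentials result or the innermost exception, so the regular-user run and the Local System run can be compared side by side. The function name Test-DomainBind is hypothetical, 'your-domain-name' is the thread's placeholder, and the PsExec command in the comment assumes Sysinternals PsExec is available on the Orion server.

```powershell
# Added example, not from the thread. Run once as a regular user and once as
# Local System (assumption: a shell started with "psexec -s -i powershell.exe").
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-DomainBind {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    $ns = 'System.DirectoryServices.AccountManagement'
    # Same options the $pc output in the thread reports for the context.
    $explicit = [System.DirectoryServices.AccountManagement.ContextOptions]'Negotiate, Signing, Sealing'
    $net = $Credential.GetNetworkCredential()
    $pc = New-Object "$ns.PrincipalContext" -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain), $DomainName
    try {
        foreach ($case in 'TwoArgOverload', 'ExplicitOptions') {
            $row = [ordered]@{
                RunningAs       = [Security.Principal.WindowsIdentity]::GetCurrent().Name
                ConnectedServer = $null
                Overload        = $case
                Valid           = $null
                Error           = $null
            }
            try {
                $row.ConnectedServer = $pc.ConnectedServer
                if ($case -eq 'TwoArgOverload') {
                    $row.Valid = $pc.ValidateCredentials($net.UserName, $net.Password)
                } else {
                    $row.Valid = $pc.ValidateCredentials($net.UserName, $net.Password, $explicit)
                }
            } catch {
                # PowerShell wraps the .NET exception; report the innermost one.
                $inner = $_.Exception.GetBaseException()
                $row.Error = '{0}: {1}' -f $inner.GetType().FullName, $inner.Message
            }
            [pscustomobject]$row
        }
    } finally {
        $pc.Dispose()
    }
}

# Get-Credential prompts for the password instead of leaving it in command history.
Test-DomainBind -DomainName 'your-domain-name' -Credential (Get-Credential) | Format-List
```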