SWIS / SWQL Studio / API - Windows Group Authentication Issue

Hi All,

One of our SolarWinds NPM 2020.2 instances is experiencing authentication issues with SWIS and SWQL Studio connections.

SWIS and SWQL Studio connections to SolarWinds do not appear to allow authentication of active directory accounts configured for SolarWinds access via "Windows Groups".  SWQL Studio simply reports the following...

Capture.PNG

The Orion log on the primary poller reports the following when such an attempt is made:

WARN  SolarWinds.Data.Providers.Orion.OrionAccountValidator - (null) (null)  Invalid username or password for user 'DOMAIN\username' via password hash comparison.

Logins to the SolarWinds web front end/GUI authenticate via "Windows Groups" without any issues.

Connecting via SWIS/SWQL Studio using an individual account which is configured within SolarWinds (local Orion or active directory account) also works without any issues.

To rule out an issue with a specific windows group, a new group was created and configured for access within SolarWinds however the issue with SWIS/SWQL Studio connections also occurs with this new group.

We have other similar SolarWinds instances which allow "Windows Group" authentication via SWIS/SWQL Studio without any issues, so we know this authentication method should be possible.

Has anyone had similar issues?

Thanks.

  • Hi All,

    Still experiencing this issue I'm afraid. Can anyone offer any assistance?

    Thanks.

  •  I've seen this before if the user is authenticated via a Windows Group and has never logged into the web console. After logging in to the web console the user can then authenticate to the SDK/API. I suspect it's because prior to log in the user has no entry in the DB, even though its a "Group" authentication SolarWinds still records an entry for the user that logs in and where they received their permissions from. Once they log in then there is an entry that the SDK/API can check against.

  • Hi Christopher,

    Thanks for the reply.

    If I’ve never logged into SolarWinds web front end with the account, and I attempt to login to SWQL Studio, the "C:\ProgramData\SolarWinds\InformationService\v3.0\Orion.InformationService.log" reports the following:

    WARN  SolarWinds.Data.Providers.Orion.OrionAccountValidator - (null) (null)  Invalid username for user DOMAIN\username'.


    If I have previously logged into SolarWinds web front end with the account, and I attempt to login to SWQL Studio, the log reports:

    WARN  SolarWinds.Data.Providers.Orion.OrionAccountValidator - (null) (null)  Invalid username or password for user DOMAIN\username' via password hash comparison.


    If I then make the account an "individual account" Active Directory account in SolarWinds, I can successfully login to SWQL Studio and the Orion.InformationService.log reports the following:

    INFO SolarWinds.Orion.Web.OrionMixedModeAuth - (null) (null) Successfully retrieved WindowsIdentity for user DOMAIN\username

  • , I've spoken to one of the developers who has worked on Orion's authentication code.  He believes there is a problem with retrieving the SID for the user account.  His advice was to open a ticket with SolarWinds so we can fix the issue.  We will likely need debug logs (see Adjust logging levels with the SolarWinds Log Adjuster) from SWIS (C:\ProgramData\SolarWinds\InformationService\v3.0 on your Orion server, assuming a default installation).  The API is not officially supported, so send me a private message if you have difficulty getting the ticket opened.

  • Hi Dan, apologies for the delayed response. Thanks for your reply.

    I logged this forum post following advice from SolarWinds support.

    SolarWinds support performed some basic troubleshooting however ultimately explained the scope of their support with the API/SWQL Studio and advised the best way forward would be to submit this post.

    Anything you can do to help with further investigations would be much appreciated as I'm still experiencing this issue. I'll privately message you a note of the closed case reference.

    Thanks.

  • Just wondering if anyone has come to a conclusion with this issue. I've run into it recently as well. I had just started using the REST API a few weeks ago and it worked. Then I tried again last week and started getting the "invalid username or password" message. The message in the Orion.InformationService.log file is "Invalid username or password for user <domain\username> via password hash comparison. I've tried various combinations of my usersname and different computers. Using -trusted works just fine, but the script will be run from a server while logged in as a service account (different from the account that has access to Solarwinds). Using a local Solarwinds account also works, but I don't want to do that because multiple people will be using the script. Any suggestions?

  • Afraid to say there has been no resolution with this, I still need to perform the workaround which avoids being able to use windows security groups for access. I also upgraded to the latest 2020.2.1 in the hope that it may help fix but problem is still present.

    SolarWinds support simply point you to these forums as they "don't support the api".

  • Thanks NightEdition.  Yeah, I tried opening a ticket with support, but they saw "API" and sent me a blanket email pointing me to the forums.

    I did what you did and added my domain account as a user and was able to access the api, but obviously not ideal.  Especially when others on my team have no problems.

    Anyway, thanks for your response.

  • I'm having the same exact issue, all log events are the same as in NightEdition's post, for the different scenarios.

    I'm seeing this with just a regular webrequest to the :17778 API, which I believe has nothing to do with the SDK/SWQL-Studio. Or am i wrong?
    I haven't even installed the SDK, I'm using only the integrated REST API on port 17778, and I'm still having these issues.

    Why excatly wont Solarwinds give support on something that is part of the product? Or is this considered not "officially" supported anyway, even if it ships with the software?

    It really sucks how we have to manage API-access manually with setting up specific permissions pr. single user.

  • I believe SDK/SWQL-Studio uses the REST API on port 17778 too.

    SolarWinds stance on the API, including SWQL-Studio, is that it isn't a supported product!

    https://support.solarwinds.com/SuccessCenter/s/article/Support-for-Orion-SDK-and-other-API-related-tools?language=en_US


    SolarWinds Orion Core was built with an API (Application Program Interface) embedded to allow customers to be able to utilize their own tools or resources to gather specific monitoring information from the application. SolarWinds also has built their own tool for customers to use called the Orion SDK. This application includes documentation on SWIS and SWQL as well as SWQL Studio and SwisSnapin tools.

    When it comes to customer questions, concerns or issues using the Orion SDK or with the API in general, it's natural to seek out the technical support of SolarWinds for assistance. However, the Orion SDK and API use is not a component of the SolarWinds licensing model and as such, does not fall under the coverage of Technical Support. Technical Support is devoted to currently licensed applications and modules in good standing.

    This does not mean though that SolarWinds is unwilling to help or assist, it simply means that the support and assistance for this are conducted somewhere else outside of technical support. For such questions or issues that you may encounter, you can find assistance within our Thwack site dedicated to the Orion SDK\API located here: 

    https://thwack.solarwinds.com/t5/Orion-SDK/ct-p/orion-sdk

    Within the Orion SDK Lab portion of Thwack, you can post questions and issues that you have with the API or read through the many articles already in place that may pertain to your issue. The Thwack community is composed of other peer users that may have the answer you are looking for, but the SolarWinds development team is also present to assist as well as provide any announcements on changes to the SDK or API.