29 Replies Latest reply on Nov 16, 2017 3:39 PM by RichardLetts

    403 with rest api call

    r.sjouw

      I've seen a few other people with this issue, and some were resolved, but nowhere is a solution to be found.

       

      The code:

       

      $VLANNAAM = "Somevlan"

      $cred = get-credential

      $invoked = Invoke-RestMethod -Uri ("https://"+$Hostname+":17778/SolarWinds/InformationService/v3/Json/Query?query=SELECT GroupId,VLAN_Naam FROM IPAM.GroupNodeAttr WHERE (VLAN_Naam='$VLANNAAM')") -method Get -credential $cred

       

      For the credentials I've used a windows account, local account, database user.

      Nothing works, Always the 403 error.

       


        • Re: 403 with rest api call
          KMSigma

          This most commonly has to do with the certificate that's used by Orion for HTTPS communications.

           

          The quick and dirty way to handle this is to just trust all web certificates.  Below is a code snippet that I found years ago on PoshCode.com and continue to use to this day.  It will probably work for you.

          #region Ignore SSL Messages
          ## Choose to ignore any SSL Warning issues caused by Self Signed Certificates  
            
          ## Code From http://poshcode.org/624
          ## Create a compilation environment
          $Provider=New-Object Microsoft.CSharp.CSharpCodeProvider
          $Compiler=$Provider.CreateCompiler()
          $Params=New-Object System.CodeDom.Compiler.CompilerParameters
          $Params.GenerateExecutable=$False
          $Params.GenerateInMemory=$True
          $Params.IncludeDebugInformation=$False
          $Params.ReferencedAssemblies.Add("System.DLL") | Out-Null
          
          $TASource=@'
            namespace Local.ToolkitExtensions.Net.CertificatePolicy{
              public class TrustAll : System.Net.ICertificatePolicy {
                public TrustAll() { 
                }
                public bool CheckValidationResult(System.Net.ServicePoint sp,
                  System.Security.Cryptography.X509Certificates.X509Certificate cert, 
                  System.Net.WebRequest req, int problem) {
                  return true;
                }
              }
            }
          '@ 
          $TAResults=$Provider.CompileAssemblyFromSource($Params,$TASource)
          $TAAssembly=$TAResults.CompiledAssembly
          
          ## We now create an instance of the TrustAll and attach it to the ServicePointManager
          $TrustAll=$TAAssembly.CreateInstance("Local.ToolkitExtensions.Net.CertificatePolicy.TrustAll")
          [System.Net.ServicePointManager]::CertificatePolicy=$TrustAll
          
          ## end code from http://poshcode.org/624
          #endregion Ignore SSL Messages
          
            • Re: 403 with rest api call
              r.sjouw

              Sorry did not mention I already took that hurdle.

              I found a powershell function that does the same, trust all certificates.

               

              But still the same issue.

              I was getting an SSL/TLS error, but that's been gone when using this function.


                • Re: 403 with rest api call
                  KMSigma

                  ok - taking a step back.  I'm looking at your query, which (when normalized) is:

                  SELECT GroupId,VLAN_Naam FROM IPAM.GroupNodeAttr WHERE (VLAN_Naam='Somevlan')

                   

                  I'm using the SWQL Studio, and I'm not finding anything in the IPAM.GroupNodeAttr table.  What exactly are you trying to get with this query?

                    • Re: 403 with rest api call
                      r.sjouw

                      Ok I'll start from the beginning.

                       

                      We are rolling out automation center, and need to get the first free address from solarwinds IPAM, to provision a server.

                      As there is no Orchestrator plugin, or any other production-ready automation tool for IPAM, we are using the SDK to get this information.

                       

                      I've built a PowerShell script which gets the information from IPAM, using the module built by another Thwack member.

                      The field VLAN_Naam is a custom field which contains the name of the vlan, which matches to the port profile in VMWare.

                      In getting the VLAN_Naam field, we also get the GroupId, from which we can then get the free IP addresses, using the following query from the module:

                      $qry="SELECT SubnetID, IPOrdinal, IPAddress, IPAddressN, Alias, DnsBackward, Description, Comments, Status FROM IPAM.IPNode WHERE (Status = 2) AND (Comments IS NULL) AND (Alias IS NULL) AND (DNSBackward IS NULL) AND (SubnetID=$GroupID) ORDER BY IPOrdinal ASC"

                       

                      So far so good. This all works in PowerShell. But we need to get the information in the Orchestrator. This is where PowerShell fails.

                      The script does not run with PowerShell remoting (I've been in contact with a product manager from SolarWinds), not from the Orchestrator, where other scripts run fine remotely, and not from another server/workstation using a PowerShell remote session.

                       

                      So now I'm trying the REST API using Orchestrator, first building the script flow in PowerShell and then building it in Orchestrator.

                        • Re: 403 with rest api call
                          KMSigma

                          And VLAN_Naam is bound to the Node?  Also where did you get $GroupID from?

                           

                          P.S. - I'm mocking this up in my own development environment which is why I'm asking so many questions.


                          Update:

                          I just did this in my own lab from a machine that does not have the Orion SDK installed and pointed it to the Primary Polling Engine (though you can point it at an Additional Web Server).

                          function Trust-AllWebCertificates {
                          #region Ignore SSL Messages
                          ## Choose to ignore any SSL Warning issues caused by Self Signed Certificates  
                            
                          ## Code From http://poshcode.org/624
                          ## Create a compilation environment
                          $Provider=New-Object Microsoft.CSharp.CSharpCodeProvider
                          $Compiler=$Provider.CreateCompiler()
                          $Params=New-Object System.CodeDom.Compiler.CompilerParameters
                          $Params.GenerateExecutable=$False
                          $Params.GenerateInMemory=$True
                          $Params.IncludeDebugInformation=$False
                          $Params.ReferencedAssemblies.Add("System.DLL") | Out-Null
                          
                          $TASource=@'
                            namespace Local.ToolkitExtensions.Net.CertificatePolicy{
                              public class TrustAll : System.Net.ICertificatePolicy {
                                public TrustAll() { 
                                }
                                public bool CheckValidationResult(System.Net.ServicePoint sp,
                                  System.Security.Cryptography.X509Certificates.X509Certificate cert, 
                                  System.Net.WebRequest req, int problem) {
                                  return true;
                                }
                              }
                            }
                          '@ 
                          $TAResults=$Provider.CompileAssemblyFromSource($Params,$TASource)
                          $TAAssembly=$TAResults.CompiledAssembly
                          
                          ## We now create an instance of the TrustAll and attach it to the ServicePointManager
                          $TrustAll=$TAAssembly.CreateInstance("Local.ToolkitExtensions.Net.CertificatePolicy.TrustAll")
                          [System.Net.ServicePointManager]::CertificatePolicy=$TrustAll
                          
                          ## end code from http://poshcode.org/624
                          #endregion Ignore SSL Messages
                          }
                          
                          #region Main Body
                          Trust-AllWebCertificates
                          
                          $SwisUsername = "admin"
                          $SwisPassword = "P@ssw0rd"
                          $SwisCredentails = New-Object -TypeName System.Management.Automation.PSCredential -argumentlist $SwisUsername, ( ConvertTo-SecureString $SwisPassword -AsPlainText -Force )
                          $SwisHost = "orion.demo.lab"
                          
                          $SwqlQuery = "SELECT TOP 2 DisplayName, Description, Status, StatusDescription, StatusLED, UnManaged, UnManageFrom, UnManageUntil, DetailsUrl, Image, AncestorDisplayNames, AncestorDetailsUrls FROM System.ManagedEntity"
                          
                          $Uri = "https://$( $SwisHost ):17778/SolarWinds/InformationService/v3/Json/Query?query=$( $SwqlQuery )"
                          
                          $invoked = Invoke-RestMethod -Uri $Uri -Method Get -Credential $SwisCredentails
                          
                          $invoked.Results
                          #endregion Main Body
                          

                          Results:

                          DisplayName                                                        StatusDescription                                                 
                          -----------                                                        -----------------                                                 
                          Microsoft Exchange                                                 Critical                                                          
                          Microsoft Exchange                                                 Critical            
                          

                          The server on which I ran this is Windows 2012 R2 with $PSVersionTable.PSVersion.Major = 4.  I don't have a convenient place to check this with a previous version of PowerShell, but I can't imagine that it would be too much different.
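
An added example, not part of the original posts and not SolarWinds code: the TrustAll policy in the two snippets above accepts any certificate from any HTTPS server for the rest of the PowerShell session. This variant accepts a certificate with validation errors only when the request goes to the one Orion host and the certificate matches a pinned thumbprint. The class name PinnedOrionCert and the thumbprint placeholder are assumptions; it targets Windows PowerShell on .NET Framework, where Invoke-RestMethod honours ServicePointManager.

```powershell
# Added example (not from the thread). PinnedOrionCert is a hypothetical name.
$SwisHost         = 'orion.demo.lab'                     # host name used in the post above
$PinnedThumbprint = '<SHA1-THUMBPRINT-OF-ORION-CERT>'    # placeholder: read it from the certificate on the Orion server

Add-Type -TypeDefinition @'
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class PinnedOrionCert
{
    static string host;
    static string thumbprint;

    static bool Validate(object sender, X509Certificate cert,
                         X509Chain chain, SslPolicyErrors errors)
    {
        // Certificates that validate normally are accepted as usual.
        if (errors == SslPolicyErrors.None) return true;

        // Otherwise accept only the pinned certificate, and only for the pinned host.
        HttpWebRequest request = sender as HttpWebRequest;
        if (request == null || cert == null) return false;
        if (!string.Equals(request.RequestUri.Host, host, StringComparison.OrdinalIgnoreCase))
            return false;
        return string.Equals(cert.GetCertHashString(), thumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }

    public static void Install(string pinnedHost, string pinnedThumbprint)
    {
        host = pinnedHost;
        thumbprint = pinnedThumbprint.Replace(" ", "");
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }
}
'@

[PinnedOrionCert]::Install($SwisHost, $PinnedThumbprint)

# Same endpoint as in the post; the query is URL-encoded and the credential is prompted for.
$SwqlQuery = 'SELECT TOP 2 DisplayName, StatusDescription FROM System.ManagedEntity'
$Uri = "https://$($SwisHost):17778/SolarWinds/InformationService/v3/Json/Query?query=" +
       [uri]::EscapeDataString($SwqlQuery)
$invoked = Invoke-RestMethod -Uri $Uri -Method Get -Credential (Get-Credential)
$invoked.Results
```

Run it in a new PowerShell session rather than one where Trust-AllWebCertificates has already been called.
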

                            • Re: 403 with rest api call
                              r.sjouw

                              Using the query and code you provided I'm getting the same error : 403 :

                               

                              Invoke-RestMethod : The remote server returned an error: (403) Forbidden.
                              At D:\ProvisionVM\scripts\Solarwinds\newtest.ps1:51 char:12
                              + $invoked = Invoke-RestMethod -Uri $Uri -Method Get -Credential $SwisCredentails
                              +            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                                  + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
                                  + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

                               

                              I'm using the Windows admin account, and also using any other Windows service account user account or admin account, all the same error 403.

                              What kind of account are you using? The admin, is it a local Windows user or something else?

                    • Re: 403 with rest api call
                      wsoto

                      We are experiencing the exact issue. Was this ever resolved?  I do not see a resolution for this API connection issue.

                      • Re: 403 with rest api call
                        ekis

                        Can you try using the IP address instead of the hostname?

                        Or, can you try the FQDN instead of the hostname?

                        • Re: 403 with rest api call
                          mnchetz

                          I am seeing the exact same issue in my environment. The 403: forbidden error appears to be sporadic and occurs only when I try to connect to the Main poller; making REST calls to an additional webserver works fine. Has anyone found a resolution for this issue?

                            • Re: 403 with rest api call
                              tdanner

                              Could you provide some more details about what exactly you are seeing? Please include product version, screenshots, type of credentials used, etc.

                                • Re: 403 with rest api call
                                  rjordan

                                  I'm not sure if anyone has provided the requested details, but I'm having the same issue, so here goes:

                                  Orion Platform: 2017.1

                                  NCM: 7.6

                                  NPM: 12.1

                                   

                                   

                                  I initially started testing the API via the query_test.py sample found in orionsdk-python github. After entering my server and credentials, I get the following error: 403 Client Error: Forbidden for url: https://<IPAddress>:17778/SolarWinds/InformationService/v3/Json/Query. I tested using the IP address as well as the DNS name of my Orion server. I also tested authentication using the Orion admin credentials as well as my AD credentials. I get the same 403 error even with a bad password. I get the same error if I try hitting that URL in IE, FF, and Chrome.

                                    • Re: 403 with rest api call
                                      tdanner

                                      The next place to look would be in the SWISv3 log file on the Orion server: C:\ProgramData\SolarWinds\InformationService\v3.0\Orion.InformationService.log. Reproduce the error again and check that log for any details.

                                        • Re: 403 with rest api call
                                          rjordan

                                          Reproducing the 403 error does not log anything to that file. The only notable thing I found in that log file was an error that occurred earlier today when the API was actually working. My custom script had a bad type and it logged an exception running the query. I am stumped as to why the sample query script provided in the Python SDK works for a period of time then throws 403 errors for several hours. Once it starts to throw 403 errors nothing seems to help. I tried restarting SW services and restarting the server to no avail. When I check the next day, the same sample query script works fine.

                                            • Re: 403 with rest api call
                                              tdanner

                                              The next step to investigate this will be to use WCF tracing. This logging method is extremely verbose, so to avoid generating an unmanageable log file it is best to stop all Orion services, start "SolarWinds Information Service V3" only, reproduce the problem (generate the 403 error), and then immediately stop SWISv3.

                                               

                                               

                                              The steps:

                                               

                                               

                                              1. Make a backup copy of "C:\Program Files (x86)\SolarWinds\Orion\Information Service\3.0\SolarWinds.InformationService.Service.exe.config" and then edit it. Add these lines at the end of the file, right before the closing </configuration> line:

                                               

                                                  <system.diagnostics>
                                                      <sources>
                                                          <source name="System.ServiceModel"
                                                                  switchValue="Information, ActivityTracing"
                                                                  propagateActivity="true">
                                                              <listeners>
                                                                  <add name="xml" />
                                                              </listeners>
                                                          </source>
                                                          <source name="System.IdentityModel">
                                                              <listeners>
                                                                  <add name="xml" />
                                                              </listeners>
                                                          </source>
                                                      </sources>
                                                      <sharedListeners>
                                                          <add name="xml"
                                                               type="System.Diagnostics.XmlWriterTraceListener"
                                                               initializeData="c:\log\SWISv3.svclog" />
                                                      </sharedListeners>
                                                  </system.diagnostics>

                                               

                                              2. Create the "c:\log" directory.

                                              3. Stop all Orion services.

                                              4. Start only SolarWinds Information Service V3.

                                              5. Reproduce the problem.

                                              6. Stop SolarWinds Information Service V3.

                                              7. Undo the edit to SolarWinds.InformationService.Service.exe.config.

                                              8. Start all Orion services again.

                                              9. Zip up c:\log\SWISv3.svclog and email it to me: tim.danner@solarwinds.com.
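
An added example, not part of the original post and not SolarWinds code: steps 1, 2 and 7 of the procedure above scripted so that the config edit is made through the XML DOM, refuses to add a second `<system.diagnostics>` section, and is reverted from the backup afterwards. The function names and the `.pre-trace.bak` suffix are assumptions; the paths and the trace section are the ones given in the post.

```powershell
# Added example (not from the thread). Function names and the backup suffix are hypothetical.
$ConfigPath = 'C:\Program Files (x86)\SolarWinds\Orion\Information Service\3.0\SolarWinds.InformationService.Service.exe.config'
$BackupPath = "$ConfigPath.pre-trace.bak"
$TraceDir   = 'c:\log'

# The <system.diagnostics> section from step 1, unchanged.
$TraceXml = @'
<system.diagnostics>
  <sources>
    <source name="System.ServiceModel"
            switchValue="Information, ActivityTracing"
            propagateActivity="true">
      <listeners>
        <add name="xml" />
      </listeners>
    </source>
    <source name="System.IdentityModel">
      <listeners>
        <add name="xml" />
      </listeners>
    </source>
  </sources>
  <sharedListeners>
    <add name="xml"
         type="System.Diagnostics.XmlWriterTraceListener"
         initializeData="c:\log\SWISv3.svclog" />
  </sharedListeners>
</system.diagnostics>
'@

function Enable-SwisWcfTrace {
    # Steps 1 and 2: back up the config, add the trace section, create the log directory.
    if (Test-Path -LiteralPath $BackupPath) {
        throw "Backup already exists at $BackupPath; undo the previous trace first."
    }
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true
    $doc.Load($ConfigPath)
    # A section may appear only once per config file, so never append a second one.
    if ($doc.DocumentElement.SelectSingleNode('system.diagnostics')) {
        throw 'The config already has a <system.diagnostics> section; merge by hand.'
    }
    Copy-Item -LiteralPath $ConfigPath -Destination $BackupPath
    New-Item -ItemType Directory -Path $TraceDir -Force | Out-Null
    $fragment = $doc.CreateDocumentFragment()
    $fragment.InnerXml = $TraceXml
    [void]$doc.DocumentElement.AppendChild($fragment)   # lands right before </configuration>
    $doc.Save($ConfigPath)
}

function Disable-SwisWcfTrace {
    # Step 7: restore the original config from the backup, then drop the backup.
    Copy-Item -LiteralPath $BackupPath -Destination $ConfigPath -Force
    Remove-Item -LiteralPath $BackupPath
}
```

Call Enable-SwisWcfTrace from an elevated session before step 3 and Disable-SwisWcfTrace at step 7; stopping and starting the Orion services (steps 3 to 6 and 8) is left to the operator.
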

                                    • Re: 403 with rest api call
                                      zoomindia111

                                      Hello All,

                                       

                                      I have also started getting the same forbidden 403 issue as described above. Could someone please help us? When I spoke to the SW support team they said I can get help here. Need help urgently to fix this issue.

                                       

                                      Thanks

                                      ZM

                                      • Re: 403 with rest api call
                                        RichardLetts

                                        Has this been resolved -- this just started doing this in our environment (CASE#1360037)

                                         

                                        I'll try it with WCF debugging turned on if you need more output, but in our environment there are a lot of users...

                                        Richard