RESTful knowledge exchange
aquilino
Novice
Posts: 6
Liked: 1 time
Joined: Sep 17, 2014 7:40 pm
Full Name: John Aquilino
Contact:

Access denied after successful authentication

Post by aquilino »

Am building a piece of code for a client. Client has a licensed Veeam installation. Using RESTful XML API to attempt to perform queries of the server.

Authentication seems to succeed, but the sample in the 7.0 documentation shows to try to run "/api/backupServers". This returns "Access is denied". On further investigation, it appears to authorize only running "Reports" ("/api/reports/summary"). Attempts to retrieve using "/api/reports/summary" do work, but would like to use other API operations.

Is there some privilege level required/expected on the server? (We've been told the domain account we are authenticating with already has admin level access.)

Would like to use the RESTful API to query the status of jobs and tasks.

So issue is 1) we're not a licensed Veeam user as a development shop, 2) work is being done for another client, who _is_ a licensed Veeam user. Suggestions on how to go about resolving this?
veremin
Product Manager
Posts: 20270
Liked: 2252 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Access denied after successful authentication

Post by veremin »

Hi John, do you add the resulting X-RestSvcSessionId to the headers of subsequent requests? Also, just for the purpose of testing, can you use a different account (local admin, for instance) and see whether it makes any difference? Thanks.

Re: Access denied after successful authentication

Post by aquilino »

On the first question, yes, seems like we wouldn't have gotten the response that indicates we can execute "/api/reports/summary" if that wasn't done right.

On the other, we'll see what we can do.

Re: Access denied after successful authentication

Post by aquilino »

OK, more data.

When we post the user ID and credentials to "/api/sessionMngr", we get back the following response (raw XML follows):

```xml
<?xml version="1.0" encoding="utf-8"?>
<LogonSession Type="LogonSession"
              Href="https://msc-lex-sm000.thinkmsc.net/api/logonSessions/[UUID removed]"
              xmlns="http://www.veeam.com/ent/v1.0"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Links>
    <Link Href="https://msc-lex-sm000.thinkmsc.net/api/" Type="EnterpriseManager" Rel="Up"/>
    <Link Href="https://msc-lex-sm000.thinkmsc.net/api/reports/summary" Name="Summary" Type="Report" Rel="Down"/>
    <Link Href="https://msc-lex-sm000.thinkmsc.net/api/logonSessions/[UUID removed]" Type="LogonSession" Rel="Delete"/>
  </Links>
  <UserName>THINKMSC\maryville_vmw.sa</UserName>
  <SessionId>[UUID removed]</SessionId>
</LogonSession>
```

Note the "UserName" is provided in the reply, which we understood from the docs indicating that it understood the login credentials and successfully logged us on. Is that true, or not true? We do get back a header "X-RestSvcSessionId", which is later used for requests. The statement of "only indicates we can run reports" is assumption on our part that the "Link" element of "Type=Report" is indicating it will accept requests from us for reports. Docs have an example that also shows links for "/api/backupServers", "/api/jobs", etc. We do not see those in our login response.

Assuming we can rework the code to use an alternate account, what will that tell us? If a different account works, is it because of some access setting on the server that is not set for this account? We have not yet found documentation that helps clarify if there are any access control restriction/permission setting required for access to XML API.

Note: Text string "[UUID removed]" represents a GUID provided in the original response which we've removed for security reasons. There were 3 occurrences, and all of the same value.
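An added example, not part of the original post or of Veeam's code: the `Links` list in the logon response can be read as the set of resources the session is entitled to, which lets a client separate an authorization gap from an authentication failure before it calls an endpoint. The XML is a constructed sample modelled on the response above (placeholder host, account and UUID), the function names are hypothetical, and it assumes requested paths match the advertised `Href` paths exactly.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace taken from the LogonSession response quoted in the post.
NS = {"v": "http://www.veeam.com/ent/v1.0"}

# Constructed sample: same shape as the quoted response, placeholder values.
SAMPLE_LOGON = r"""<LogonSession Type="LogonSession"
    Href="https://em.example.test/api/logonSessions/00000000-0000-0000-0000-000000000000"
    xmlns="http://www.veeam.com/ent/v1.0">
  <Links>
    <Link Href="https://em.example.test/api/" Type="EnterpriseManager" Rel="Up"/>
    <Link Href="https://em.example.test/api/reports/summary" Name="Summary" Type="Report" Rel="Down"/>
    <Link Href="https://em.example.test/api/logonSessions/00000000-0000-0000-0000-000000000000"
          Type="LogonSession" Rel="Delete"/>
  </Links>
  <UserName>EXAMPLE\svc.account</UserName>
  <SessionId>00000000-0000-0000-0000-000000000000</SessionId>
</LogonSession>"""


def advertised_paths(logon_xml):
    """Return {url_path: link_type} for every Rel="Down" link in a LogonSession."""
    root = ET.fromstring(logon_xml)
    paths = {}
    for link in root.findall("v:Links/v:Link", NS):
        # "Up" and "Delete" links are navigation/logout, not readable resources.
        if link.get("Rel") == "Down":
            path = urlparse(link.get("Href")).path.rstrip("/")
            paths[path] = link.get("Type")
    return paths


def preflight(logon_xml, wanted):
    """Split the wanted API paths into (offered, missing) for this session."""
    have = advertised_paths(logon_xml)
    offered = [p for p in wanted if p in have]
    missing = [p for p in wanted if p not in have]
    return offered, missing


if __name__ == "__main__":
    # Paths mentioned in the thread.
    wanted = ["/api/reports/summary", "/api/backupServers", "/api/jobs"]
    offered, missing = preflight(SAMPLE_LOGON, wanted)
    print("session authenticated; advertised:", offered)
    print("not advertised (expect 'Access is denied'):", missing)
```

Logging the `missing` list at session start makes an entitlement difference between two environments visible without decrypting traffic.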

Re: Access denied after successful authentication

Post by aquilino »

And one more thing, this is all over an SSL session (port 9398), so a Wireshark pcap file won't be particularly useful here.

Re: Access denied after successful authentication

Post by veremin »

aquilino wrote: Note the "UserName" is provided in the reply, which we understood from the docs indicating that it understood the login credentials and successfully logged us on. Is that true, or not true?

In fact, "X-RestSvcSessionId", not the username, indicates a successful logon attempt.

Can you tell me whether a backup server is added to EM, and whether the user you're trying to use has the "portal administrator" role in EM?

Thanks.

Re: Access denied after successful authentication

Post by aquilino »

OK, more info:

We have now tried using a local account (the local "Administrator" account), and we still get the same result as reported in earlier post (tells us only "EnterpriseManager", "Reports" and "LogonSession" URLs).

We have also worked to establish a separate environment, and the logon attempt to the alternate environment _Does_ return a response that includes a longer list of URLs (including "BackupServersReferenceList", and URLs for Jobs and Tasks).

So we're trying to determine what the difference is... We're fairly confident the authentication is completing at this point, but something about the environment is causing it to only offer the limited set of URLs.

We've tried having the account set up as "Portal Administrator" and/or "Portal User". Doesn't seem to affect how it responds. (If we don't list the account with a Veeam role, it fails to authenticate.)

Re: Access denied after successful authentication

Post by veremin »

Then, I'd recommend contacting our support team and seeing whether they're able to track the difference between two instances. Thanks.

Re: Access denied after successful authentication

Post by aquilino » 1 person likes this post

We have resolved this. The issue is: When you have an Enterprise, but not an Enterprise Plus license, you only get access to Summary Reports via the RESTful XML API. Applying the license key for Enterprise Plus (and restarting the RESTful API service) gave us access to everything as documented.

Re: Access denied after successful authentication

Post by veremin »

I haven't even thought that the solution was lying on the surface and was related to usage of improper license edition. Anyway, thank you for coming back and updating the topic with the found resolution; much appreciated.