-
- Novice
- Posts: 6
- Liked: 1 time
- Joined: Sep 17, 2014 7:40 pm
- Full Name: John Aquilino
- Contact:
Access denied after successful authentication
Am building a piece of code for a client. Client has a licensed Veeam installation. Using RESTful XML API to attempt to perform queries of the server.
Authentication seems to succeed, but the sample in the 7.0 documentation shows to try to run "/api/backupServers". This returns "Access is denied". On further investigation, it appears to authorize only running "Reports" ("/api/reports/summary"). Attempts to retrieve using "/api/reports/summary" do work, but would like to use other API operations.
Is there some privilege level required/expected on the server? (We've been told the domain account we are authenticating with already has admin level access.)
Would like to use the RESTful API to query the status of jobs and tasks.
So issue is 1) we're not a licensed Veeam user as a development shop, 2) work is being done for another client, who _is_ a licensed Veeam user. Suggestions on how to go about resolving this?
-
- Product Manager
- Posts: 20406
- Liked: 2298 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: Access denied after successful authentication
Hi John, do you add the resulting X-RestSvcSessionId to the headers of subsequent requests? Also, just for the purpose of testing, can you use a different account (local admin, for instance) and see whether it makes any difference? Thanks.
-
- Novice
- Posts: 6
- Liked: 1 time
- Joined: Sep 17, 2014 7:40 pm
- Full Name: John Aquilino
- Contact:
Re: Access denied after successful authentication
On the first question, yes, seems like we wouldn't have gotten the response that indicates we can execute "/api/reports/summary" if that wasn't done right.
On the other, we'll see what we can do.
-
- Novice
- Posts: 6
- Liked: 1 time
- Joined: Sep 17, 2014 7:40 pm
- Full Name: John Aquilino
- Contact:
Re: Access denied after successful authentication
OK, more data.
When we post to "/api/sessionMngr" the user ID and credentials, we get back the following response (raw XML follows):
Code:
<?xml version="1.0" encoding="utf-8"?>
<LogonSession Type="LogonSession" Href="https://msc-lex-sm000.thinkmsc.net/api/logonSessions/[UUID removed]" xmlns="http://www.veeam.com/ent/v1.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Links>
    <Link Href="https://msc-lex-sm000.thinkmsc.net/api/" Type="EnterpriseManager" Rel="Up"/>
    <Link Href="https://msc-lex-sm000.thinkmsc.net/api/reports/summary" Name="Summary" Type="Report" Rel="Down"/>
    <Link Href="https://msc-lex-sm000.thinkmsc.net/api/logonSessions/[UUID removed]" Type="LogonSession" Rel="Delete"/>
  </Links>
  <UserName>THINKMSC\maryville_vmw.sa</UserName>
  <SessionId>[UUID removed]</SessionId>
</LogonSession>
Note the "UserName" is provided in the reply, which we understood from the docs indicating that it understood the login credentials and successfully logged us on. Is that true, or not true? We do get back a header "X-RestSvcSessionId", which is later used for requests. The statement of "only indicates we can run reports" is an assumption on our part that the "Link" element of "Type=Report" is indicating it will accept requests from us for reports. Docs have an example that also shows links for "/api/backupServers", "/api/jobs", etc. We do not see those in our login response.
Assuming we can rework the code to use an alternate account, what will that tell us? If a different account works, is it because of some access setting on the server that is not set for this account? We have not yet found documentation that helps clarify if there are any access control restriction/permission setting required for access to XML API.
Note: Text string "[UUID removed]" represents a GUID provided in the original response which we've removed for security reasons. There were 3 occurrences, and all of the same value.
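Added example, not part of any post in this thread and not Veeam's code: a small check that reads the Link elements of a LogonSession reply, which the thread uses as the indicator of what an authenticated session is offered, reports the resource types a client needs but is not offered, and diffs two environments. The host name, user and ids in the sample replies are constructed placeholders; the link types and paths are the ones quoted in the thread.

```python
import xml.etree.ElementTree as ET

NS = {"v": "http://www.veeam.com/ent/v1.0"}  # namespace used in the posted response

def advertised(logon_xml):
    """Map Link Type -> Href for the Rel="Down" links of a LogonSession reply."""
    data = logon_xml.encode("utf-8") if isinstance(logon_xml, str) else logon_xml
    root = ET.fromstring(data)
    if root.tag != "{%s}LogonSession" % NS["v"]:
        raise ValueError("not a LogonSession document")
    return {link.get("Type"): link.get("Href")
            for link in root.findall("v:Links/v:Link", NS)
            if link.get("Rel") == "Down"}

def missing_types(logon_xml, needed):
    """Resource types the client needs that this session does not advertise."""
    return sorted(set(needed) - set(advertised(logon_xml)))

def only_in_second(first_xml, second_xml):
    """Types the second environment offers that the first does not."""
    return sorted(set(advertised(second_xml)) - set(advertised(first_xml)))

# Paths quoted in the thread for each link type.
PATHS = {"Report": "reports/summary", "BackupServersReferenceList": "backupServers"}

def _sample(link_types):
    # Constructed reply shaped like the one in the post; host, user and ids are placeholders.
    base = "https://em.example.invalid:9398/api"
    links = "".join('<Link Href="%s/%s" Type="%s" Rel="Down"/>' % (base, PATHS[t], t)
                    for t in link_types)
    return ('<?xml version="1.0" encoding="utf-8"?>'
            '<LogonSession Type="LogonSession" Href="%s/logonSessions/ID" '
            'xmlns="http://www.veeam.com/ent/v1.0"><Links>'
            '<Link Href="%s/" Type="EnterpriseManager" Rel="Up"/>%s'
            '<Link Href="%s/logonSessions/ID" Type="LogonSession" Rel="Delete"/>'
            '</Links><UserName>EXAMPLE\\svc</UserName><SessionId>ID</SessionId>'
            '</LogonSession>') % (base, base, links, base)

LIMITED = _sample(["Report"])                             # like the reply in the post
FULL = _sample(["Report", "BackupServersReferenceList"])  # like the second environment

if __name__ == "__main__":
    print("missing:", missing_types(LIMITED, ["BackupServersReferenceList"]))
    print("only in second environment:", only_in_second(LIMITED, FULL))
```

Running the same check against the real logon reply before calling other endpoints separates "logon failed" from "logon succeeded but this resource is not offered to the session".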
-
- Novice
- Posts: 6
- Liked: 1 time
- Joined: Sep 17, 2014 7:40 pm
- Full Name: John Aquilino
- Contact:
Re: Access denied after successful authentication
And one more thing, this is all over an SSL session (port 9398), so a Wireshark pcap file won't be particularly useful here.
-
- Product Manager
- Posts: 20406
- Liked: 2298 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: Access denied after successful authentication
aquilino wrote: Note the "UserName" is provided in the reply, which we understood from the docs indicating that it understood the login credentials and successfully logged us on. Is that true, or not true?
In fact, "X-RestSvcSessionId", not the username, indicates a successful logon attempt.
Can you tell me whether a backup server is added to EM, and a user you're trying to use has the "portal administrator" role in EM?
Thanks.
-
- Novice
- Posts: 6
- Liked: 1 time
- Joined: Sep 17, 2014 7:40 pm
- Full Name: John Aquilino
- Contact:
Re: Access denied after successful authentication
OK, more info:
We have now tried using a local account (the local "Administrator" account), and we still get the same result as reported in earlier post (tells us only "EnterpriseManager", "Reports" and "LogonSession" url's).
We have also worked to establish a separate environment, and the logon attempt to the alternate environment _Does_ return a response that includes a longer list of url's (including "BackupServersReferenceList", and URL's for Jobs and Tasks).
So we're trying to determine what difference is... We're fairly confident the authentication is completing at this point, but something about the environment is causing it to only offer the limited set of URL's.
We've tried having the account set up as "Portal Administrator" and/or "Portal User". Doesn't seem to affect how it responds. (If we don't list the account with a Veeam role, it fails to authenticate.)
-
- Product Manager
- Posts: 20406
- Liked: 2298 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: Access denied after successful authentication
Then, I'd recommend contacting our support team and seeing whether they're able to track the difference between two instances. Thanks.
-
- Novice
- Posts: 6
- Liked: 1 time
- Joined: Sep 17, 2014 7:40 pm
- Full Name: John Aquilino
- Contact:
Re: Access denied after successful authentication
We have resolved this. The issue is: When you have an Enterprise, but not an Enterprise Plus license, you only get access to Summary Reports via the RESTful XML api. Applying the license key for Enterprise Plus (and restarting the RESTful API service) gave us access to everything as documented.
-
- Product Manager
- Posts: 20406
- Liked: 2298 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: Access denied after successful authentication
I haven't even thought that the solution was lying on the surface and was related to usage of improper license edition. Anyway, thank you for coming back and updating the topic with the found resolution; much appreciated.