/build/static/layout/Breadcrumb_cap_w.png

KACE API Access - No CSRF Token

Hi,

I am trying to access my KACE instance API for scripting purposes (such as getting a list of all our device/software/...). I'm using this page https://support.quest.com/technical-documents/kace-systems-management-appliance/12.0%20common%20documents/api-reference-guide to help me however here is my situation :

A "POST" with my username/password to http://myKACE/ams/shared/api/security/login returns HTTP 200 with the following headers : X-Kace-Authorization, X-Kace-Appliance, X-Kace-Esmp-Performance. But no "X-Kace-CSRF-Token" ! However the X-Kace-Authorization seems very promising as it contains an authentication method ("Bearer") and token... I guess I might use this for further requests but I have no information as of how I should do it.

Here are examples of responses I get with further calls :

- /api/accounts ==> 401 Unauthorized / The request has not been authenticated. Allowed secure types for the resource are: ''.

- /api/inventory/machines ==> 500 Internal Server Error / No route found for \"GET /inventory/machines\"

Could you help me with this issue ? My KACE server version is 12.1.169, without MFA.


0 Comments   [ + ] Show comments

Answers (9)

Answer Summary:
Posted by: Unsullied 1 year ago
Yellow Belt
1

Top Answer

Hi @SeRil,


I think the latest versions of the SMA utilizes JWT authentication method. Thus, you will see 'x-kace-authorization' in the header containing the bearer token. For authentication, try this:

  1. POST request to http://mykace/ams/shared/api/security/login with username and password (ensure 'Mobile Device Access' is enabled for designated/service user, Settings > Users )
    Retrieve responded header ['x-kace-authorization'] and cookies. Cookies should contain your logged session and kbox info. These are required and to be included for subsequent API calls.

  2. Try GET request to http://mykace/api/users/users/ 

    Good luck as I think this is sufficient for you to start! 
Posted by: KevinG 1 year ago
Red Belt
0

What programing language are you using to make the API calls?

Or are you using Postman?

Posted by: SeRil 1 year ago
White Belt
0

Hi ! I am using Powershell, but also a "manual" REST client called Boomerang (Chrome Extension), similar to Postman.

Posted by: SeRil 1 year ago
White Belt
0

Thank you so much for your answer, it was a huge help!

I managed to re-use the cookies, and actually got data with :

http://mykace/api/users (but not with http://mykace/api/users/users)

http://mykace/api/machines (but not with http://mykace/api/inventory/machines)

The most problematic part is that "api/machines" is indeed returning a list of machines, but I have no documentation on how to handle those. I tried following the same rules as for the theoretical "/api/inventory/machines" (from https://support.quest.com/de-de/technical-documents/kace-systems-management-appliance/12.0%20common%20documents/api-reference-guide#TOPIC-1681523), but it doesn't work the same : with "/api/machines", I can't use filters, nor append a "/{id}", it just keeps returning the same array.

The API version returned is "16". Is there any reference guide to help me somewhere ? 


Comments:
  • OK eventually a colleague of mine rolled v13 of KACE, and here I realized that I need to add a "x-kace-api-version" header to get results. The number in this header can be anything (even tried with ridiculously high numbers, it worked), but you can't enter "latest" (needs to be a number I guess).

    So everything is now working fine for me, thanks @Unsullied for your precious help. - SeRil 1 year ago
    • Kudos, glad to hear that - Unsullied 1 year ago
Posted by: clound 1 year ago
Yellow Belt
0

I trying to get api with normal /api/users/users BUT got an error 401 Unauthorized .
any suggestion ? 
wHQqK2UYhQjEQAAAABJRU5ErkJggg==



Comments:
  • Hi Clound,

    Do move all your query parameters to the headers section for the http request. Depending on your KACE SMA version, kindly refer to the KACE SMA API documentation found in quest support portal for better understanding. - Unsullied 1 year ago
Posted by: clound 1 year ago
Yellow Belt
0

with error 

errorDescription" : "Authorization tokens could not be found"

Posted by: clound 1 year ago
Yellow Belt
0

KACE SMA version 13.1 

TrOg5PtehTMAAAAASUVORK5CYII=

Posted by: GiSo 1 year ago
Yellow Belt
0

Same problem here but I think it is related to the use of 2FA.
I tried following the indications in the documentation but with no success:

When 2FA (multifactor authentication) is enabled, an additional step is required, to supply the security code after obtaining the KACE_CSRF_TOKEN. Failing to do so causes all future API calls to be invalid with an HTTP status of 401, and the following body:
{
    "errorCode": -1,
    "errorDescription": "User not fully authenticated."
}

You can supply the 2FA code through a POST request at /ams/shared/api/security/verify_2factor. For example, if the appliance name is KACE_SMA_Test, the route to supply the code is: http://KACE_SMA_Test/ams/shared/api/security/verify_2factor.

The body for the POST request must contain the current code from 2FA. For example:
{
    "currentCode" : "codefrom2fa"
}

If the code supplied Google Authenticator is 123456, you can use the following statement:
{
    "currentCode" : "123456"
}

The header for this request must contain x-kace-api-version.

When a success is received, the custom API call no longer returns the authentication error:

If the security code is valid, the API call returns the HTTP status 200, with the following body:
{    "Result": "Success" }

Once the security code is accepted, all future API calls should function as expected.

When I try to launch another post request (I'm using Postman just to learn to use Kace APIs) using same Params but only currentCode in body (raw-Json) I obtain an error:

{
    "errorCode": -1,
    "errorDescription": "Invalid API version header."
}

In all honesty I don't know what I am doing wrong. I have already checked the cookies and the header part but it is inherited from the first Put.


Comments:
  • Stupid error: I was only putting x-kace-api-version in Params but not reporting it in header. Now I was able to pass MFA authentication correctly and get the information from the API.
    I hope it will come in useful to others with the same difficulty due to distraction. - GiSo 1 year ago
Posted by: adubry 8 months ago
White Belt
0

I'm getting the same {"errorDescription" : "Authorization tokens could not be found"} response. I'm logging in with this:

curl -v -X POST "https://HOSTNAME/ams/shared/api/security/login" -H "Content-Type: application/json" -d "{\"userName\":\"MYUSER\",\"password\":\"MYPASSWORD\"}"

And I get a 200 OK response, the body being JSON describing my user. And in the header response:

x-kace-authorization: Bearer eyABIGLONGTEXTAUTHCODEGOESHERE

So then I'm using that to make a request:

curl -v -X GET "https://HOSTNAME/api/service_desk/queues/" -H "x-kace-api-version:16" -H "Accept: application/json" -H "x-kace-authorization: Bearer eyABIGLONGTEXTAUTHCODEGOESHERE"

I tried "Authorization: Bearer" and "x-kace-auth-key: Bearer" as well, but all just gave me the "Authorization tokens could not be found" 401 Unauthorized response.

And when I try: https://kace.ericksoninc.com/api/service_desk/tickets/ instead, I get:

{"errorCode":-1,"errorDescription":"No Current Organization Selected"}
So I tried passing in , \"organizationName\":\"Default\"} to the initial Login, but still get the same errors for both calls.  Am I missing something? Thanks!

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

View more:

Share

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ