KACE API Access - No CSRF Token
Hi,
I am trying to access my KACE instance API for scripting purposes (such as getting a list of all our devices/software/...). I'm using this page https://support.quest.com/technical-documents/kace-systems-management-appliance/12.0%20common%20documents/api-reference-guide to help me; however, here is my situation:
A "POST" with my username/password to http://myKACE/ams/shared/api/security/login returns HTTP 200 with the following headers: X-Kace-Authorization, X-Kace-Appliance, X-Kace-Esmp-Performance. But no "X-Kace-CSRF-Token"! However, the X-Kace-Authorization seems very promising as it contains an authentication method ("Bearer") and token... I guess I might use this for further requests but I have no information as to how I should do it.
Here are examples of responses I get with further calls :
- /api/accounts ==> 401 Unauthorized / The request has not been authenticated. Allowed secure types for the resource are: ''.
- /api/inventory/machines ==> 500 Internal Server Error / No route found for \"GET /inventory/machines\"
Could you help me with this issue? My KACE server version is 12.1.169, without MFA.
Answers (9)
Top Answer
Hi @SeRil,
I think the latest versions of the SMA utilize the JWT authentication method. Thus, you will see 'x-kace-authorization' in the header containing the bearer token. For authentication, try this:
- POST request to http://mykace/ams/shared/api/security/login with username and password (ensure 'Mobile Device Access' is enabled for the designated/service user, Settings > Users).
- Retrieve the response header ['x-kace-authorization'] and cookies. The cookies should contain your logged-in session and kbox info. These are required and must be included in subsequent API calls.
- Try a GET request to http://mykace/api/users/users/
Good luck as I think this is sufficient for you to start!
Thank you so much for your answer, it was a huge help!
I managed to re-use the cookies, and actually got data with:
- http://mykace/api/users (but not with http://mykace/api/users/users)
- http://mykace/api/machines (but not with http://mykace/api/inventory/machines)
The most problematic part is that "api/machines" is indeed returning a list of machines, but I have no documentation on how to handle those. I tried following the same rules as for the theoretical "/api/inventory/machines" (from https://support.quest.com/de-de/technical-documents/kace-systems-management-appliance/12.0%20common%20documents/api-reference-guide#TOPIC-1681523), but it doesn't work the same: with "/api/machines", I can't use filters, nor append a "/{id}", it just keeps returning the same array.
The API version returned is "16". Is there any reference guide to help me somewhere ?
Comments:
- OK, eventually a colleague of mine rolled v13 of KACE, and here I realized that I need to add a "x-kace-api-version" header to get results. The number in this header can be anything (even tried with ridiculously high numbers, it worked), but you can't enter "latest" (needs to be a number I guess). So everything is now working fine for me, thanks @Unsullied for your precious help. - SeRil 1 year ago
- Kudos, glad to hear that - Unsullied 1 year ago
I'm trying to get the API with the normal /api/users/users but got an error 401 Unauthorized.
Any suggestions?
Comments:
- Hi Clound, move all your query parameters to the headers section of the HTTP request. Depending on your KACE SMA version, kindly refer to the KACE SMA API documentation found in the Quest support portal for better understanding. - Unsullied 1 year ago
Same problem here but I think it is related to the use of 2FA.
I tried following the indications in the documentation but with no success:
When 2FA (multifactor authentication) is enabled, an additional step is required, to supply the security code after obtaining the KACE_CSRF_TOKEN. Failing to do so causes all future API calls to be invalid with an HTTP status of 401, and the following body:
{
"errorCode": -1,
"errorDescription": "User not fully authenticated."
}
You can supply the 2FA code through a POST request at /ams/shared/api/security/verify_2factor. For example, if the appliance name is KACE_SMA_Test, the route to supply the code is: http://KACE_SMA_Test/ams/shared/api/security/verify_2factor.
The body for the POST request must contain the current code from 2FA. For example:
{
"currentCode" : "codefrom2fa"
}
If the code supplied by Google Authenticator is 123456, you can use the following statement:
{
"currentCode" : "123456"
}
The header for this request must contain x-kace-api-version.
When a success is received, the custom API call no longer returns the authentication error:
If the security code is valid, the API call returns the HTTP status 200, with the following body:
{ "Result": "Success" }
Once the security code is accepted, all future API calls should function as expected.
When I try to launch another POST request (I'm using Postman just to learn to use the KACE APIs) using the same Params but only currentCode in the body (raw JSON), I obtain an error:
{
"errorCode": -1,
"errorDescription": "Invalid API version header."
}
In all honesty I don't know what I am doing wrong. I have already checked the cookies and the header part but it is inherited from the first Put.
Comments:
- Stupid error: I was only putting x-kace-api-version in Params but not reporting it in the header. Now I was able to pass MFA authentication correctly and get the information from the API. I hope it will come in useful to others with the same difficulty due to distraction. - GiSo 1 year ago
I'm getting the same {"errorDescription" : "Authorization tokens could not be found"} response. I'm logging in with this:
curl -v -X POST "https://HOSTNAME/ams/shared/api/security/login" -H "Content-Type: application/json" -d "{\"userName\":\"MYUSER\",\"password\":\"MYPASSWORD\"}"
And I get a 200 OK response, the body being JSON describing my user. And in the header response:
x-kace-authorization: Bearer eyABIGLONGTEXTAUTHCODEGOESHERE
So then I'm using that to make a request:
curl -v -X GET "https://HOSTNAME/api/service_desk/queues/" -H "x-kace-api-version:16" -H "Accept: application/json" -H "x-kace-authorization: Bearer eyABIGLONGTEXTAUTHCODEGOESHERE"
I tried "Authorization: Bearer" and "x-kace-auth-key: Bearer" as well, but all just gave me the "Authorization tokens could not be found" 401 Unauthorized response.
And when I try: https://kace.ericksoninc.com/api/service_desk/tickets/ instead, I get:
{"errorCode":-1,"errorDescription":"No Current Organization Selected"}
So I tried passing in , \"organizationName\":\"Default\"} to the initial login, but still get the same errors for both calls. Am I missing something? Thanks!
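Putting the pieces of this thread together (login, keep the cookies plus x-kace-authorization, always send x-kace-api-version, and call verify_2factor when MFA is on), here is an added Python example; it is not Quest's code nor any poster's. The transport is injectable so the client runs offline against a constructed fake appliance that returns the error bodies quoted above; the account names, the KACE_SESSION cookie name, the bearer token value and the 2FA code are constructed stand-ins, and a real run would pass a requests.Session-backed transport instead.

```python
LOGIN = "/ams/shared/api/security/login"
VERIFY = "/ams/shared/api/security/verify_2factor"

class KaceClient:  # keeps the bearer token, session cookies and api-version header together
    def __init__(self, base_url, send, api_version="16"):
        self.base_url, self.send, self.cookies = base_url, send, {}
        self.headers = {"Accept": "application/json", "x-kace-api-version": api_version}

    def call(self, method, path, body=None):
        status, hdrs, new_cookies, data = self.send(
            method, self.base_url + path, dict(self.headers), dict(self.cookies), body)
        self.cookies.update(new_cookies)  # session cookies must accompany every later call
        return status, hdrs, data

    def login(self, user, password, code=None):
        status, hdrs, data = self.call("POST", LOGIN, {"userName": user, "password": password})
        if status != 200:
            raise RuntimeError(f"login failed: {data}")
        self.headers["x-kace-authorization"] = hdrs["x-kace-authorization"]  # "Bearer <jwt>"
        if code is not None:  # second step only when MFA is enabled for the account
            status, _, data = self.call("POST", VERIFY, {"currentCode": code})
            if status != 200 or data.get("Result") != "Success":
                raise RuntimeError(f"2FA failed: {data}")
        return data

# --- constructed fake appliance reproducing the error bodies quoted in the thread ---
_sessions = {}  # session cookie -> fully authenticated? ("mfa-user" is a constructed MFA account)

def fake_appliance(method, url, headers, cookies, body):
    err = lambda code, msg: (code, {}, {}, {"errorCode": -1, "errorDescription": msg})
    path = "/" + url.split("://", 1)[1].split("/", 1)[1]
    if path == LOGIN and method == "POST":
        sid = f"sess{len(_sessions) + 1}"; _sessions[sid] = body["userName"] != "mfa-user"
        return 200, {"x-kace-authorization": "Bearer CONSTRUCTED.JWT"}, {"KACE_SESSION": sid}, {"userName": body["userName"]}
    if not headers.get("x-kace-api-version"):
        return err(401, "Invalid API version header.")
    sid = cookies.get("KACE_SESSION")
    if sid not in _sessions or "x-kace-authorization" not in headers:
        return err(401, "Authorization tokens could not be found")
    if path == VERIFY:
        if body.get("currentCode") != "123456":  # constructed code
            return err(401, "Invalid security code")
        _sessions[sid] = True
        return 200, {}, {}, {"Result": "Success"}
    if not _sessions[sid]:
        return err(401, "User not fully authenticated.")
    if path == "/api/machines":
        return 200, {}, {}, [{"id": 1, "name": "host-01"}, {"id": 2, "name": "host-02"}]
    return err(500, f'No route found for "{method} {path}"')
```

Read the credentials from the environment or a secrets store rather than the command line when adapting this, so they do not land in shell history or process listings.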