topic Re: Ticket API authentication getting 403 Forbidden in Integration, Extension & APIs

Ticket API authentication getting 403 Forbidden

Mon, 22 Aug 2016 15:18:16 GMT

Hi,

We're trying to authenticate users through the ticket API and we're getting a 403 Forbidden error. I'm really not sure where exactly might be the issue, if it's caused by Qlik not finding the user or something else.

Where can I find more information on how to fix this issue?

Here's the POST we're sending (redacted the private information).

POST https://***:4243/qps/tst/ticket?Xrfkey=0123456789abcdef

HEADERS:

X-Qlik-Xrfkey: 0123456789abcdef

Content-Type: application/json

BODY:

{

"UserDirectory": "MyDirectory",

"UserId": "myUser",

"CertificateLocation": 2,

"CertificateName": "***",

"TargetId": "6ee5fc59-8a92-481a-8108-0a4748a281a8",

"Attributes": []

}

Here's the response we're getting.

The remote server returned an error: (403) Forbidden.

Re: Ticket API authentication getting 403 Forbidden

Alexander_Thor — Tue, 23 Aug 2016 19:09:37 GMT

CertificateLocation and CertificateName in the body is not needed.

Are you signing your request with the exported certificates from Qlik Sense?

The 403 indicates that your request is not allowed, the user does not have to exist in Sense. Since you sign the request with the export certificates from Qlik Sense we will trust you and create whatever user you send in.

Re: Ticket API authentication getting 403 Forbidden

Wed, 24 Aug 2016 15:20:35 GMT

Hi Alexander,

Thanks for your help. I indeed was confused by what certificate to use to create the connection. I managed to go past the first error, but now get another error:

The request was aborted: Could not create SSL/TLS secure channel.

It's probably still linked to that certificate issue. Here's what I did to create and configure the certificate:

I went to the QMC and in the certificate tab
Clicked on the "Add machine name" and added the IP Address of my "client" server (should it be the public or private IP? Is it important? Should I put something else? Both machines are not on the same network / domain)
Added a certificate password, did not include the secret key and exported it to the Windows format
Clicked on export certificates
Took the root and client certificates from the Qlik folder and copied them to my "client" server
Installed both the root and client certificates on the server's "local machine" certificate directory

I'm then using this open source project GitHub - braathen/qlik-auth-net: ASP.NET module for simplifying custom authentication with Qlik Sense. to test. It seem to correctly sign the request using the client certificate, so I'm not really sure why I get the error message.

Could it be a configuration issue on Qlik's side?

Thanks

Re: Ticket API authentication getting 403 Forbidden

Wed, 24 Aug 2016 15:22:15 GMT

Sorry, I didn't answer to you directly, could you check my message other message in the thread?

Re: Ticket API authentication getting 403 Forbidden

Mon, 29 Aug 2016 14:51:04 GMT

OK, So I figured-out what was going on after 2 days of research. I'll give here how I managed to figure out the issue and fix it.

So, first thing the error was returned by the call to the HttpWebRequest's GetRequestStream() method. It was therefore not really linked to an issue with Qlik but to a ASP.net issue.

I've activated the logging for System.Net by adding this configuration to the web.config of my web app.

<system.diagnostics>
  <trace autoflush="true" />
  <sources>
  <source name="System.Net">
  <listeners>
  <add name="System.Net" />
  </listeners>
  </source>
  <source name="System.Net.Sockets">
  <listeners>
  <add name="System.Net" />
  </listeners>
  </source>
  <source name="System.Net.Cache">
  <listeners>
  <add name="System.Net" />
  </listeners>
  </source>
  </sources>
  <sharedListeners>
  <add
  name="System.Net"
  type="System.Diagnostics.TextWriterTraceListener"
  initializeData="System.Net.trace.log"
  />
  </sharedListeners>
  <switches>
  <add name="System.Net" value="Verbose" />
  <add name="System.Net.Sockets" value="Verbose" />
  <add name="System.Net.Cache" value="Verbose" />
  </switches>

</system.diagnostics>

This allowed me to get the real underlying issue which was : AcquireCredentialsHandle() failed with error 0X8009030D

After a little bit of Googling, I figured out that the issue was linked to the application pool in which my web app was running didn't have access to the private key of the QlikClient certificate. This is quite easy to fix.

First, you need to get to the certificate store

Open the certificates MMC.
- Open MMC
- Click File –> Add/Remove Snap-in…
- Choose Certificates and click Add
- Select Computer Account and click Finish

Then, right-click the QlikClient certificate in the certificate store and choose "All tasks -> Manage private keys.

You should have a "Windows" permission showing, you need to add the user that is running your application pool. So if your application pool is called "TestAppPool", you should add the user "IIS AppPool\TestAppPool". You can give this user only "Read" permissions and it should work.