5 Replies Latest reply: Aug 29, 2016 10:51 AM by Xavier Hahn

    Ticket API authentication getting 403 Forbidden

    Xavier Hahn

      Hi,

      We're trying to authenticate users through the ticket API and we're getting a 403 Forbidden error. I'm really not sure where exactly the issue might be, whether it's caused by Qlik not finding the user or by something else.

      Where can I find more information on how to fix this issue?

      Here's the POST we're sending (redacted the private information).

      POST https://***:4243/qps/tst/ticket?Xrfkey=0123456789abcdef
      
      HEADERS:
      X-Qlik-Xrfkey: 0123456789abcdef
      Content-Type: application/json
      
      BODY:
      {
        "UserDirectory": "MyDirectory",
        "UserId": "myUser",
        "CertificateLocation": 2,
        "CertificateName": "***",
        "TargetId": "6ee5fc59-8a92-481a-8108-0a4748a281a8",
        "Attributes": []
      }

      Here's the response we're getting.

      The remote server returned an error: (403) Forbidden.

        • Re: Ticket API authentication getting 403 Forbidden
          Alexander Karlsson

          CertificateLocation and CertificateName in the body are not needed.

          Are you signing your request with the exported certificates from Qlik Sense?

          The 403 indicates that your request is not allowed; the user does not have to exist in Sense. Since you sign the request with the exported certificates from Qlik Sense, we will trust you and create whatever user you send in.
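The request as Alexander describes it (body reduced to UserDirectory, UserId and Attributes; the call authenticated with the exported client certificate), written up as an added PowerShell example. This is not code from the thread or from Qlik: the host name qlik.example.internal is a placeholder, the port 4243 and virtual proxy prefix tst are taken from the original post, and the location of client.pfx is an assumption.

```powershell
# Added example (not from the thread or from Qlik): request a ticket from the Qlik Sense
# Proxy ticket API, authenticating the TLS connection with the exported client certificate.
# Assumptions: placeholder host name, virtual proxy prefix "tst" and port 4243 from the
# original post, client.pfx exported from the QMC at the path given below.
function Get-QlikTicket {
    param(
        [Parameter(Mandatory)][string]$ProxyHost,      # e.g. 'qlik.example.internal' (placeholder)
        [Parameter(Mandatory)][string]$UserDirectory,
        [Parameter(Mandatory)][string]$UserId,
        [string]$VirtualProxy = 'tst',
        [string]$PfxPath = 'C:\certs\client.pfx',      # assumed location of the exported PFX
        [System.Security.SecureString]$PfxPassword = (Read-Host 'PFX password' -AsSecureString)
    )

    # Older .NET Framework defaults to SSL3/TLS 1.0, which a modern proxy refuses; the
    # symptom is "Could not create SSL/TLS secure channel". Force TLS 1.2 explicitly.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    # Load the client certificate. Without a private key the TLS handshake cannot be
    # completed, so fail early with a clear message instead of a generic channel error.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $PfxPath, $PfxPassword
    if (-not $cert.HasPrivateKey) {
        throw "The PFX at '$PfxPath' carries no private key; it cannot be used for client authentication."
    }

    # The same 16-character xrfkey must appear in the query string and the X-Qlik-Xrfkey
    # header; the proxy rejects the request when they are missing or differ.
    $chars  = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    $xrfKey = -join (1..16 | ForEach-Object { $chars | Get-Random })

    # Only these three fields are needed in the body (no CertificateLocation/CertificateName).
    $body = @{
        UserDirectory = $UserDirectory
        UserId        = $UserId
        Attributes    = @()
    } | ConvertTo-Json -Compress

    $uri = "https://${ProxyHost}:4243/qps/${VirtualProxy}/ticket?xrfkey=${xrfKey}"

    # Server certificate validation is left enabled: the proxy's certificate chains to the
    # Qlik root, so root.cer must be in the client's Trusted Root store (see the steps in
    # the thread) rather than validation being switched off.
    $response = Invoke-RestMethod -Method Post -Uri $uri `
        -Headers @{ 'X-Qlik-Xrfkey' = $xrfKey } `
        -ContentType 'application/json' `
        -Body $body `
        -Certificate $cert
    return $response
}

# Usage (placeholder host): the returned object carries the one-time ticket in .Ticket.
$ticket = Get-QlikTicket -ProxyHost 'qlik.example.internal' -UserDirectory 'MyDirectory' -UserId 'myUser'
$ticket.Ticket
```

The ticket the proxy returns is consumed by redirecting the browser to the virtual proxy with it in the qlikTicket query parameter; it is single use and short lived, so treat it like a session credential and never log it.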

          • Re: Ticket API authentication getting 403 Forbidden
            Xavier Hahn

            Hi Alexander,

            Thanks for your help. I indeed was confused by what certificate to use to create the connection. I managed to get past the first error, but now get another error:

            The request was aborted: Could not create SSL/TLS secure channel.

            It's probably still linked to that certificate issue. Here's what I did to create and configure the certificate:

            1. I went to the QMC and into the certificate tab
            2. Clicked on "Add machine name" and added the IP address of my "client" server (should it be the public or private IP? Is it important? Should I put something else? Both machines are not on the same network / domain)
            3. Added a certificate password, did not include the secret key and exported it to the Windows format
            4. Clicked on export certificates
            5. Took the root and client certificates from the Qlik folder and copied them to my "client" server
            6. Installed both the root and client certificates in the server's "local machine" certificate store

            I'm then using this open source project, GitHub - braathen/qlik-auth-net: ASP.NET module for simplifying custom authentication with Qlik Sense, to test. It seems to correctly sign the request using the client certificate, so I'm not really sure why I get the error message.

            Could it be a configuration issue on Qlik's side?

            Thanks

              • Re: Ticket API authentication getting 403 Forbidden
                Xavier Hahn

                OK, so I figured out what was going on after 2 days of research. I'll describe here how I managed to figure out the issue and fix it.

                So, first thing: the error was returned by the call to the HttpWebRequest's GetRequestStream() method. It was therefore not really linked to an issue with Qlik but to an ASP.NET issue.

                I've activated the logging for System.Net by adding this configuration to the web.config of my web app.

                <system.diagnostics>
                  <trace autoflush="true" />
                  <sources>
                    <source name="System.Net">
                      <listeners>
                        <add name="System.Net" />
                      </listeners>
                    </source>
                    <source name="System.Net.Sockets">
                      <listeners>
                        <add name="System.Net" />
                      </listeners>
                    </source>
                    <source name="System.Net.Cache">
                      <listeners>
                        <add name="System.Net" />
                      </listeners>
                    </source>
                  </sources>
                  <sharedListeners>
                    <add name="System.Net"
                         type="System.Diagnostics.TextWriterTraceListener"
                         initializeData="System.Net.trace.log" />
                  </sharedListeners>
                  <switches>
                    <add name="System.Net" value="Verbose" />
                    <add name="System.Net.Sockets" value="Verbose" />
                    <add name="System.Net.Cache" value="Verbose" />
                  </switches>
                </system.diagnostics>

                This allowed me to see the real underlying issue, which was: AcquireCredentialsHandle() failed with error 0X8009030D

                After a little bit of Googling, I figured out that the issue was that the application pool in which my web app was running didn't have access to the private key of the QlikClient certificate. This is quite easy to fix.

                First, you need to get to the certificate store:

                • Open the certificates MMC.
                  • Open MMC
                  • Click File –> Add/Remove Snap-in…
                  • Choose Certificates and click Add
                  • Select Computer Account and click Finish


                Then, right-click the QlikClient certificate in the certificate store and choose "All tasks -> Manage private keys".

                A "Windows" permissions dialog should appear, and you need to add the user that is running your application pool. So if your application pool is called "TestAppPool", you should add the user "IIS AppPool\TestAppPool". You can give this user only "Read" permissions and it should work.
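The same private key permission grant done from PowerShell instead of the MMC, as an added example that is not code from the thread. It assumes the imported certificate has the subject CN=QlikClient in the LocalMachine\My store, that the application pool identity is IIS AppPool\TestAppPool, and that the key file lives under the default provider locations in %ProgramData%\Microsoft\Crypto; the script must be run from an elevated session.

```powershell
# Added example (not from the thread): grant an IIS application pool identity Read access
# to the private key of the QlikClient certificate, the PowerShell equivalent of
# "Manage private keys" in the certificates MMC.
# Assumptions: subject CN=QlikClient in Cert:\LocalMachine\My, identity IIS AppPool\TestAppPool,
# default key-file locations for the Microsoft CSP (MachineKeys) and CNG (Keys) providers.
function Grant-PrivateKeyRead {
    param(
        [Parameter(Mandatory)][string]$Subject,    # e.g. 'CN=QlikClient'
        [Parameter(Mandatory)][string]$Identity    # e.g. 'IIS AppPool\TestAppPool'
    )

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
        Select-Object -First 1
    if (-not $cert) {
        throw "No certificate with a private key for subject '$Subject' in LocalMachine\My."
    }

    # Locate the key file on disk. The provider type decides where the file is stored.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CAPI/CSP key: container name maps to a file under RSA\MachineKeys.
        $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        $keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key: the key's unique name is the file name under Crypto\Keys (assumed default provider).
        $keyName = $rsa.Key.UniqueName
        $keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
    } else {
        throw "Unsupported private key type: $($rsa.GetType().FullName)"
    }
    $keyFile = Join-Path $keyDir $keyName
    if (-not (Test-Path $keyFile)) {
        throw "Private key file not found at '$keyFile'."
    }

    # Grant Read only: the app pool needs to use the key, not export or replace it.
    $acl  = Get-Acl -Path $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl

    # Re-read the ACL and return the entries for the identity so the grant can be verified.
    return (Get-Acl -Path $keyFile).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity }
}

# Usage: run elevated; the output lists the Read entry that was just added.
Grant-PrivateKeyRead -Subject 'CN=QlikClient' -Identity 'IIS AppPool\TestAppPool' |
    Format-Table IdentityReference, FileSystemRights, AccessControlType
```

Keeping the grant to Read for the specific application pool identity (rather than Full Control, or a grant to Everyone or to IIS_IUSRS) limits what a compromised web application can do with the Qlik client key, which otherwise lets its holder mint a ticket for any user.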