jansiranikrishnan-1796 asked AndreasBaumgarten commented

Calling an Orchestrator Runbook through REST web service from a third-party application

Hi Team,

I have a set of 4 Runbooks, each of which would be called by a third-party application (Service-Now). These Runbooks are created in the Orchestrator Server. I had tested these Runbooks by calling them using PowerShell from the SCSM server, which is in the same network, and it was working perfectly. I used the "Invoke-WebRequest" command for calling and used a System account as part of the credentials (used for authentication).

When I try calling these Runbooks from Postman, which is in the same network, it is not working and I am getting the below error.

124568-image.png
124628-image.png

In fact, this is not a direct communication between SCSM/Orchestrator Server from the client network and Service-Now. We have a mid server (Azure layer) in between these two components for security purposes. Also, the mid-server is in the same client network. When the Azure team tried to post the request to the Orchestrator web-service, they are getting the same error as above.

I am wondering how it was working with PowerShell.

Any suggestions/inputs for this issue are highly appreciated.

Regards,
Jansi


msc-orchestrator

AndreasBaumgarten answered AndreasBaumgarten converted comment to answer

Hi @jansiranikrishnan-1796 ,

how do Postman and the "Azure Layer" authenticate against the Orchestrator webservice?
The user for authentication needs to have permission to connect and call things on the Orchestrator webservice.

If the authentication went wrong or the user doesn't have the permission, you get an error like the one above (401 - Unauthorized: Access is denied due to invalid credentials).


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten


Sorry Andreas for the delay in response.

I think it is not about the application, like Postman or the Azure layer. I have tried to hit the Runbook (Orch Server) from SCSM using PowerShell code (credentials are encrypted). I used Basic Auth for the authentication purpose in Postman. It was not working when I hit the Orchestrator web service from Postman, and it was working through the PowerShell code. Both are in the same network.

Any inputs on this issue?

Regards,
Jansi

AndreasBaumgarten answered AndreasBaumgarten commented

Hi @jansiranikrishnan-1796 ,

does the IIS hosting the Orchestrator accept basic authentication?
https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/basicauthentication

As I wrote before: The error message is pointing to an authentication issue. The Orchestrator webservice declined the request because of "Access denied".


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten


Hi Andreas,

Using basic authentication in Postman and making a web-service call to the Orchestrator Runbook, I was getting the "Access denied" error as shown above. But using NTLM authentication, it seems to be working and I was getting a normal response as expected. In this case, the end result was not attained (I am expecting a ticket to be created in the ITSM tool). However, the mid-server, the Azure layer, does not support NTLM authentication. So now we are left with only one option, that is to use certificate-based authentication. I am not sure how to implement certificate-based authentication in an Orchestrator Runbook. Any idea or input in this scenario is highly appreciated.

Regards,
Jansi


Hi @jansiranikrishnan-1796 ,

did you enable "Basic Authentication" for the Orchestrator Webservice in IIS, as I mentioned before?


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten


Hi Andreas,

Yes it is enabled. PFB the screenshot.
128657-image.png


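One way to check which authentication schemes the web service actually advertises, as an added example that is not part of the original thread: a request sent without credentials comes back as a 401 whose WWW-Authenticate headers name the schemes IIS will accept. The function names, the sample header values and the URL are assumptions made for this example.

```powershell
# Added example, not code from the thread.
# Works in Windows PowerShell 5.1 and PowerShell 7.
Add-Type -AssemblyName System.Net.Http

function Get-OfferedAuthScheme {
    # Sends one GET with no credentials and returns the status code plus the
    # schemes named in the WWW-Authenticate challenge (empty if none is sent).
    param([Parameter(Mandatory)][string]$Uri)

    $handler = New-Object System.Net.Http.HttpClientHandler
    $handler.UseDefaultCredentials = $false   # never send the logged-on user's identity
    $handler.AllowAutoRedirect     = $false   # inspect the first response only
    $client = New-Object System.Net.Http.HttpClient($handler)
    try {
        $response = $client.GetAsync($Uri).GetAwaiter().GetResult()
        [pscustomobject]@{
            StatusCode = [int]$response.StatusCode
            Schemes    = @($response.Headers.WwwAuthenticate |
                           ForEach-Object { $_.Scheme })
        }
    }
    finally { $client.Dispose() }
}

function Test-ClientSchemeOffered {
    # True when the scheme the client is configured to send appears in the
    # server's challenge list (-contains compares case-insensitively).
    param([string[]]$Offered, [string]$ClientScheme)
    return [bool]($Offered -contains $ClientScheme)
}

# Constructed sample (not output from the thread's server): a challenge that
# lists only the integrated Windows schemes.
$sampleChallenge = 'Negotiate', 'NTLM'
foreach ($scheme in 'Basic', 'NTLM') {
    $offered = Test-ClientSchemeOffered -Offered $sampleChallenge -ClientScheme $scheme
    '{0,-6} offered by server: {1}' -f $scheme, $offered
}

# Live check against your own endpoint (placeholder URL, replace before running):
# $probe = Get-OfferedAuthScheme -Uri 'https://orchestrator.example/PLACEHOLDER-path'
# $probe.StatusCode; $probe.Schemes
```

If `Basic` is missing from the returned list, a client that sends only a Basic `Authorization` header gets a 401 even with a valid account, while `Invoke-WebRequest -Credential` can still succeed because it answers an NTLM or Negotiate challenge. When Basic is enabled, use it over HTTPS only, since the header carries the password in reversible Base64.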