Unable to configure OS User Authentication with Cyber Ark VBO
13-04-22 03:51 PM
I downloaded the below DX asset and tried to access the Cyber Ark safe from Blue Prism, and it worked fine as long as user-level restriction was not applied at the Cyber Ark end.
Once the Cyber Ark team enabled user whitelisting, this particular asset stopped working and returned the error:
Exception encountered while sending request
The remote server returned an error: (500) Internal Server Error
We were provided with a couple of steps that were required to be added in the code stages in order to make OS user authentication work. However, we got the same error again.
The following were the steps:
request.PreAuthenticate = true;
- and/or
request.Credentials = CredentialCache.DefaultNetworkCredentials;
Has anyone else faced a similar issue while setting up OS-level user authentication?
------------------------------
Udit Khanna
------------------------------
13-04-22 04:29 PM
I haven't used Cyber Ark before. But usually, when you get a 500 HTTP error, the problem is in the server that you call, not in the client. If you are failing with the authentication you will get a 401 Unauthorized error or a 403 Forbidden error.
Did you check whether you have any issue on the server, or whether it is responding well? Another test that you can make is to call the service with an external tool like SoapUI or Postman.
Hope this helps you.
See you in the Community, bye :)
------------------------------
Pablo Sarabia
Architect
Altamira Assets Management
Madrid
------------------------------
13-04-22 08:26 PM
Here are a few questions:
1. Are you making the call via SOAP or REST?
2. Are you able to call the CyberArk endpoint successfully outside of Blue Prism? (e.g. Postman)
3. Can you share an example of the error response you are receiving from CyberArk?
As Pablo mentioned, a 500 error would be a problem within CyberArk. But if the error is in the 400 range, then it is more likely a problem with how the authentication is being formed in the request coming out of Blue Prism. The integration has an output parameter that will contain the Request Data - that may help us troubleshoot if we can see what the request looks like.
------------------------------
Charlie Kovacs
Sr. Digital Exchange Engineer
Blue Prism
Austin, USA
------------------------------
14-04-22 10:20 AM
1. SOAP
2. Yes
3. The remote server returned an error: (500) Internal Server Error
Value of Request Data :
URL: "CyberArk URL"
Method: POST
Timeout: 10000
Header: Content-Type: text/xml
Header: Host: "Host Name"
XML Body:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="https://tempuri.org/">
<soapenv:Header/>
<soapenv:Body>
<tem:GetPassword>
<tem:passwordWSRequest>
<tem:AppID>"Added APP ID Here"</tem:AppID>
<tem:Safe>"Added SAFE Here"</tem:Safe>
<tem:Folder>Root</tem:Folder>
<tem:Object>"Added object Query here"</tem:Object>
<tem:Username>"added username here"</tem:Username>
<tem:Address>.*</tem:Address>
<tem:PolicyID>"added policy id here"</tem:PolicyID>
<tem:ConnectionTimeout>30</tem:ConnectionTimeout>
<tem:Query>"Added object Query here"</tem:Query>
<tem:QueryFormat>Regexp</tem:QueryFormat>
<tem:Database>blueprism</tem:Database>
------------------------------
Udit Khanna
------------------------------
14-04-22 10:50 AM
I'm totally sure that the problem is in the service that you are calling and not in the Blue Prism part.
Just to go one step back... Can you try to access the service using a common browser? (No need to send anything, just to check what happens.) If you get an "Internal Application Error", you must review this part first. (Maybe you are missing some IIS configuration, or there is an error with the service configuration.)
Bye :)
------------------------------
Pablo Sarabia
Architect
Altamira Assets Management
Madrid
------------------------------
14-04-22 11:46 AM
This is the endpoint output. Blue Prism is able to connect to CyberArk as long as CyberArk doesn't apply user-level restriction. Once they apply user restriction, the internal server 500 is thrown at the BP end.
Thanks
Sandeep S
------------------------------
Sandeep Satish
Asia/Kolkata
------------------------------
14-04-22 03:37 PM
So we can assume the Digital Worker is running under a proper Active Directory user account, since you're basically trying to utilize SSO here?
Cheers,
------------------------------
Eric Wilson
Director, Integrations and Enablement
Blue Prism Digital Exchange
------------------------------
15-04-22 01:22 PM
------------------------------
Sandeep Satish
Asia/Kolkata
------------------------------
16-04-22 01:29 PM
@UditKhanna, @Sandeep Satish,
As both Pablo and Charlie have mentioned, the HTTP 500 error is indicative of an issue on the server side.
The example code Udit provided in the original post is a valid example of how to associate the logged-in user's credentials with the request, although I'm not sure if pre-auth is really required.
I'd suggest working with your CyberArk administrator, and see if they can review the server-side logs to ascertain the nature of the HTTP 500 response.
Cheers,
------------------------------
Eric Wilson
Director, Integrations and Enablement
Blue Prism Digital Exchange
------------------------------
20-04-22 06:06 PM
"[19/04/2022 | 12:11:37] | :: | APPAU005I Provider Prov_name has successfully fetched password [safe=Safe_Id] with query [Object=Object_Id] for application [App_Id] for IP address [Ip_address]. Fetch reason: []"
"[19/04/2022 | 12:25:40] | :: | APPAU006E Provider Prov_name has failed to fetch password with query [Object=Object_Id] for application [App_Id] for IP address [Ip_Address]. Fetch reason: []. Failure reason: [APPAP306E Authentication error for App ID [App_Id]. Reason: APPAP133E Failed to verify application authentication data: OSUser " "
------------------------------
Udit Khanna
------------------------------
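
Added example (not part of any post in this thread, and not CyberArk or Blue Prism code): a Python sketch that triages provider log lines of the shape quoted in the last post, extracting the nested error-code chain and the authentication method that failed verification, so the HTTP 500 seen by the client can be matched to its server-side cause. The sample lines reuse the thread's redacted placeholders; treating a trailing `E` on the event code as a failure marker is an assumption based on those two lines.

```python
import re
from collections import Counter

# Constructed sample: the two provider log lines quoted in the thread,
# with the poster's redaction placeholders left in place.
SAMPLE_LOG = [
    '[19/04/2022 | 12:11:37] | :: | APPAU005I Provider Prov_name has successfully fetched password [safe=Safe_Id] with query [Object=Object_Id] for application [App_Id] for IP address [Ip_address]. Fetch reason: []',
    '[19/04/2022 | 12:25:40] | :: | APPAU006E Provider Prov_name has failed to fetch password with query [Object=Object_Id] for application [App_Id] for IP address [Ip_Address]. Fetch reason: []. Failure reason: [APPAP306E Authentication error for App ID [App_Id]. Reason: APPAP133E Failed to verify application authentication data: OSUser " "',
]

CODE = r"[A-Z]{5}\d{3}[A-Z]"  # shape of the event/error codes seen in the thread
LINE_RE = re.compile(r'^"?\[(?P<date>[^|\]]+?)\s*\|\s*(?P<time>[^\]]+?)\]\s*\|\s*::\s*\|\s*'
                     r"(?P<code>" + CODE + r")\s+(?P<msg>.*)$")
APP_RE = re.compile(r"for application \[([^\]]*)\]")
IP_RE = re.compile(r"for IP address \[([^\]]*)\]")
AUTH_RE = re.compile(r"Failed to verify application authentication data: (\w+)")

def _first(rx, text):
    m = rx.search(text)
    return m.group(1) if m else None

def parse_line(line):
    """Return a dict for one provider log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    return {
        "when": f"{m.group('date')} {m.group('time')}",
        "event": m.group("code"),
        # Assumption: a trailing 'E' marks an error event, 'I' an informational one.
        "failed": m.group("code").endswith("E"),
        "app": _first(APP_RE, msg),
        "ip": _first(IP_RE, msg),
        "chain": re.findall(CODE, msg),       # nested error codes, outermost first
        "auth_method": _first(AUTH_RE, msg),  # e.g. the OSUser check that was rejected
    }

def triage(lines):
    """Count failed fetches per (application, source IP, rejected auth method)."""
    hits = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["failed"]:
            hits[(rec["app"], rec["ip"], rec["auth_method"])] += 1
    return dict(hits)

if __name__ == "__main__":
    for key, count in triage(SAMPLE_LOG).items():
        print(count, "failed fetch(es):", key)
```
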