
Unable to configure OS User Authentication with Cyber Ark VBO

UditKhanna
Level 3
Hi,

I downloaded the below DX asset and tried to access the Cyber Ark safe from Blue Prism, and it worked fine as long as user-level restriction was not applied at the Cyber Ark end.

Once the Cyber Ark team enabled user whitelisting, this particular asset stopped working and returned the error:
Exception encountered while sending request
The remote server returned an error: (500) Internal Server Error

We were provided with a couple of steps that were required to be added in the code stages in order to make OS user authentication work. However, we got the same error again.

Following were the steps:

  • request.PreAuthenticate = true; 
  • and/or request.Credentials = CredentialCache.DefaultNetworkCredentials;

Has anyone else faced a similar issue while setting up OS-level user authentication?




------------------------------
Udit Khanna
------------------------------
17 REPLIES 17

PabloSarabia
Level 11
Hi @UditKhanna

I didn't use Cyber Ark before. But usually, when you get a 500 HTTP error, the problem is in the server that you call, not in the client. If you are failing with the authentication, you will get a 401 Unauthorized error or a 403 Forbidden error.

Did you check whether you have any issue in the server, or whether it is responding well? Another test that you can make is to call the service with an external tool like SoapUI or Postman.


Hope this helps you.

See you in the Community, bye :)

------------------------------
Pablo Sarabia
Architect
Altamira Assets Management
Madrid
------------------------------

Hi Udit,

Here are a few questions:
1. Are you making the call via SOAP? or REST?
2. Are you able to call the CyberArk endpoint successfully outside of Blue Prism? (eg. Postman)
3. Can you share an example of the error response you are receiving from CyberArk?

As Pablo mentioned, a 500 error would be a problem within CyberArk. But if the error is in the 400 range, then it is more likely a problem with how the authentication is being formed in the request coming out of Blue Prism. The integration has an output parameter that will contain the Request Data - that may help us troubleshoot if we can see what the request looks like.

------------------------------
Charlie Kovacs
Sr. Digital Exchange Engineer
Blue Prism
Austin, USA
------------------------------

Thanks for the reply @charliekovacs. Following are the required answers:

1. SOAP
2. Yes
3. The remote server returned an error: (500) Internal Server Error

Value of Request Data:
URL: "CyberArk URL"

Method: POST
Timeout: 10000
Header: Content-Type: text/xml
Header: Host: "Host Name"

XML Body:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="https://tempuri.org/">
<soapenv:Header/>
<soapenv:Body>
<tem:GetPassword>
<tem:passwordWSRequest>
<tem:AppID>"Added APP ID Here"</tem:AppID>
<tem:Safe>"Added SAFE Here"</tem:Safe>
<tem:Folder>Root</tem:Folder>
<tem:Object>"Added object Query here"</tem:Object>
<tem:Username>"added username here"</tem:Username>
<tem:Address>.*</tem:Address>
<tem:PolicyID>"added policy id here"</tem:PolicyID>
<tem:ConnectionTimeout>30</tem:ConnectionTimeout>
<tem:Query>"Added object Query here"</tem:Query>
<tem:QueryFormat>Regexp</tem:QueryFormat>
<tem:Database>blueprism</tem:Database>

------------------------------
Udit Khanna
------------------------------

Hi @UditKhanna

I'm totally sure that the problem is in the Service that you are calling and not in the Blue Prism part.

Just to go one step back... Can you try to access the service using a common browser? (No need to send anything, just to check what happens.) If you get an "Internal Application Error", you must review this part first. (Maybe you are missing some IIS configuration, or it is an error with the Service configuration.)


Bye :)​

------------------------------
Pablo Sarabia
Architect
Altamira Assets Management
Madrid
------------------------------

Hi Pablo,
This is the endpoint output. Blue Prism is able to connect to CyberArk as long as CyberArk doesn't apply user-level restriction. Once they apply user restriction, the internal server 500 is thrown at the BP end.

26558.png


Thanks
Sandeep S

------------------------------
Sandeep Satish
Asia/Kolkata
------------------------------

@UditKhanna, @Sandeep Satish,

So we can assume the Digital Worker is running under a proper Active Directory user account, since you're basically trying to utilize SSO here?

Cheers,
​​

------------------------------
Eric Wilson
Director, Integrations and Enablement
Blue Prism Digital Exchange
------------------------------

Hi, yes. The VM server (Digital Worker) is logged in with an actual AD user.

------------------------------
Sandeep Satish
Asia/Kolkata
------------------------------

@UditKhanna, @Sandeep Satish,

As both Pablo and Charlie have mentioned, the HTTP 500 error is indicative of an issue on the server side. 

The example code Udit provided in the original post is a valid example of how to associate the logged-in user's credentials with the request, although I'm not sure if pre-auth is really required.

I'd suggest working with your CyberArk administrator, and see if they can review the server-side logs to ascertain the nature of the HTTP 500 response.

Cheers,



------------------------------
Eric Wilson
Director, Integrations and Enablement
Blue Prism Digital Exchange
------------------------------
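
The two settings from the original post, placed in a complete request that also keeps the body of an HTTP 500 reply, as an added example that is not part of the thread or of the DX asset. The class and method names are hypothetical, and the URL and envelope are whatever the asset already sends. SOAP 1.1 services report faults with status 500, so the body, when the service returns one, carries the fault text that "(500) Internal Server Error" hides.

```csharp
using System.IO;
using System.Net;
using System.Text;

static class AimSoapClient // hypothetical name, not from the DX asset
{
    // POSTs the envelope as the logged-on Windows user and returns the response
    // body together with its status, including for an HTTP 500 reply.
    public static string Post(string url, string envelope, out HttpStatusCode status)
    {
        var request = (HttpWebRequest)WebRequest.Create(url);
        request.Method = "POST";
        request.ContentType = "text/xml";   // as in the posted Request Data
        request.Timeout = 10000;            // as in the posted Request Data

        // .NET sends these credentials only in answer to a 401 challenge
        // (Negotiate/NTLM). If the server accepts the request without
        // challenging, no user identity travels with it.
        request.Credentials = CredentialCache.DefaultNetworkCredentials;
        // Affects later requests to the same URI, not the first one.
        request.PreAuthenticate = true;

        byte[] payload = Encoding.UTF8.GetBytes(envelope);
        request.ContentLength = payload.Length;
        using (Stream body = request.GetRequestStream())
            body.Write(payload, 0, payload.Length);

        try
        {
            using (var ok = (HttpWebResponse)request.GetResponse())
                return Read(ok, out status);
        }
        catch (WebException ex)
        {
            // Non-2xx replies surface as WebException; the reply is in ex.Response.
            var failed = ex.Response as HttpWebResponse;
            if (failed == null) throw;      // timeout, DNS, TLS: no reply to read
            using (failed)
                return Read(failed, out status);
        }
    }

    static string Read(HttpWebResponse response, out HttpStatusCode status)
    {
        status = response.StatusCode;
        using (var reader = new StreamReader(response.GetResponseStream(), Encoding.UTF8))
            return reader.ReadToEnd();
    }
}
```

Writing the returned status and body to a Blue Prism output parameter gives the CyberArk administrator the exact reply to match against the server-side log entry for the same timestamp.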

Hi @PabloSarabia @Eric Wilson,

We worked with Cyber Ark and we were able to fetch the server logs when the request is made.
Following is the log when the user level restrictions are not applied at the Cyber Ark end:
Good fetch logs
"[19/04/2022 | 12:11:37] | :: | APPAU005I Provider Prov_name has successfully fetched password [safe=Safe_Id] with query [Object=Object_Id] for application [App_Id] for IP address [Ip_address]. Fetch reason: []"
 
This call works fine without any error. However, when the user-level restrictions are applied, it is not able to get the OS User, and the OS User value is empty. Below are the logs when we get an error while making the call:
 
Bad fetch logs
"[19/04/2022 | 12:25:40] | :: | APPAU006E Provider Prov_name has failed to fetch password with query [Object=Object_Id] for application [App_Id] for IP address [Ip_Address]. Fetch reason: []. Failure reason: [APPAP306E Authentication error for App ID [App_Id]. Reason: APPAP133E Failed to verify application authentication data: OSUser " "
 
​​


------------------------------
Udit Khanna
------------------------------