
Unable to configure OS User Authentication with CyberArk VBO

UditKhanna
Level 3
Hi,

I downloaded the below DX asset and tried to access the CyberArk safe from Blue Prism, and it worked fine as long as user-level restriction was not applied at the CyberArk end.

Once the CyberArk team enabled user whitelisting, this particular asset stopped working and returned the error:
Exception encountered while sending request
The remote server returned an error: (500) Internal Server Error

We were provided with a couple of steps that were required to be added in the code stages in order to make OS user authentication work. However, we got the same error again.

Following were the steps:

  • request.PreAuthenticate = true; 
  • and/or request.Credentials = CredentialCache.DefaultNetworkCredentials;

Has anyone else faced a similar issue while setting up OS-level user authentication?




------------------------------
Udit Khanna
------------------------------

Udit,

Do you see a difference if you try to manually set the Windows credential in the CyberArk VBO code stage? The line would look something like this, replacing username, password, and domain (optional) with actual credential values for your environment:
request.Credentials = new NetworkCredential("username", "password", "domain");

If that does not work, I would question if the Windows credentials are getting dropped somewhere in IIS on the CyberArk side.

------------------------------
Charlie Kovacs
Sr. Digital Exchange Engineer
Blue Prism
Austin, USA
------------------------------
Charlie Kovacs

Hi @charliekovacs, there is no difference when we try to manually set the Windows credential in the CyberArk VBO code stage. We tried the above solution and got the same Internal Server Error.

Following were the server logs we received from CyberArk when we sent the request:

"[10/05/2022 | 10:40:42] | :: | APPAU006E Provider Prov_name has failed to fetch password with query [Object=Object_Id] for application [App_Id] for IP address [Ip_Address]. Fetch reason: []. Failure reason: [APPAP306E Authentication error for App ID [App_Id]. Reason: APPAP133E Failed to verify application authentication data: OSUser " "

We have an ongoing case with CyberArk to check if the Windows credentials are getting dropped somewhere in IIS on the CyberArk side. Will get back with updates regarding it as well.

Thank You.




------------------------------
Udit Khanna
------------------------------

Hi @Charlie Kovacs, do you have any findings from the below logs as shared by @UditKhanna? Please let us know if any further inputs are needed from our end for further analysis.

Thanks,
Manav Singla

------------------------------
manav Singla
------------------------------

Hi Manav,

I think it will be important to determine if the credentials are being received in IIS on the CyberArk side.

This article from CyberArk might be of use:
https://cyberark-customers.force.com/s/article/How-Does-OS-User-Application-authentication-work-with-the-Central-Credential-Provider

------------------------------
Charlie Kovacs
Sr. Digital Exchange Engineer
Blue Prism
Austin, USA
------------------------------
Charlie Kovacs

Hi @Charlie Kovacs,

Do you have any workaround or procedure so that we can find if the credentials are being received in IIS on the CyberArk side or not?

Thanks,
Manav


------------------------------
manav Singla
------------------------------

Hi @Charlie Kovacs,

Do you have any workaround on how we can check if the credentials are being received in IIS on the CyberArk side or not?

Thanks,
Manav


------------------------------
manav Singla
------------------------------

*edit* removing double post
Charlie Kovacs

Manav,

I presume CyberArk will have the best advice for capturing that sort of information. I did find this article from CyberArk about gathering logs:
https://cyberark-customers.force.com/s/article/Enable-Debugging-and-Gather-Logs-Central-Credential-Provider

Aside from that, a tool like Fiddler can capture real time requests. IIS should produce some logging for each hosted site, and Event Viewer often captures some information as well.

The CyberArk article I shared in my previous reply indicates some requirements in IIS around Windows Authentication. It would be important to verify if that is configured properly. It claims request.UseDefaultCredentials is the only property needed to authenticate a request coming out of a .NET environment, so Blue Prism should be capable of sending a well-formed request. Whether that request is being handled in IIS appropriately with regard to Windows Authentication configuration could be the area to investigate.
https://cyberark-customers.force.com/s/article/How-Does-OS-User-Application-authentication-work-with-the-Central-Credential-Provider

------------------------------
Charlie Kovacs
Sr. Digital Exchange Engineer
Blue Prism
Austin, USA
------------------------------
Charlie Kovacs
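
A client-side check for the situation discussed in this thread, added here as an example (it is not code from the thread, from Blue Prism, or from the CyberArk VBO): it prints the Windows identity that request.UseDefaultCredentials will present and, instead of stopping at the bare (500) exception text, reads the status, challenge header and body the server actually returned. The class name and the URL are hypothetical placeholders; run it as the same Windows account that runs the Blue Prism process.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Principal;

static class OsUserAuthProbe
{
    // Hypothetical placeholder: substitute the exact URL the VBO code stage already builds.
    const string Url = "https://ccp.example.internal/PLACEHOLDER-PATH?AppID=App_Id&Object=Object_Id";

    static void Main()
    {
        // OS user authentication is tied to the account running this process,
        // so confirm it is the account that was whitelisted for the application.
        Console.WriteLine("Process identity: " + WindowsIdentity.GetCurrent().Name);

        var request = (HttpWebRequest)WebRequest.Create(Url);
        // Send the logged-on account's credentials when the server asks for Windows authentication.
        request.UseDefaultCredentials = true;

        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
            using (var reader = new StreamReader(response.GetResponseStream()))
            {
                Console.WriteLine("HTTP " + (int)response.StatusCode);
                // A successful body may contain the secret, so report only its size.
                Console.WriteLine("Body length: " + reader.ReadToEnd().Length);
            }
        }
        catch (WebException ex)
        {
            var error = ex.Response as HttpWebResponse;
            if (error == null)
            {
                // No HTTP response at all (DNS, TLS, timeout): not an authentication problem.
                Console.WriteLine("No HTTP response: " + ex.Status);
                return;
            }
            Console.WriteLine("HTTP " + (int)error.StatusCode + " " + error.StatusDescription);
            // A final 401 lists the schemes the server offers; absent on a 500.
            Console.WriteLine("WWW-Authenticate: " + (error.Headers["WWW-Authenticate"] ?? "(none)"));
            using (var reader = new StreamReader(error.GetResponseStream()))
                Console.WriteLine("Error body: " + reader.ReadToEnd());
        }
    }
}
```

Compare the printed identity and the timestamp of the failed call with the OSUser value in the provider log and with the username field of the matching IIS log entry.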