Status: Open This question has been answered.
Status: Answered This question has been answered.
Status: Closed This question has been answered.
Status: Duplicate This question has been answered.

Random REST 401 Errors

0
Posted Mar 18 by Brandon Lucas.

Hi -

I am working on a custom application to post documents from our scanning client to OpenText using the REST API. We have previously used only POSTMAN to do this and have had great success. With our app, we are finding that we receive what seem like totally random 401 errors. Our calls do work on occasion, with no changes. For example, if we post a document from our scanning client, it might work the first time, or it might fail with a 401 error, and then if we re-try the post a few times, it will work successfully.

I have no idea how to troubleshoot this. What information can I provide that would be of help? I have captured CS logs when this occurs. Would it be better to open a ticket?

24 Answers

0
BEST ANSWER: As chosen by the author.

Hi Brandon,

Are you using content server 10 or 10.5?

Is your auth against otds if yes what patch ?

Thanks

Simon


0
BEST ANSWER: As chosen by the author.

Honestly, we are behind on OTDS a bit. We're on OTDS 10.5.0 - version 10.5.0.581.

CS 10.5 - 2014-09


0
BEST ANSWER: As chosen by the author.

How do you authenticate? Are you exchanging the OTDSTicket for OTCSTicket?

Every CS REST API call returns a fresh ticket in the OTCSTicket response header. If your application is running longer, it should save the new ticket and use it to authorize the next call(s) by putting it into the OTCSTicket request header. This is to prevent OTDSTicket/OTCSTicket expiration problem, or to allow working with the only once usable OTDS tickets.


0
BEST ANSWER: As chosen by the author.

We use network credentials to authenticate and gather an OTCSTicket. And then we request one token and we use that token to do all of the work in separate REST calls (posting the document, applying the category, and posting the metadata/populating the category). We have tried requesting a new token before each step, but that doesn’t help either. The OTCSTicket header is applied to each call. WHEN it works, it takes a matter of 3-5 seconds to do it all of it, so latency isn’t a problem.


0
BEST ANSWER: As chosen by the author.

Do you have a loadbalancer before the farm of the CS front-ends? If the CS authentication cookie is bound to the client IP, the load balancer must ensure, that one client goes on communicating with the initially responding server. The cookie settings in the CS administration is shared with the OTCSTicket settings.


0
BEST ANSWER: As chosen by the author.

No load balancer in play here. We're hitting the same web server on every call. Would a fiddler trace provide more detail?


0
BEST ANSWER: As chosen by the author.

It might. At least we would see the URLs and the request headers to check that the client really sends correct requests. Then we would "blame the server" :-)


0
BEST ANSWER: As chosen by the author.

Is there a better way for me to provide that and/or Content Server logs than linking them in this forum?

There could be somewhat sensitive data in the log files (server names and so on).


0
BEST ANSWER: As chosen by the author.

I think that you should open a support case with the OT customer support to get this analyzed further.


0
BEST ANSWER: As chosen by the author.

Ticket # 2317864 submitted


0
BEST ANSWER: As chosen by the author.

Did you try increasing your cookie timeout in CS?


0
BEST ANSWER: As chosen by the author.

Here is the response from support:

Hi Brandon,

Unfortunately Support is currently not equipped to handle REST API tickets and there has been an internal miscommunication about this.
Please continue to use the FORUM for troubleshooting this issue.

Regards,

James Cannell
Principal Technical Analyst
OpenText Support Team
For further information see
http://support.opentext.com

Louis, no I did not. I will take a closer look at that. However, these transactions occur in a number of seconds.


0
BEST ANSWER: As chosen by the author.

Hi Brandon,

I agree with both James and Louis. In general, 401 means that the token/cookie that you currently have is no longer usable. This is assuming that you have already authenticated. First thing is to increase the cookie settings like Louis suggested. Look in the admin.index pages, under 'Server Configuration > Security Settings', you will find several timeout settings. In your case, I would first set it to never expire. Once you have set the cookie to never expire, see if you can reproduce the issue.

The other possibility is that there is a time difference between your Server and Client. However, you will need to first verify if setting your cookie to never expire works.

Tegards,

Jerome


0
BEST ANSWER: As chosen by the author.

Is it possible that you paste the most important pieces of your code here, so that we could have a look at it?


0
BEST ANSWER: As chosen by the author.

I just checked our security settings. The only setting we have set to expire currently is "Log-in Cookie Expiration Date" and it is at 8 days. I don't think that is our problem here.

We have not been able to repro this problem using POSTMAN in Google Chrome. I really think it may be something we are doing in our code. I will see if I can post some of that as Ferdinand asked.


0
BEST ANSWER: As chosen by the author.

We're not comfortable displaying the complete code here, but here is a snippet of what we're doing and some pseudocode.. perhaps this will point us in the right direction:

'Setup Request
_httpWebRequest = DirectCast(WebRequest.Create(_url.ToString), HttpWebRequest)
With _httpWebRequest
    .Method = "POST"
    .KeepAlive = True
    .ContentType = "multipart/form-data; boundary=" + _strBoundary
    .Headers.Add("OTCSTICKET", strToken)
    .Accept = "*/*"
    .Credentials = New NetworkCredential(UserID, Password)
End With

'Then we setup the call with file the type, parent_id, name, filename, and file binary (this has been excluded for privacy matters)

'Get the Response
_webResponse = _httpWebRequest.GetResponse

0
BEST ANSWER: As chosen by the author.

You should first check if every request really contains the OTCSTicket header by some snoffer like Fiddler or Wireshark.

Do you need to set the .Credentials? The virtual directory behind the CS CGI URL should have the anonymous access enabled.

.Credentials = New NetworkCredential(UserID, Password)

The CS REST API does not support the Windows Authentication; you always need some authentication header supported by the llserver and not only by the web server. This is enough for the authorization:

.Headers.Add("OTCSTICKET", strToken)

If IIS evaluated the Windows Authentication and if it was unreliable, the IIS could respond wit the 401 instead passing the call to the llserver. But I speculate here and I am not sure if this would be possible.


0
BEST ANSWER: As chosen by the author.

Here is an example of what I have done with C# if you are using Internal CS Authentication:

       //example : http://<<server name>>:port/<<path>>/api/<<version>>/auth
        string contentURL = _BaseURL + "/api/" + _Version + "/auth";
        string payload =  "username=" + _username + "&password=" + _password;
        byte[] byteArray = Encoding.UTF8.GetBytes(payload);
        var request = (HttpWebRequest)HttpWebRequest.Create(contentURL);

        request.Method = "POST";            
        request.ContentType = "application/x-www-form-urlencoded";
        request.ContentLength = byteArray.Length;

        Console.WriteLine("Authenticating to " + _BaseURL);
        CookieContainer cookieContainer = new CookieContainer();
        request.Credentials = CredentialCache.DefaultCredentials;

        // send payload data to server
        using (var stream = request.GetRequestStream())
        {
            stream.Write(byteArray, 0, byteArray.Length);
        }

        //get HTTP response
        using (var response = (HttpWebResponse)request.GetResponse())
        {
            var responseValue = string.Empty;
            if (response.StatusCode != HttpStatusCode.OK)
            {
                var message = String.Format("Request failed. Received HTTP {0}", response.StatusCode);
                throw new ApplicationException(message);
            }

            // Grab token to use in next call
            String responseString = new StreamReader(response.GetResponseStream()).ReadToEnd();
            responseString = responseString.Trim('{', '}');
            string [] split = responseString.Split(':');
            _otsctoken = split[1].Trim('"');
        }

This is one of many methods that could be used to extract the token. There are more elagant ways to get the token once you recieve the response, but this does the jobs for the momment.


0
BEST ANSWER: As chosen by the author.

We turned on the passing of the windows auth string to try to fix the 401 errors. Previously we were only passing OTCSTICKET.

The OTCS directory (corresponds to cgi dir on the file system) is currently only set up with Windows Authentication enabled. Anonymous, ASP.NET and Forms are all disabled.

I turned on Anonymous authentication as you suggested, but that breaks single sign on for our users. Also, it does not appear to fix our 401 issues during REST calls.


0
BEST ANSWER: As chosen by the author.

Ferdinand or any other OpenText employee, do you have a private email address where I could just send you all of our code? I don't want to post it here but would be willing to share it privately.


0
BEST ANSWER: As chosen by the author.

Your authentication code does not handle the JSON response in general, but it should work well with the released CS. You should URL-encode the username and password. You do not need the CookieContainer; CS REST API uses no cookies.

If you need IWA on your current CS CGI URL, you should create other virtual directory with anonymous access for the REST API. The REST client may not always run in a Windows session. Then you would not need setting the request.Credential either.

Right now, I am not able to work on this more than occasionally posting to the forum. I am sorry. But before sharing more code, I would try to check if it is a client or server problem. Did you check the REST API requests by Fiddler or Wireshark that the OTCSTicket header is correctly transferred in every call?


0
BEST ANSWER: As chosen by the author.

We ended up figuring out there was an encoding problem in our app. OTCSTICKET values that included things like '' were causing issues.

We were able to confirm using another application that there was no OpenText problem.


0
BEST ANSWER: As chosen by the author.

Hi Jerome,
i trust you are doing wel. for one of the customer i need to use c#.net web services along with Restapi to populate categories metadata and upload document. do you have some sample for populating or fetching node categories…


0
BEST ANSWER: As chosen by the author.

Dear Kumar,

As this is a new question, could you please start a new thread for your question above? I am sure this will help to get an answer.

Many thanks!


 You have subscribed and will receive email notifications of updates to this topic. To unsubscribe, uncheck the checkbox.

Statistics

Related categories

Related tags

Your answer

To leave an answer, please sign in.