GET request works in browser, but I get Unauthorized when using Postman

I am issuing a request via Chrome:

[org]/api/data/v8.1/accounts?$select=name,accountid&$top=3

and I get a reasonable response:

{
  "@odata.context":"[org]/api/data/v8.1/$metadata#accounts(name,accountid)","value":[
    {
      "@odata.etag":"W/\"769209\"","name":"Telco","accountid":"c6ed63e0-9664-e411-940d-00155d104b35"
    },{
      "@odata.etag":"W/\"752021\"","name":"Fourth Coffee","accountid":"d1eefc0a-3ebc-e611-80be-24be051ac8a1"
    },{
      "@odata.etag":"W/\"768036\"","name":"Fourth Coffee","accountid":"3cbb8d24-20bd-e611-80c0-24be051ac8a1"
    }
  ]
}

However, when attempting to do the same GET through Postman, I get a 401 Unauthorized!

I've tried with no headers at all, as well as basic auth:

Authorization:Basic Y2hybGFiXxxxxxxxxxxxxxcmQxMjM=

What am I doing wrong? Is there something I need to change within CRM to allow me to do GETs from Postman?

The following are headers that Chrome uses (got this from DevTools):

  • Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  • Accept-Encoding:gzip, deflate, sdch
  • Accept-Language:en-US,en;q=0.8
  • Authorization:Negotiate <token redacted>
  • Cache-Control:max-age=0
  • Cookie:ReqClientId=42484e9a-f488-41a9-a016-1cd6e5820b3c
  • Host:myhost....
  • Proxy-Connection:keep-alive
  • Upgrade-Insecure-Requests:1
  • User-Agent:Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Mobile Safari/537.36
Alex Gordon asked Apr 23 '17 23:04


5 Answers

First, log in to CRM and leave the tab sitting there.

Go into Postman.

Enable the Interceptor (see image).

Enter the URL and hit SEND, just like that. Postman will take care of cookies and headers on its own, and you'll see the results.

If you log out from CRM, Postman will obviously no longer be able to issue the requests and will return 401 instead.

Alex answered Oct 19 '22 09:10


It seems like the server you are calling requires RFC 4559 (https://www.rfc-editor.org/rfc/rfc4559) authentication. More details here: https://en.wikipedia.org/wiki/SPNEGO.

The way it works in the case of a GET request from the browser:

  1. The browser requests the required page.
  2. The server responds with HTTP 401 (Unauthorized) and provides a response header WWW-Authenticate: Negotiate. This tells the browser that RFC 4559 authentication is required.
  3. The browser makes sure the site has permissions for this action (details on configuration here: https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Kerberos-NTLM). Most sites will not be allowed to request such authorization without being explicitly white-listed.
  4. If permitted, the browser requests a Kerberos ticket from the domain's Active Directory.
  5. Active Directory responds with a ticket.
  6. The browser forwards the ticket to the server (via the Authorization: Negotiate xxxxx header that you see).
  7. The server interacts with the same Active Directory and turns that ticket into username and groups/permissions information.

I am not aware of a tool that will let you do this (simulate a browser) if you are trying to automate requests against the server (which is probably an internal/intranet company site). Your best course of action may be some form of scripting (like VBS) which will use IE via COM and possibly handle this authentication for you (I have not done this, so I am not sure if it will indeed work).

xpa1492 answered Oct 19 '22 10:10
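Two checks that follow from the exchange described in the answer above, as an added example (not code from the question, any answer, Postman or Dynamics CRM): parse the 401's WWW-Authenticate challenge to see which schemes the server actually offers (a Basic header can never succeed against a server that only advertises Negotiate), and classify the opaque blob behind the browser's "Authorization: Negotiate ..." header so you know whether it carried SPNEGO, raw Kerberos, or an NTLM fallback. The challenge string and the tokens are constructed for the example; the bytes after the mechanism OID are placeholders, not a real NegTokenInit or AP-REQ, and the real token from the question is not reproduced.

```python
"""Diagnose a 401 from an endpoint that challenges with Negotiate (added example)."""
import base64
import re
from typing import Dict, List, Tuple

# Constructed challenge in the shape a 401 response carries (not from the question).
SAMPLE_CHALLENGE = 'Negotiate, NTLM, Bearer realm="crm", error="invalid_token"'

# Mechanism OIDs that can lead a GSS-API initial context token (RFC 2743 section 3.1).
OID_NAMES = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.2.840.48018.1.2.2": "Kerberos 5 (Microsoft legacy OID)",
}
OID_SPNEGO_DER = bytes.fromhex("2b0601050502")
OID_KRB5_DER = bytes.fromhex("2a864886f712010202")


def parse_www_authenticate(value: str) -> List[str]:
    """Return the auth-scheme names offered in a WWW-Authenticate header value.

    Keeps the leading word of each comma-separated part unless it is a key=value
    parameter continuing the previous scheme. Quoted values containing ", " are
    not handled; sufficient for challenge lines like the one above.
    """
    schemes: List[str] = []
    for part in re.split(r",\s*", value):
        part = part.strip()
        if not part:
            continue
        head = part.split()[0]
        if "=" in head:
            continue  # e.g. error="..." belongs to the Bearer parameters
        schemes.append(head)
    return schemes


def scheme_accepted(challenge: str, attempted: str) -> bool:
    """True if the scheme the client sent is one the server advertised."""
    return attempted.lower() in (s.lower() for s in parse_www_authenticate(challenge))


def _der_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_encode_length(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    width = (n.bit_length() + 7) // 8
    return bytes([0x80 | width]) + n.to_bytes(width, "big")


def _decode_oid(body: bytes) -> str:
    """Decode OID content octets (first byte packs two arcs, rest base-128)."""
    if not body:
        raise ValueError("empty OID")
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID")
    return ".".join(str(a) for a in arcs)


def build_gss_token(oid_der: bytes, inner: bytes) -> bytes:
    """Wrap (mechanism OID, inner token) in the [APPLICATION 0] framing of RFC 2743."""
    body = b"\x06" + bytes([len(oid_der)]) + oid_der + inner
    return b"\x60" + _der_encode_length(len(body)) + body


def classify_negotiate_token(b64: str) -> Dict[str, str]:
    """Say what an 'Authorization: Negotiate <b64>' blob actually carries."""
    raw = base64.b64decode(b64, validate=True)
    if raw.startswith(b"NTLMSSP\x00"):
        # NTLM fallback: the header still says Negotiate, but the payload is NTLMSSP.
        msg_type = int.from_bytes(raw[8:12], "little")
        return {"mechanism": "NTLM", "detail": f"NTLMSSP message type {msg_type}"}
    if not raw or raw[0] != 0x60:
        return {"mechanism": "unknown", "detail": "not a GSS-API initial context token"}
    _, pos = _der_length(raw, 1)
    if pos >= len(raw) or raw[pos] != 0x06:
        return {"mechanism": "unknown", "detail": "mechanism OID missing"}
    oid_len, pos = _der_length(raw, pos + 1)
    oid = _decode_oid(raw[pos:pos + oid_len])
    return {"mechanism": OID_NAMES.get(oid, "unknown GSS mechanism"), "detail": oid}


# Constructed tokens; inner bytes are placeholders. Real Kerberos tokens are hundreds
# of bytes, so their base64 begins "YII"; an NTLM type 1 begins "TlRMTVNTUAAB".
SAMPLE_TOKENS = {
    "spnego": base64.b64encode(build_gss_token(OID_SPNEGO_DER, b"\xa0\x03\x30\x01\x00")).decode(),
    "kerberos": base64.b64encode(build_gss_token(OID_KRB5_DER, b"\x01\x00" + b"\x00" * 300)).decode(),
    "ntlm": base64.b64encode(b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + b"\x00" * 24).decode(),
}

if __name__ == "__main__":
    print("server offers:", parse_www_authenticate(SAMPLE_CHALLENGE))
    print("Basic accepted?", scheme_accepted(SAMPLE_CHALLENGE, "Basic"))
    for name, tok in SAMPLE_TOKENS.items():
        print(name, tok[:12], classify_negotiate_token(tok))
```

Paste the real token from DevTools into `classify_negotiate_token` to see whether the browser actually used Kerberos or silently fell back to NTLM; the two are handled by different server-side configuration. To reproduce the browser's behaviour from a script rather than diagnose it, `requests` with `requests-kerberos` (`HTTPKerberosAuth`, after `kinit`) on Linux, or `requests-negotiate-sspi` on a domain-joined Windows machine, performs the Negotiate exchange for you.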


Are you trying to access it from the Postman Chrome extension or through the Postman (Windows-based) application installed on your system? Try to fetch the data from the Chrome extension.

kothari answered Oct 19 '22 09:10


I used the following steps and it was ok. Follow the steps, below:

  1. Open Google Chrome
  2. Install the Postman extension
  3. Install Postman's Interceptor extension
  4. Open Postman Extention
  5. Use Sync
  6. Use Interceptor

CodeSlave answered Oct 19 '22 09:10


In my case, in a .NET project, I had two different authentication schemes in my Startup.cs. I removed the older one and added its auth services, and it worked.

gourav m answered Oct 19 '22 09:10