GET request works in browser, but I get Unauthorized when using Postman
E

9

9

I am issuing a request via chrome:

[org]/api/data/v8.1/accounts?$select=name,accountid&$top=3

and I get a reasonable response:

{
  "@odata.context":"[org]/api/data/v8.1/$metadata#accounts(name,accountid)","value":[
    {
      "@odata.etag":"W/\"769209\"","name":"Telco","accountid":"c6ed63e0-9664-e411-940d-00155d104b35"
    },{
      "@odata.etag":"W/\"752021\"","name":"Fourth Coffee","accountid":"d1eefc0a-3ebc-e611-80be-24be051ac8a1"
    },{
      "@odata.etag":"W/\"768036\"","name":"Fourth Coffee","accountid":"3cbb8d24-20bd-e611-80c0-24be051ac8a1"
    }
  ]
}

However, when attempting to do the same GET through postman, I am getting a 401 unauthorized!

I've tried with no headers at all, as well as basic auth:

Authorization:Basic Y2hybGFiXxxxxxxxxxxxxxcmQxMjM=

What am I doing wrong? Is there something I need to change within CRM to allow me to do GETs from postman?

The following are headers that Chrome uses (got this from DevTools):

  • Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  • Accept-Encoding:gzip, deflate, sdch
  • Accept-Language:en-US,en;q=0.8
  • Authorization:Negotiate [token removed]
  • Cache-Control:max-age=0
  • Cookie:ReqClientId=42484e9a-f488-41a9-a016-1cd6e5820b3c
  • Host:myhost....
  • Proxy-Connection:keep-alive
  • Upgrade-Insecure-Requests:1
  • User-Agent:Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Mobile Safari/537.36
Eiderdown answered 23/4, 2017 at 23:17 Comment(9)
When you did the request via Chrome, did you use DevTools to see what the request actually contained? Headers, etc. – Inurbane
@MariaInesParnisari please view the updated question with that info. Thank you very much for your help. – Eiderdown
When doing the request via Postman, did you try adding a header with Authorization: Negotiate? – Inurbane
Just add the same exact header? Same result. – Eiderdown
Did you add the cookie you see in the Chrome request? – Inurbane
I just pasted the entire thing into Postman. – Eiderdown
Let us continue this discussion in chat. – Eiderdown
I believe this is due to upgrade-insecure-requests. – Stereophotography
Official document: learning.getpostman.com/docs/postman/sending_api_requests/… – Zeralda
L
6

First, log in to CRM and leave the tab sitting there.

Go into POSTMan

Enable the Interceptor (see image)

Enter the URL and hit SEND, just like that. POSTMan will take care of cookies and headers on its own, and you'll see the results.

If you log out from CRM, POSTMan will obviously no longer be able to issue the requests and will return 401 instead.

Looming answered 24/4, 2017 at 9:25 Comment(6)
Do you mean to log into CRM using the browser and use the Postman plugin for the browser? Or do you mean log into CRM from the Postman standalone client? – Eiderdown
I'd like to add that I have now moved from POSTMan to Boomerang because I like it better. Answer applies to that the same. – Looming
I assure you, you'll be moving back to Postman; it has 2500 questions on Stack Overflow, whereas Boomerang has 15. – Eiderdown
I constantly switch back and forth in search of better tools, so it might very well be. Not that it actually matters, as long as the job gets done with no hassle. – Looming
What do you like more about Boomerang? – Eiderdown
Here's how to set up the Interceptor: learning.postman.com/docs/sending-requests/… – Mulry
C
4

It seems like the server you are calling requires RFC 4559 (https://www.rfc-editor.org/rfc/rfc4559) authentication. More details here: https://en.wikipedia.org/wiki/SPNEGO.

The way it works in the case of a GET request from the browser:

  1. Browser requests the required page
  2. The server responds with HTTP 401 (Unauthorized) and provides a response header WWW-Authenticate: Negotiate. This tells the browser that RFC 4559 authentication is required.
  3. The browser makes sure the site has permissions for this action (details on configuration here: https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Kerberos-NTLM). Most sites will not be allowed to request such authorization without being explicitly white-listed.
  4. If permitted, the browser requests a Kerberos ticket from the domain's Active Directory.
  5. Active Directory responds with a ticket.
  6. The browser forwards the ticket to the server (via the Authorization: Negotiate xxxxx header that you see).
  7. The server interacts with the same Active Directory and turns that ticket into username and groups/permissions information.

I am not aware of a tool that will let you do this (simulate a browser) if you are trying to automate requests against the server (which is probably an internal/intranet company site). Your best course of action may be some form of scripting (like VBS) which will use IE via COM and possibly handle this authentication for you (I have not done this, so not sure if it will indeed work).

Curly answered 24/4, 2017 at 8:6 Comment(0)
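To see which mechanism a `Negotiate` header from DevTools or a proxy log actually carries, the token can be decoded and classified by its leading bytes. This is an added example, not part of the answer above; the function name `classify_negotiate` and the sample tokens are constructed for illustration.

```python
import base64
import struct

# DER-encoded mechanism OIDs (tag 0x06, length, value bytes).
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
NTLM_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLM_MESSAGES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_negotiate(header_value):
    """Describe the token in an Authorization / WWW-Authenticate header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    b64 = b64.strip()
    if scheme.lower() not in ("negotiate", "ntlm"):
        return {"kind": "other-scheme", "detail": scheme}
    if not b64:
        # Bare "Negotiate": the server's initial 401 challenge (step 2 above).
        return {"kind": "challenge", "detail": "no token yet"}
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"kind": "invalid", "detail": "not base64"}
    if token.startswith(b"NTLMSSP\x00") and len(token) >= 12:
        (msg_type,) = struct.unpack_from("<I", token, 8)
        return {"kind": "raw-ntlm", "detail": NTLM_MESSAGES.get(msg_type, "unknown")}
    if token[:1] == b"\x60":
        # GSS-API InitialContextToken; mechanism OIDs sit near the start.
        head = token[:64]
        mechs = [n for n, oid in (("kerberos", KRB5_OID), ("ntlm", NTLM_OID)) if oid in head]
        wrapper = "spnego" if SPNEGO_OID in head else "gssapi"
        return {"kind": wrapper, "detail": "+".join(mechs) or "unknown mechanism"}
    if token[:1] == b"\xa1":
        return {"kind": "spnego", "detail": "NegTokenResp (later leg of the exchange)"}
    return {"kind": "unknown", "detail": token[:8].hex()}


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed samples: structural stubs only, not real tickets or credentials.
SAMPLE_KERBEROS = "Negotiate " + _b64(
    b"\x60\x1c" + SPNEGO_OID + b"\xa0\x12\x30\x10\xa0\x0e\x30\x0c" + KRB5_OID + b"\x00")
SAMPLE_NTLM = "Negotiate " + _b64(b"NTLMSSP\x00" + struct.pack("<I", 1) + b"\x00" * 4)

if __name__ == "__main__":
    for value in ("Negotiate", SAMPLE_KERBEROS, SAMPLE_NTLM, "Basic Zm9vOmJhcg=="):
        print(classify_negotiate(value))
```

A `raw-ntlm` result means the client fell back to NTLM inside the Negotiate scheme rather than obtaining a Kerberos ticket as in steps 4 to 6.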
E
1

You are trying to access from the Postman Chrome extension or through the Postman (Windows-based) installed application on your system. Try to fetch the data from the Chrome extension.

Estranged answered 13/4, 2018 at 11:8 Comment(0)
A
1

I used the following steps and it was ok. Follow the steps, below:

  1. Open Google Chrome
  2. Install Postman Extension
  3. Install Postman's Interceptor Extension
  4. Open Postman Extension
  5. Use Sync
  6. Use Interceptor
Adventurer answered 11/9, 2019 at 20:57 Comment(0)
G
1

In my case, in a .NET project, I had two different authentication schemes in my Startup.cs. I removed the older one and added its auth services and it worked.

Giulietta answered 24/5, 2022 at 22:55 Comment(0)
P
0

Try putting quotes around your url:

curl '[org]/api/data/v8.1/accounts?$select=name,accountid&$top=3'

The &, $, = etc. may be causing problems - I had the same problem and putting quotes was the resolution

Pinball answered 18/12, 2018 at 7:50 Comment(0)
S
0

These helped me.

  1. Check that it is NTLM authentication both in postman and in the page hosted it is checked.

  2. Use method post

  3. Username and password (which you have set and need not be the access key)

Strafe answered 22/10, 2019 at 5:25 Comment(1)
Code-only answers are considered low quality: make sure to provide an explanation what your code does and how it solves the problem. It will help the asker and future readers both if you can add more information in your post. See also Explaining entirely code-based answers: meta.stackexchange.com/questions/114762/… – Joshuajoshuah
S
0

This solved my issue. In Postman, I copied the Access Token from the Authorization tab and selected the "No Auth" type. Then I moved to the Headers tab; under the Headers section, I provided a new key with the name "Authorization", and in the value I passed my token prefixed with Bearer. See the screenshot below.

Staphylorrhaphy answered 25/2, 2020 at 13:7 Comment(0)
C
-2

If the request works from the browser, then no authentication was used.
So, in Postman, for Authentication, use No Auth. :-)

Church answered 10/4, 2020 at 18:47 Comment(0)
