Not logged in. · Lost password · Register

All posts by darusdp (7)

topic: XML-RPC 401 Access Denied  in the forum: General Help and Support Installation and Configuration
Avatar
darusdp #1
Member since Jun 2019 · 7 posts
Group memberships: Members
Show profile · Link to this post
I believe this is the final resolution. Posted in case others wander to this forum with same issue.

Turns out that I didn't need a virtual site for anonymous authentication at all.

While I was passing in the -Body of the Invoke-WebRequest (iwr) a method call for dokuwiki.login parameters for username/password credentials the account I needed to use, it basically had no effect.

So I added -UseDefaultCredentials to the iwr call. This got me to login and getting pages with Windows Authentication. However wiki.put Page still not working with a 403 Forbidden Access.


Then I realized I was running PowerShell under a different account which as default creds truly didn't have write access to said page. Once I used the correct account to launch PowerShell, all was well.
topic: XML-RPC 401 Access Denied  in the forum: General Help and Support Installation and Configuration
Avatar
darusdp #2
Member since Jun 2019 · 7 posts
Group memberships: Members
Show profile · Link to this post
In reply to post ID 66494
Well not so fast. I thought all was well until I tried to do a wiki.putPage Colman’s. Now back to 401.2 access denied error.

My current thinking is this is because I’m using anonymous authentication and no write access.

I need to get Windows authentication working so that credentials I pass are used that have write access for the page.

Any help appreciated. Seems there has got to be an answer as PSDokuWiki likely had to be tested and worked for the author of that plugin. Again I think it’s more of an IIS, server side configuration and not Powershell script.

I’ve done the obvious of granting accounts access to website disk location.
topic: XML-RPC 401 Access Denied  in the forum: General Help and Support Installation and Configuration
Avatar
darusdp #3
Member since Jun 2019 · 7 posts
Group memberships: Members
Show profile · Link to this post
In reply to post ID 66459
The issue is because IIS can't have both Anonymous and Windows Authentication on the same website at the same time.

The solution is to make a virtual directory/application for XML-RPC to point to and set authentication mode to Anonymous.

Then used PowerShell DokuWiki (PSDokuWiki by AndyDLP on GitHub) scripts and I ran into and issue with the Internet Explorer engine not available or never had first time settings done or use -UseBasicParing in the Invoke-WebRequest call.

Searching Internet for fix to IE engine had two solutions. 1. -UseBasicParsing 2. Make Group Policy to deal with IE initial settings.

Solution #2 didn't work for me though others got it to.
http://wahlnetwork.com/2015/11/17/solving-the-first-launch…

I updated the PSDokuWiki scripts to have -UserBasicParsing when it calls Invoke-WebRequest. Only found 2 places (so far) where it is needed. In Connect-DokuServer.ps1 and the Invoke-DokuWikiApiCall.ps1

All is working now with these changes.
topic: XML-RPC 401 Access Denied  in the forum: General Help and Support Installation and Configuration
Avatar
darusdp #4
Member since Jun 2019 · 7 posts
Group memberships: Members
Show profile · Link to this post
In reply to post ID 66451
I get this message.
No connection.  Have you set the remote API config options?


However, if I set in IIS, Authentication for the DokuWiki site to Enable Anonymous Authentication both the XCOM test works and my Invoke-WebRequest works. The PSDokuWiki doesn't fully because it doesn't include the -UseBasicParsing switch. I could alter the code to include that but not good long-term.

Still, even though I got this to work, enabling Anonymous Authentication and still having Windows Authentication enabled cause wiki user to login. Before it would automatically "login" with the user Active Directory account they are using when they use a WebBrowser to the wiki.


Ideally, the AD SSO would still work and XML-RPC. Fixing one "breaks" the other. If you have other ideas of how to get both AD SSO and XML-RPC to work that would be much appreciated.
This post was edited on 2019-06-07, 14:44 by darusdp.
topic: XML-RPC 401 Access Denied  in the forum: General Help and Support Installation and Configuration
Avatar
darusdp #5
Member since Jun 2019 · 7 posts
Group memberships: Members
Show profile · Link to this post
In reply to post ID 66450
I'm not exactly sure what you mean by DokuWiki ACLs. However, said user can go to said page and read it and edit it and save it.

Also, RemoteUser - this is blank to allow all users
topic: XML-RPC 401 Access Denied  in the forum: General Help and Support Installation and Configuration
Avatar
darusdp #6
Member since Jun 2019 · 7 posts
Group memberships: Members
Show profile · Link to this post
In reply to post ID 66446
Subject: Additional Info
I ran powershell and command from the server the wiki is on and got more error message - below.

Invoke-WebRequest : 
 
 
IIS 10.0 Detailed Error - 401.2 - Unauthorized
 
  HTTP Error 401.2 - Unauthorized
  You are not authorized to view this page due to invalid authentication headers.
 
 Most likely causes:
       No authentication protocol (including anonymous) is selected in IIS.     Only integrated authentication is enabled, and a client browser was used that does not support integrated authentication.     Integrated authentication is enabled and the request was
sent through a proxy that changed the authentication headers before they reach the Web server.     The Web server is not configured for anonymous access and a required authorization header was not received.     The "configuration/system.webServer/authorization"
configuration section may be explicitly denying the user access. 
 
 
 Things you can try:
       Verify the authentication setting for the resource and then try requesting the resource using that authentication method.     Verify that the client browser supports Integrated authentication.     Verify that the request is not going through a proxy when
Integrated authentication is used.     Verify that the user is not explicitly denied access in the "configuration/system.webServer/authorization" configuration section.     Create a tracing rule to track failed requests for this HTTP status code. For more
information about creating a tracing rule for failed requests, click here.  
 
 
 Detailed Error Information:
   
    Module   IIS Web Core
    Notification   AuthenticateRequest
    Handler   PHP_via_FastCGI
    Error Code   0x80070005
  
    Requested URL   http://gruwikipre01:80/lib/exe/xmlrpc.php
    Physical Path   D:\dokuwiki\lib\exe\xmlrpc.php
    Logon Method   Not yet determined
    Logon User   Not yet determined
    
 
 More Information:
  This error occurs when the WWW-Authenticate header sent to the Web server is not supported by the server configuration. Check the authentication method for the resource, and verify which authentication method the client used. The error occurs when the
authentication methods are different. To determine which type of authentication the client is using, check the authentication settings for the client.
  View more information »
  Microsoft Knowledge Base Articles:
 907273253667
 
 
 
At line:1 char:17
+ ... pResponse = Invoke-WebRequest -Uri 'http://gruwikipre01/lib/exe/xmlrpc. ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
topic: XML-RPC 401 Access Denied  in the forum: General Help and Support Installation and Configuration
Avatar
darusdp #7
Member since Jun 2019 · 7 posts
Group memberships: Members
Show profile · Link to this post
Subject: XML-RPC 401 Access Denied
I'm trying to use DokuWiki XML-RPC API via the PowerShell DokuWiki module by AndyDLP and getting a 401 Access Denied no permission to the xmlrpc.php file due to invalid credentials.

The environment is:
W2K16 Server DataCenter VM
IIS 10.x
PHP 7.1
DokuWiki Release 2018-04-22a "Greebo"

Remote - Enable the remote API system. This is checked to Enable
RemoteUser - this is blank to allow all users

XML-RPC path: D:\dokuwiki\lib\exe
NTFS Permissions:
IUSR - Full control
SYSTEM - Full Control
NETWORK SERVICE - Full Control
Administrators - Full Control (this is the server's local account)
Users - Read,Execute,List (this is the server's local account)
{my domain username} - Full Control

The best I can tell IIS (and w3wp.exe) and PHP is using NETWORK SERVICE as its account. I verified this with PROCMON.

These PowerShell commands seem to work as expect, granted they are not suppose to do much. I used these as debugging to show that in some cases there is no access denied.

#Works with response of: XML-RPC server accepts POST requests only. This was expected.
$httpResponse = Invoke-WebRequest -Uri 'http://gruwikipre01/lib/exe/xmlrpc.php' -Method Post -UseBasicParsing -Credential $cred -SessionVariable WebSession

#Works with response of: XML-RPC server accepts POST requests only. This was expected.
$httpResponse = Invoke-WebRequest -Uri 'http://gruwikipre01/lib/exe/xmlrpc.php' -Method Post -Headers @{ "Content-Type" = "text/xml"; } -UseBasicParsing -Credential $cred -SessionVariable WebSession

#Works with response of: -32700, parse error. not well formed. This was expected.
$httpResponse = Invoke-WebRequest -Uri 'http://gruwikipre01/lib/exe/xmlrpc.php' -Method Post -Headers @{ "Content-Type" = "text/xml"; }  -Body "<?xml version=`"1.0`"?> " -UseBasicParsing -Credential $cred -SessionVariable WebSession

#Works with response of: -32603, Method does not exist. This was expected.
$httpResponse = Invoke-WebRequest -Uri 'http://gruwikipre01/lib/exe/xmlrpc.php' -Method Post -Headers @{ "Content-Type" = "text/xml"; }  -Body "<?xml version=`"1.0`"?><methodCall></methodCall>" -UseBasicParsing -Credential $cred -SessionVariable WebSession

#Works with response of current time.  This was expected.
$httpResponse = Invoke-WebRequest -Uri 'http://gruwikipre01/lib/exe/xmlrpc.php' -Method Post -Headers @{ "Content-Type" = "text/xml"; }  -Body "<?xml version=`"1.0`"?><methodCall><methodName>dokuwiki.getTime</methodName></methodCall>" -UseBasicParsing -Credential $cred -SessionVariable WebSession

#Works with response of: 2018-04-22a "Greebo". This was expected.
$httpResponse = Invoke-WebRequest -Uri 'http://gruwikipre01/lib/exe/xmlrpc.php' -Method Post -Headers @{ "Content-Type" = "text/xml"; }  -Body "<?xml version=`"1.0`"?><methodCall><methodName>dokuwiki.getVersion</methodName></methodCall>" -UseBasicParsing -Credential $cred -SessionVariable WebSession

The above indicates to me that access to D:\dokuwiki\lib\exe\xmlrpc.php is granted. I even modified that PHP file to have lines of code that positively proved that it was being executed.


Now, here is the command that fails.
#Does NOT work, 401 - Unauthorized: Access is denied due to invalid credentials.
#You do not have permission to view this directory or page using the credentials that you supplied.

$httpResponse = Invoke-WebRequest -Uri 'http://gruwikipre01/lib/exe/xmlrpc.php' -Method Post -Headers @{ "Content-Type" = "text/xml"; } -Body "<?xml version=`"1.0`"?><methodCall><methodName>dokuwiki.login</methodName><params><param><value><string>GRUWIKIPRE01\Administrator</string></value></param><param><value><string>EBh9UI5B9lORH</string></value></param></params></methodCall>" -UseBasicParsing -SessionVariable WebSession -ErrorAction Stop

I put code in XMLRPC.PHP to see if it even got to the file and it doesn't (access is denied).
I have used various username's with their password (that have NTFS file permission) with still access denied.


I can believe that it truly is access denied with credentials provided but I don't know why (since they were granted), nor how to fix the issue. Maybe access is being denied to some other file first.

However, PROCMON has only 1 line about file access, next.

11:03:12.2597442 AM    w3wp.exe    4920    FASTIO_NETWORK_QUERY_OPEN    D:\dokuwiki\lib\exe\xmlrpc.php    SUCCESS    CreationTime: 10/17/2017 10:14:28 AM, LastAccessTime: 10/17/2017 10:14:28 AM, LastWriteTime: 6/5/2019 12:57:39 PM, ChangeTime: 6/5/2019 6:36:14 PM, AllocationSize: 4,096, EndOfFile: 1,947, FileAttributes: A

PROCMON Event Properties for the Process (some details omitted because I doubt they are relevant):
Command Line: c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v4.0" -l "webengine4.dll" -a \\.\pipe\iisipm2173ae5d-9f06-4a98-8a82-929cc8d97cb1 -h "C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config" -w "" -m 0 -t 20 -ta 0

PID: 4920

User: NT AUTHORITY\NETWORK SERVICE

Auth ID: 00000000:000003e4



Maybe there is some IIS or PHP or ??? configuration that is causing access denied. I don't know much about configuring at HTTP server.


You will notice that I'm not using the AndyDLP PSDokuWiki commands (they don't work either). I'm using the Invoke-WebRequest that this command 'Connect-DokuServer -ComputerName 'gruwikipre01' -Credential $cred' builds


So it's not an issue with PSSDokuWiki. I don't think it is a PowerShell Invoke-WebRequest cmdlet issue. But something on the server side.


Any help appreciated. Response with what other info may be needed.

Also, any aid (in detail) on how a web request from a client is processed by IIS and sent to PHP and eventually to xmlrpc.php. Maybe that will lead to where the issue is being caused.


Thanks, Dave
This post was edited on 2019-06-06, 19:38 by darusdp.
Close Smaller – Larger + Reply to this post:
Special characters:
Special queries
Go to forum
Imprint
This board is powered by the Unclassified NewsBoard software, 20150713-dev, © 2003-2015 by Yves Goergen
Current time: 2019-10-16, 07:04:11 (UTC +02:00)