KACE API Access - No CSRF Token
Hi,
I am trying to access my KACE instance API for scripting purposes (such as getting a list of all our device/software/...). I'm using this page https://support.quest.com/technical-documents/kace-systems-management-appliance/12.0%20common%20documents/api-reference-guide to help me; however, here is my situation:
A "POST" with my username/password to http://myKACE/ams/shared/api/security/login returns HTTP 200 with the following headers: X-Kace-Authorization, X-Kace-Appliance, X-Kace-Esmp-Performance. But no "X-Kace-CSRF-Token"! However, the X-Kace-Authorization seems very promising as it contains an authentication method ("Bearer") and token... I guess I might use this for further requests but I have no information as to how I should do it.
Here are examples of responses I get with further calls:
- /api/accounts ==> 401 Unauthorized / The request has not been authenticated. Allowed secure types for the resource are: ''.
- /api/inventory/machines ==> 500 Internal Server Error / No route found for \"GET /inventory/machines\"
Could you help me with this issue? My KACE server version is 12.1.169, without MFA.
Answers (4)
Top Answer
Hi @SeRil,
I think the latest versions of the SMA utilize the JWT authentication method. Thus, you will see 'x-kace-authorization' in the header containing the bearer token. For authentication, try this:
- POST request to http://mykace/ams/shared/api/security/login with username and password (ensure 'Mobile Device Access' is enabled for the designated/service user, Settings > Users)
- Retrieve the response header ['x-kace-authorization'] and cookies. Cookies should contain your logged session and kbox info. These are required and are to be included for subsequent API calls.
- Try a GET request to http://mykace/api/users/users/
Good luck as I think this is sufficient for you to start!
Thank you so much for your answer, it was a huge help!
I managed to re-use the cookies, and actually got data with:
- http://mykace/api/users (but not with http://mykace/api/users/users)
- http://mykace/api/machines (but not with http://mykace/api/inventory/machines)
The most problematic part is that "api/machines" is indeed returning a list of machines, but I have no documentation on how to handle those. I tried following the same rules as for the theoretical "/api/inventory/machines" (from https://support.quest.com/de-de/technical-documents/kace-systems-management-appliance/12.0%20common%20documents/api-reference-guide#TOPIC-1681523), but it doesn't work the same: with "/api/machines", I can't use filters, nor append a "/{id}", it just keeps returning the same array.
The API version returned is "16". Is there any reference guide to help me somewhere?
Comments:
- OK, eventually a colleague of mine rolled v13 of KACE, and here I realized that I need to add an "x-kace-api-version" header to get results. The number in this header can be anything (even tried with ridiculously high numbers, it worked), but you can't enter "latest" (needs to be a number I guess).
  So everything is now working fine for me, thanks @Unsullied for your precious help. - SeRil 1 month ago
- Kudos, glad to hear that - Unsullied 1 month ago
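
The flow this thread arrives at (log in, keep the cookies and the x-kace-authorization value, send a numeric x-kace-api-version on later calls), as an added Python example that is not code from the posters or from Quest's documentation. The class name, the environment variable names and the JSON login field names (userName, password, organizationName) are assumptions to check against your appliance's API guide.

```python
import json
import os
import urllib.request
from http.cookiejar import CookieJar

# "16" is the version the poster's appliance reported; the thread says any number is accepted.
API_VERSION = "16"


class KaceSession:
    """Log in once, then replay the bearer header, session cookies and API version."""

    def __init__(self, base_url):
        self.base_url = base_url.rstrip("/")
        # The cookie jar stores the session cookies set by the login response
        # and sends them back automatically on later requests.
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(CookieJar()))
        self.headers = {"Accept": "application/json",
                        "Content-Type": "application/json",
                        "x-kace-api-version": API_VERSION}

    def login(self, user, password, org="Default"):
        # Assumed body field names (not shown in the thread).
        body = json.dumps({"userName": user, "password": password,
                           "organizationName": org}).encode()
        req = urllib.request.Request(
            self.base_url + "/ams/shared/api/security/login",
            data=body, headers=self.headers, method="POST")
        with self.opener.open(req) as resp:
            token = resp.headers.get("x-kace-authorization")
        if not token:
            raise RuntimeError("login returned no x-kace-authorization header")
        # Value has the form "Bearer <token>"; it is replayed unchanged.
        self.headers["x-kace-authorization"] = token

    def get(self, path):
        req = urllib.request.Request(self.base_url + path, headers=self.headers)
        with self.opener.open(req) as resp:
            return json.load(resp)


if __name__ == "__main__":
    # Point KACE_URL at an https:// address so the password and bearer token
    # are not sent in clear text, and keep the credentials out of the script.
    session = KaceSession(os.environ["KACE_URL"])
    session.login(os.environ["KACE_USER"], os.environ["KACE_PASSWORD"])
    print(session.get("/api/machines"))
```
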