Authentication for Protocol Integration always gives 401 Unauthorized

I’m at the very beginning of a proof of concept for integrating MileStone into our other systems. right now I’m simply trying to get token via Postman using the instruction here: https://doc.developer.milestonesys.com/html/reference/protocols/imageserver_getdevices.html

I have found a few other questions that seem to be the same as mine but none have solved my issue. My initial thought is that I need to give my admin account API access but I have not found anything that would suggest that needs to be done or any place to add it.

Other questions that didn’t help me:

https://developer.milestonesys.com/s/question/0D53X00006YUsODSA1/protocol-integration-method-cannot-authenticate-using-soap-401-unauthorized-error

https://developer.milestonesys.com/s/question/0D53X00007MlWDMSA3/when-i-try-to-login-with-protocol-integration-it-gets-401-unauthorization-error

https://developer.milestonesys.com/s/question/0D50O00004BExHpSAL/cant-login-via-protocol-integration-with-basic-authentication

https://developer.milestonesys.com/s/question/0D53X00005yQ7IzSAK/i-cant-use-protocol-integration-to-get-information

Call details:

POST https://{server}/ManagementServer/ServerCommandService.svc (and https://{server}/ServerAPI/ServerCommandService.asmx I tried both)

Headers:

Content-Type: application/xml; charset=utf-8’

SOAPAction: http://videoos.net/2/XProtectCSServerCommand/Login’

Authorization: Basic *****

Body:

<soap:Envelope xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance xmlns:xsd=“http://www.w3.org/2001/XMLSchema”

xmlns:soap=“http://schemas.xmlsoap.org/soap/envelope/”>

soap:Body

<Login xmlns="[http://videoos.net/2/XProtectCSServerCommand](http://videoos.net/2/XProtectCSServerCommand)">

  <instanceId>12345</instanceId>

</Login>

</soap:Body>

</soap:Envelope>

Response:

Body:

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>

<style type="text/css">

    <!--

    body {

        margin: 0;

        font-size: .7em;

        font-family: Verdana, Arial, Helvetica, sans-serif;

        background: [#EEEEEE](javascript:void\(0\); "#EEEEEE");

    }

    fieldset {

        padding: 0 15px 10px 15px;

    }

    h1 {

        font-size: 2.4em;

        margin: 0;

        color: [#FFF](javascript:void\(0\); "#FFF");

    }

    h2 {

        font-size: 1.7em;

        margin: 0;

        color: [#CC0000](javascript:void\(0\); "#CC0000");

    }

    h3 {

        font-size: 1.2em;

        margin: 10px 0 0 0;

        color: #000000;

    }

    [#header](javascript:void\(0\); "#header") {

        width: 96%;

        margin: 0 0 0 0;

        padding: 6px 2% 6px 2%;

        font-family: "trebuchet MS", Verdana, sans-serif;

        color: [#FFF](javascript:void\(0\); "#FFF");

        background-color: #555555;

    }

    [#content](javascript:void\(0\); "#content") {

        margin: 0 0 0 2%;

        position: relative;

    }

    .content-container {

        background: [#FFF](javascript:void\(0\); "#FFF");

        width: 96%;

        margin-top: 8px;

        padding: 10px;

        position: relative;

    }

    -->

</style>

<div id="header">

    <h1>Server Error</h1>

</div>

<div id="content">

    <div class="content-container">

        <fieldset>

            <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>

            <h3>You do not have permission to view this directory or page using the credentials that you supplied.

            </h3>

        </fieldset>

    </div>

</div>

Are you using Basic user or Windows AD user?

You might already read following article, but let me introduce them:

Introduction to Soap Protocols

https://doc.developer.milestonesys.com/html/index.html?base=gettingstarted/intro_soap_protocols.html&tree=tree_3.html

Authenticate, login, and register

https://doc.developer.milestonesys.com/html/index.html?base=reference/protocols/imageserver_authenticate.html&tree=tree_3.html

I’m using an AD user. Right now, for testing, just my personal account but I’ll be using a service account when I get everything together. I’ve read both of those pages but I don’t see what I’m missing from getting some kind of basic call completed.

I have having the exact same issue. Getting 401 unauthorized error using postman and using a Java Soap Client as well. Tried both "Basic user as well as Windows AD user". I have created a basic user “admin” and tried using both admin as well as Windows AD user “WINXXX-SERV\Administrator”.. But always getting 401 unauthorized..

@Rie Kiuchi (Milestone Systems)​ Any suggestions on how to debug the issue or see whats going on ?

I just implemented it in java today to see if it’s just postman but no dice. Interestingly it seems like it’s only half working in the C# example they provided as well. When I attempt connecting with basic auth it just fails, but if I connect with windows auth it seems to work fine. I’m trying to decipher the C# code but it’s taking a while as I’ve never actually coded in that language before.

Can you please try to use Basic user? Because in your question post, you wrote that “Authorization: Basic *****”.

I’m not sure what you mean by this. What is a basic user?

Basic users, authenticated by a user name/password combination. Please see this link -

https://www.milestonesys.com/globalassets/techcomm/2018-r2/advvms/english-united-states/index.htm?toc.htm?56300.htm

it was not clear to me that “Basic user” meant the user had to be within MileStone and could not be an AD/LDAP user. I was under the impression that I could use basic auth with LDAP as I have done that with many other integrations.

Hi All, I have been able to authenticate using Basic User using POSTMAN. Here are the steps I have used.

1. I used https for Basic User. The POST link i used is https:///ManagementServer/ServerCommandService.svc
2. In Authorization Tab, Select Type as Basic Auth and enter basic user and password. Make sure to create a basic user as @Rie Kiuchi (Milestone Systems)​ points out in the link above.
3. In Headers Tab, Change “Content-Type” to ''text/xml; charset=utf8". Add a new header “SoapAction” with value “http://videoos.net/2/XProtectCSServerCommand/IServerCommandService/Login”
4. Go to Body Tab, select “raw” and select “XML” from the last drop down.
5. Add the following content in the body:

<soapenv:Envelope xmlns:soapenv=“http://schemas.xmlsoap.org/soap/envelope/” xmlns:xpr=“http://videoos.net/2/XProtectCSServerCommand”>

soapenv:Header/

soapenv:Body

  <xpr:Login>

     <!--Optional:-->

     <xpr:instanceId>DDE4BA55-808E-479F-BE8B-72F69913442F</xpr:instanceId>

     <!--Optional:-->

     <!--<xpr:currentToken>?</xpr:currentToken> -->

  </xpr:Login>

</soapenv:Body>

</soapenv:Envelope>

*Use a guid in instanceId field, and ignore the currentToken field. Once the request is submitted, you will get a currentToken as a response which can be used in subsequent requests.

The SoapUI Login message format for “ManagementServer/ServerCommandService.svc” is not explained properly in the documentation. I was able to get the format using SoapUI (https://www.soapui.org/) , by creating a new project and giving the wsdl path (https:///ManagementServer/ServerCommandService.svc?wsdl) which generated sample request and service endpoints. Recommend to use it as it details every possible request available in the service endpoint.

I was able to follow this. I was on the path to making a local user (basic user) but for some reason, I had the wrong value for 'SOAPAction" so this helped me without needing to find where I got the info wrong.

It’s unfortunate that MileStone, a security company, only supports relatively weak forms for authentication. Now we have to figure out how to manage the credentials of this service account within MileStone. Ideally, they would integrate with 3rd party auth systems like Octa, or at least LDAP. NTLM is so insecure that we cannot use it, even if I could it doesn’t integrate well with JAVA. Basic Auth is better but we have to manage key rotation and the account is in MileStone, not in a unified location.

Thank you for your feedback. Milestone Development is working on more secure authentication on VMS, keep following the news from Milestone.