I need to login to the Management Server to get a token, which I’ll then use inside as token and eventually get images between two points in time via this (I think) https://doc.developer.milestonesys.com/html/reference/protocols/imageserver_request_response.html
The problem is the first step: authentication with XProtect to get the token.
The remote server is using Node.js and trying to authenticate with XProtect.
I’ve tried both Windows and Basic authentication, but to no avail.
A few things to note:
The token to be used inside the Image Server request’s cannot be fetched from the Image Server itself. Rather, you have to get it from the Management Server running not on port 7563 but port 80/443.
This is not clearly or even implicitly mentioned, neither here nor here.
I only learned this after taking a look at two Protocol samples that come with the SDK.
After being stuck for days, I learned that Basic authentication is somehow different depending on XProtect version and there’s a distinction between C-code and other servers (still unclear about this).
Then, after some more digging, this page is apparently implying that Basic users cannot connect without SSL?
I’ve also taken a look at two Protocol samples (LoginDotNetSoap & TcpVideoViewer), and I’m sorry but they are very unclear about what’s actually going on under the hood. This is especially true for a non-C# developer. A lot of libraries, levels of indirection are being used and the “raw” connection details are not very visible, thus just by looking at that C# code I’ve failed to translate to JS.
Also tried different values for the SOAPAction header. I’ve written various forms of this using some Node.js HTTP packages like axios, request etc.
The doc says to use text/xml. This never worked as I kept getting a 415, it asked me to application/soap+xml instead. Again, didn’t find this in the docs.
const firstLoginSoapBody = `<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><Login xmlns="http://videoos.net/2/XProtectCSServerCommand"><instanceId>${instanceIdUuid}</instanceId><currentToken></currentToken></Login></soap:Body></soap:Envelope>`.replace('\n', '').replace('\r', '') + '\r\n\r\n'
const loginSoapFullData2 = `
POST /ManagementServer/ServerCommandService.svc HTTP/1.1
Host: whatever.com
Content-Type: application/soap+xml; charset=utf-8
Authorization: ${basicAuthToken}
Content-Length: ${firstLoginSoapBody.length}
SOAPAction: http://videoos.net/2/XProtectCSServerCommand/IServerCommandService/Login
Connection: close\r\n\r\n` +
firstLoginSoapBody
console.log('REQUEST BODY: \n\n', loginSoapFullData2)
const client = new net.Socket()
client.setTimeout(10000)
client.setKeepAlive(true)
client.connect(80, host, () => {
console.log('Connected')
client.write(loginSoapFullData2, () => {
//client.end()
//resolve()
})
})
client.on("data", (b) => console.log('RESPONSE DATA: \n\n', b.toString()))
client.on('error', (err) => console.error(err, 'Could not TCP connect'))
client.on("timeout", () => console.error('Timeout'))
Right now this code results in a 400 (Invalid host name) even if I run it locally on the same machine as the VMS, though the XML documentation via wsdl is still working. With other variations I’ve also received 401 Invalid credentials, 415 etc responses.
The basic auth token used in Authorization is I guess not supposed to work of course, so I’m expecting a 401.
I’ve read up a bit on NTLM and Kerberos authentication schemes, and they require multiple requests to different servers (like TGS)…the doc apparently says to use just this one POST request and it just says “Authorization: {autogenerated by HTTP library or class applied}”, without specifying how this value is supposed to be generated. The samples don’t clarify this either.
I’ve seen other similar questions regarding authentication issues, especially with other languages. And often it’s been suggested to review the C# samples, which again are not very helpful to a non-C# developer. And the whole point of the Protocol integration is to remove the dependency on C#/.NET/Windows.
It’s also been asked to use Wireshark to view the traffic and figure out what’s going on. Again, I’m sorry but this doesn’t seem like a reasonable suggestion. The documentation should be written and organized more clearly, and mention all variations of different APIs without presuming that the developer will be using the same code as the C# samples.
I would really appreciate it if someone could please help, with specific instructions. Ideally, at this point, how to use NTLM or Kerberos schemes to get a token from XProtect that can then be used to get images from Image Server.
(Assuming to work with Essentials+ but something that would extend to all versions of the product)
It’s strange that authenticating with Analytics MAD is not difficult at all, I’ve been using that successfully for a long time. It requires Basic HTTP authentication and just works.