ironmansoftware / universal-automation

Universal Automation is the PowerShell-first automation platform.
https://ironmansoftware.com/universal-automation/
MIT License

401 (Unauthorized) on API with Administrator AppToken #144

Closed claudiospizzi closed 4 years ago

claudiospizzi commented 4 years ago

Describe the Issue

The API always returns with a 401 (Unauthorized) for any request with an administrator role key.

To Reproduce

Steps to reproduce the behavior:

  1. Start the Universal Automation hosted in IIS (see script sample)
  2. Grant AppToken to a new identity (first one)
  3. Invoke any query on the api

Expected behavior

All calls to the api should work with the AppToken.

Script Sample

# Hosted in IIS
$uaServerSplat = @{
    ConnectionString    = 'C:\PathToDatabase\database.db'
    RepositoryPath      = 'C:\PathToRepository'
    GitRemote           = 'https://remote/repo.git'
    GitRemoteCredential = $cred
    JwtSigningKey       = 'some-very-long-key'
    JwtAudience         = 'Universal Automation'
    JwtIssuer           = 'Company'
    InProcess           = $true
}
Start-UAServer @uaServerSplat

# Local PowerShell session or in UD hosted in IIS
$appToken = Grant-UAAppToken -ComputerName 'https://powershell-api.company.local' -IdentityName 'admin' -Role (Get-UARole -ComputerName 'https://powershell-api.company.local' -Name 'Administrator')

# Now this one will throw a 401
Get-UALicense -ComputerName 'https://powershell-api.company.local' -AppToken $appToken.Token

Version Information

adamdriscoll commented 4 years ago

Seeing the same thing. I'll get to the bottom of it and let you know.

adamdriscoll commented 4 years ago

This has been resolved in the latest 1.1.1 build. I think we'll be releasing a new build to the gallery later this week. I will post a nightly build for you to try tomorrow morning my time.

adamdriscoll commented 4 years ago

Alright. This kit is working for me in IIS. Please give that a shot. Make sure to use Unblock-File to ensure that PS will load this module. https://send.firefox.com/download/fe490bf4d8de7c4e/#FHJmHYrddP77Wt1NN3St7g

claudiospizzi commented 4 years ago

I've tried it with the version 1.1.1. When I start the UA server, the following message is written to the log while I invoke the first request - I get a 500 error. But after a few seconds, trying the same request again, the UA server is working as expected: (By the way, I'm pretty sure, no one else is using the file, checked with procexp.exe)

2020-03-18 04:05:06 [WARN]  (Hangfire.AutomaticRetryAttribute) Failed to process the job '3fbfe02f-be82-4b6f-87b9-0fec777f3ba5': an exception occurred. Retry attempt 1 of 10 will be performed in 00:00:16.
System.IO.IOException
The process cannot access the file 'C:\ProgramData\PSAutomation\Database\database.db' because it is being used by another process.
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)
   at LiteDB.FileDiskService.CreateFileStream(String path, FileMode mode, FileAccess access, FileShare share)
   at LiteDB.FileDiskService.Initialize(Logger log, String password)
   at LiteDB.LiteEngine..ctor(IDiskService disk, String password, Nullable`1 timeout, Int32 cacheSize, Logger log, Boolean utcDate)
   at LiteDB.LiteDatabase.<>c__DisplayClass11_0.<.ctor>b__0()
   at LiteDB.LazyLoad`1.get_Value()
   at LiteDB.LiteCollection`1.<Find>d__17.MoveNext()
   at LiteDB.LiteQueryable`1.<ToEnumerable>d__21.MoveNext()
   at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
   at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
   at UniversalAutomation.LiteDBTable`1.Get()
   at UniversalAutomation.JobScheduler.Schedule()

Now while trying to import the UniversalAutomation.Dashboard with version 1.1.1, I get the following error:

image

Can you check that?

adamdriscoll commented 4 years ago

I'm seeing that error on startup as well. Mine also starts working after it shows that but I'm trying to get to the bottom of why that is happening.

UniversalAutomation.Dashboard has a version of UD packaged into it. Can you skip the step where you import UD 2.9?

Sorry, that wasn't clear.

claudiospizzi commented 4 years ago

Ok. I've now switched from the New-UADashboard (1.0.1) to the Start-UADashboard (1.1.1) command. If I start the UA server, I still have the System.IO.IOException first but then it works, as long as no token is created.

Now I still get a 401, as soon as I've created the first app token: image

I can't see any additional errors in the logs.

I will verify my script later again step by step, without IIS, to reproduce the issue.

adamdriscoll commented 4 years ago

Hmmm ok. If you are still stuck, let's jump on a Zoom call together and see if we can get it going.

claudiospizzi commented 4 years ago

@adamdriscoll As discussed in the call, my issue was caused by using the Jwt configuration. By removing the 3 Jwt configurations, it works.
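
The thread ends with the 401 traced to the three Jwt settings. The following is an added example, not part of the thread and not Universal Automation code, of checking a token against a given signing key, issuer and audience. It assumes a compact HS256 JWT (the thread does not show the app token's format); the function names and the sample token with issuer `OtherIssuer` are constructed for illustration.

```powershell
# Added example, not Universal Automation code. Assumes a compact HS256 JWT;
# the thread does not show the real app token format.
function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64UrlText {
    param([Parameter(Mandatory)][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }   # restore stripped padding
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-JwtHs256Signature {
    param([string]$SigningInput, [string]$SigningKey)
    $hmac = [Security.Cryptography.HMACSHA256]::new([Text.Encoding]::UTF8.GetBytes($SigningKey))
    try { ConvertTo-Base64Url ($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($SigningInput))) }
    finally { $hmac.Dispose() }
}

function Test-JwtAgainstConfig {
    param([string]$Token, [string]$SigningKey, [string]$Issuer, [string]$Audience)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected three dot-separated JWT parts.' }
    $header = ConvertFrom-Base64UrlText $parts[0] | ConvertFrom-Json
    $claims = ConvertFrom-Base64UrlText $parts[1] | ConvertFrom-Json
    # Diagnostic comparison only; a server-side verifier should compare in constant time.
    $sig = Get-JwtHs256Signature "$($parts[0]).$($parts[1])" $SigningKey
    [pscustomobject]@{
        Algorithm      = $header.alg
        SignatureValid = (($header.alg -ceq 'HS256') -and ($sig -ceq $parts[2]))
        IssuerMatch    = ($claims.iss -ceq $Issuer)
        AudienceMatch  = (@($claims.aud) -ccontains $Audience)   # aud may be a string or an array
    }
}

# Constructed sample: a token minted with a different issuer than the server expects.
$key    = 'some-very-long-key'   # Jwt* values as in the issue's script sample
$head   = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes('{"alg":"HS256","typ":"JWT"}'))
$body   = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes('{"iss":"OtherIssuer","aud":"Universal Automation"}'))
$sample = "$head.$body." + (Get-JwtHs256Signature "$head.$body" $key)

Test-JwtAgainstConfig -Token $sample -SigningKey $key -Issuer 'Company' -Audience 'Universal Automation'
```

A `False` in any of the three checks points at the corresponding setting; the signing key itself should come from a secret store rather than a script literal.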