Web Service Connector with Basic Authentication

Configure the ScriptRunner Web Service Connector with Basic Authentication

Please note that an administrative PowerShell console on the ScriptRunner service host is required to run the cmdlets.

For third-party systems that don't support Windows integrated authentication via NTLM or Kerberos, the ScriptRunner Web Service Connector can also be addressed with Basic Authentication.

Since Basic Authentication transmits user names and passwords in plain text with every request, it should always be regarded as insecure and avoided if possible.

With the Web Service Connector, usually only individual requests are sent; if the client side is not a browser application, risks associated with Basic Authentication such as Cross-Site Request Forgery (CSRF) may not apply in this use case.

The plaintext passwords must be protected via HTTPS; this requires a server certificate for the ScriptRunner host.

  • The Basic Authentication login is made with an Active Directory Account (Service Account).
  • On every request, the ScriptRunner service checks against the domain whether a) this account is present in the domain and b) the transferred password is correct.
  • The password is not stored in ScriptRunner.
  • Each account requires a separate ScriptRunner user license to use Basic Authentication.
  • We suggest consistently using the spelling DOMAIN\username (login name in AD in lower case; login in the third-party system with domain name), because varying spellings can produce multiple license entries.

Configure Basic Authentication access on the ScriptRunner host 

The basic access to the ScriptRunner service is set up on the ScriptRunner host.

For access via HTTPS, a compatible SSL Server certificate must be installed in the Windows certificate store of the ScriptRunner Host.

If the ScriptRunner service runs under the machine account, this is the certificate store of the machine (in PowerShell: Cert:\LocalMachine\My, in the MMC: Certificates [Local Computer]\Personal\Certificates).

To set the STS access port of the ScriptRunner service to Basic Authentication with HTTPS, use the Set-AsrSTSOptions cmdlet (ScriptRunnerSettings PowerShell module).

Example

Set-AsrSTSOptions -AuthMode WINBasic -LocalPort 8092 -SSLCertThumbprint 'a909502dd82ae41433e6f83886b00d4277a32a7b'

In this example, 8092 is the port that the third-party system should address with Basic Authentication, and a909502dd82ae41433e6f83886b00d4277a32a7b is the fingerprint (thumbprint) of the certificate, without spaces or separators.

The fingerprint of the installed certificate can be determined with the command dir Cert:\LocalMachine\My.

The MMC also displays this value, but with spaces and sometimes with invisible separator characters that can cause errors in the cmdlet.
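The following added example (not part of the ScriptRunner documentation) strips spaces and invisible characters from a thumbprint pasted from the MMC and checks the certificate in Cert:\LocalMachine\My before it is passed to Set-AsrSTSOptions. The function name ConvertTo-CleanThumbprint is hypothetical, and the pasted value is constructed from the thumbprint in the example above; replace it with your own.

```powershell
# Constructed sample: the example thumbprint as it might be pasted from the
# MMC dialog, with a leading invisible U+200E mark and spaces between bytes.
$pasted = "$([char]0x200E)a9 09 50 2d d8 2a e4 14 33 e6 f8 38 86 b0 0d 42 77 a3 2a 7b"

# Hypothetical helper (not a ScriptRunner cmdlet).
function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Value)
    # Keep only hex digits; this drops spaces, colons and invisible characters.
    $clean = $Value -replace '[^0-9a-fA-F]', ''
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex digits (SHA-1 thumbprint), got $($clean.Length)."
    }
    return $clean
}

$thumbprint = ConvertTo-CleanThumbprint -Value $pasted

# Look the certificate up in the machine store named on this page.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) {
    throw "No certificate with thumbprint $thumbprint in Cert:\LocalMachine\My."
}

# Checks an HTTPS server certificate should pass before it is bound to the port.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$now = Get-Date
$problems = @()
if (-not $cert.HasPrivateKey) { $problems += 'no private key in the store' }
if ($cert.NotAfter  -lt $now) { $problems += "expired on $($cert.NotAfter)" }
if ($cert.NotBefore -gt $now) { $problems += "not valid before $($cert.NotBefore)" }
# An empty EKU list means the certificate is not restricted to specific purposes.
if ($cert.EnhancedKeyUsageList.Count -gt 0 -and
    $cert.EnhancedKeyUsageList.ObjectId -notcontains $serverAuthOid) {
    $problems += 'EKU does not include Server Authentication'
}
if ($problems) {
    throw "Certificate $thumbprint is not usable: $($problems -join '; ')"
}

# Same call as in the example above, using the thumbprint as stored by Windows.
Set-AsrSTSOptions -AuthMode WINBasic -LocalPort 8092 -SSLCertThumbprint $cert.Thumbprint
```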

Configure the Web Service Connector

The configuration of the Web Service Connector is done in the ScriptRunner AdminApp.
The best practice for Basic Authentication is to configure a delegation that restricts the executable actions of this access exactly to the use cases of the third-party system.

When configuring the delegation for Basic Authentication, the following entries are required, in contrast to the normal Windows-integrated logon:

  • Authorization Method = Claims-based identity
  • Claim-Type = ScriptRunner-WebServiceConnector-Claim
  • Claim Value = The user name (DOMAIN\username) as specified by the third-party system

Delegation via AD groups is not possible for Basic Authentication, because ScriptRunner only checks the validity of the account for each request and not the group memberships in the AD. For each Basic Authentication access account, a separate delegation and a separate Web Service Connector must be configured.

Error analysis

ScriptRunner returns errors that occur during logon, during the authorization check in the Web Service Connector, or when the action is started as HTTP errors with an extended error description (for example, 401 unauthorized, 403 forbidden, 404 not found, 400 bad request).

Such errors can also be traced using web tools such as Fiddler (on the third-party system) or in the ScriptRunner Log (C:\ProgramData\ScriptRunner\Service\Local\Log).

 

More information can be found here:
Connector Settings
Security Token Service settings
