401 Unauthorized to access PAPI - Isilon array discovery
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-23-2025 03:19 PM
Hi Everyone,
We are trying to discover Isilon devices but we are getting errors in the pattern, sample below
HTTP request failed for credential with username: <username> - status: 401 - body:
<html> <head> <title>401 Unauthorized to access PAPI.</title> </head>
I did see this KB article Invalid username/password error during EMC Isilon discovery - Support and Troubleshooting which mentioned the needed credentials and access for the account and we were able to validate that the active directory account we are using is included on the group with the privileges below
- ISI_PRIV_LOGIN_PAPI
- ISI_PRIV_AUTH
- ISI_PRIV_DEVICES
- ISI_PRIV_NETWORK
- ISI_PRIV_NFS
- ISI_PRIV_SMARTPOOLS
- ISI_PRIV_SMB
How will we able to check if the accounts have rest capabilities for isilon as mentioned below and what could still be the issue
- "https://" + $host + ":8080/platform/3/cluster/config”
- "https://" + $host + ":8080/platform/3/network/interfaces”
- "https://" + $host_ip + ":8080/platform/3/cluster/nodes/”
- “https://” + $host + ":8080/platform/3/zones”
- "https://" + $host + ":8080/platform/3/network/pools”
- "https://" + host_ip + ":8080/platform/3/cluster/nodes/”
- "https://" + $host + ":8080/platform/3/storagepool/nodepools”
- "https://" + $host + ":8080/platform/3/storagepool/storagepools”
- "https://" + $host + ":8080/platform/3/protocols/nfs/exports”
- "https://" + $host + ":8080/platform/3/protocols/smb/shares"
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-07-2025 08:13 AM
Hi @edosky ,
As per my understanding your Issue Recap is
You’re receiving:
HTTP request failed for credential with username: <username> - status: 401
Despite having confirmed the AD account is part of the required Isilon privilege groups like:
* ISI_PRIV_LOGIN_PAPI
* ISI_PRIV_AUTH
* ISI_PRIV_DEVICES
But REST calls to endpoints like:
https://<host>:8080/platform/3/cluster/config
still return unauthorized.
Root Cause Analysis & Fix Strategy
1. Double-check Credential Format & Method
Even if the account is valid, Isilon often expects Basic Auth with REST API tokens or Kerberos/AD SSO depending on how your cluster is configured.
Confirm:
* The credentials you're using are Local or AD credentials and support REST API (PAPI) access.
* The user must explicitly be allowed API access, not just UI login.
2. Confirm API Access Using CURL (Outside ServiceNow)
Run the following from a jump box or MID Server:
curl -u <username>:<password> -k https://<host>:8080/platform/3/cluster/config
* If you still get 401: the account doesn’t have actual API access, or Isilon isn’t accepting that credential format for PAPI.
* If it works: Then the problem is within ServiceNow Discovery configuration or MID Server SSL trust.
3. Verify Required REST Role/Group in Isilon
You may be missing key PAPI privileges. In addition to the ones you listed, confirm the user has:
* ISI_PRIV_PLATFORM_API — often missed but required for full PAPI REST calls.
* Some versions of Isilon require explicit REST access for AD accounts via group mapping or local override.
You can validate this using the Isilon CLI:
isi auth roles view <username>
Or:
isi auth user view <username>
4. Check for TLS/SSL or Port Restrictions
* Ensure port 8080 is open from MID Server to Isilon device.
* Check if Isilon is redirecting HTTP → HTTPS, which may break patterns unless configured to follow redirects.
* Try port 8443 or 443 if 8080 isn’t working in your setup.
5. MID Server Trust Issues (TLS Handshake)
* Make sure MID Server trusts Isilon’s certificate (especially for HTTPS).
* You can import Isilon’s public cert into the MID Server’s Java keystore.
6. Pattern Debugging in ServiceNow
Go to:
Pattern Designer → Run pattern in debug mode (Test on IP)
* Check which step fails
* Examine the HTTP headers & auth type
* Validate how credentials are being passed (Basic, NTLM, Bearer, etc.)
| Step | Description |
| Check Credential Permissions | Ensure user has ISI_PRIV_PLATFORM_API and not just UI login roles. |
| Use CURL to Test API Access | Confirm external access via command line outside SN. |
| Verify Auth Method in Discovery Credentials | Use HTTP credentials with correct method (Basic/NTLM). |
| Test in Pattern Debug Mode | Identify exact HTTP step where it fails. |
| Check if SSL Trust Fails on MID | Import Isilon cert into MID if needed. |
| Try Alternate Ports | Some setups use 8443 or 443 over 8080. |
| Read EMC KBs / REST API Docs | Check Isilon’s documentation for any recent API access changes. |
Next Actions
1. Confirm the user can access the REST endpoint via curl.
2. Add ISI_PRIV_PLATFORM_API if missing.
3. Ensure HTTP Discovery Credentials are set with correct Auth Type.
4. Use MID Server logs (\agent\logs\agent.log) to check full request & response trace.
Please appreciate the efforts of community contributors by marking appropriate response as Mark my Answer Helpful or Accept Solution this may help other community users to follow correct solution in future.
Thank You
AJ - TechTrek with AJ - ITOM Trainer
LinkedIn:- https://www.linkedin.com/in/ajay-kumar-66a91385/
YouTube:- https://www.youtube.com/@learnitomwithaj
Topmate:- https://topmate.io/aj_techtrekwithaj (Connect for 1-1 Session)
ServiceNow Community MVP 2025
