ServiceNow Rest API throwing error (401 UNAUTHORIZED)

Arpit6 · ‎01-25-2019

Hello Experts,

I am using the below command from a unix machine.

curl -v "https://<instancename>/api/now/table/incident?sysparm_query=assigned_to=aea28412db295704e744f1e51d96194c" --request GET --header "Accept:application/json" --header "X-userToken:window.g_ck" --user "username":"password"

And the response I am getting is:

* About to connect() to **********.service-now.com port 443 (#0)
* Trying 149.96.37.37... connected
* Connected to ********.service-now.com (1.9.3.3) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=*.service-now.com,O=ServiceNow,L=San Diego,ST=California,C=US
* start date: Jul 09 13:47:20 2018 GMT
* expire date: Apr 01 14:17:19 2019 GMT
* common name: *.service-now.com
* issuer: CN=Entrust Certification Authority - L1K,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
* Server auth using Basic with user '********'
> GET /api/now/table/incident?sysparm_query=assigned_to=aea28412db295704e744f1e51d96194c HTTP/1.1
> Authorization: Basic WDQ4Njg5MjpSYXZhbGlAMDI=
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: **********.service-now.com
> Accept:application/json
> X-userToken:window.g_ck
>
< HTTP/1.1 401 Unauthorized
< Set-Cookie: JSESSIONID=87F06C59DA9D8FFB5DED9F82DF96F480; Path=/; HttpOnly;Secure
< WWW-Authenticate: none
< X-UserToken-Request: window.g_ck
< X-UserToken-Response: 4ac63d5013d3a300926635528144b048f189c7d1a585d348744333243ea898672cfcdabb
< X-SessionLoggedIn: false
< X-HandleTimeOut: true
< X-AutoResubmit: true
< X-UserToken-AllowResubmit: false
< Pragma: no-store,no-cache
< Cache-control: no-cache,no-store,must-revalidate,max-age=-1
< Expires: 0
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Fri, 25 Jan 2019 11:17:39 GMT
< Server: ServiceNow
< Set-Cookie: BIGipServerpool_*********=226499850.38974.0000; path=/; Httponly; Secure
< Strict-Transport-Security: max-age=63072000; includeSubDomains
< Connection: close
<
* Closing connection #0
{"error":{"message":"User Not Authenticated","detail":"Required to provide Auth information"},"status":"failure"}

I have used the same credentials to login the ServiceNow console and credentials work perfectly fine.

Any help on this matter is much appreciated.

Thanks

Chris McDevitt · ‎01-25-2019

Arpit,

Troubleshooting:

1. Make sure the account is not locked. Double check the password. Test with another account. Use the admin account.

2. Use the Rest API Explorer and use the sample code, start with a simple query:

Working example:
curl "https://<yourinstance>.service-now.com/api/now/table/incident?sysparm_limit=1" \
--request GET \
--header "Accept:application/json" \
--user '<youruser>':'<userspassword>'

3. Try Postman

If this correct or, please mark it as such so others can benefit from our conversation.

scottlewis · ‎01-25-2019

Hi Arpit,

This is not the right community for security related questions. This community is for the ServiceNow Security Operations Products. However, let's see if we can get you going in the right direction. The two reasons you could be getting a 401 that I can think of is a

1) A badly formed URL.

2) Security Settings on your instance.

For #1, I would suggest you first use the "Rest API Explorer" in the instance to craft your request. You can find this module in the left side navigation in your instance. Remember to use an encoded query in the parameters of your request.

For #2, I would suggest you review the security around REST APIs and see if there are any additional roles that are needed for you to access the the API - https://docs.servicenow.com/bundle/london-application-development/page/integrate/inbound-rest/concept/rest-api-security.html

Finally, I used the REST API to generate a similar query and here is the cURL request for it:

curl "https://<Instance Name>.service-now.com/api/now/table/incident?sysparm_query=assigned_to%3D5137153cc611227c000bbd1bd8cd2007&sysparm_limit=1" \
--request GET \
--header "Accept:application/json" \
--user 'admin':'admin'

Good Luck!

Alex Cox · ‎01-25-2019

Hi there,

The posts above should get you going, but if it helps - I "think" the reason why your previous attempt was not working is that you are trying to authenticate in two different ways: both with a user token and a user/password.

If you simply remove this argument --header "X-userToken:window.g_ck" and provide a working user/pass you should be good.

Alex

Arpit6 · ‎01-27-2019

Thanks Ales/Chris/Scott for your replies. I have tried few option but none has worked so far. Here is the detail:

a) The servicenow instance that I use does not have the Rest API explorer tab on the left. So I can't use that to prepare the curl script. However I have tested the same command with different hostname and credentials (pointing it to another instance) and it works perfectly fine there. So I don't think it is an issue with the format of the command.

b) I used this additional header after reading a few blogs. (--header "X-userToken:window.g_ck") however even if I don't use this header, it is still a failure.

c) The user account is not locked as I use the same credentials to login the Servicenow UI and it works.

curl -v "https://***********.service-now.com/api/now/table/incident?sysparm_query=assigned_to=aea28412db295704e744f1e51d96194c&sysparm_limit=1" \
--request GET \
--header "Accept:application/json" \
--user "********":"**********"

Above is the latest command I used that still gives the same error. I think it could be due to some role or permissions.

Could you please tell me which role will definitely provide the REST API access so that I can ask the Servicenow Admin to assign that role to the user.

I have another instance where I can successfully execute REST API and it has the following roles assigned to the user.

app_service_user
certification
cmdb_query_builder
dependency_views
evt_mgmt_operator
evt_mgmt_user
filter_group
flow_operator
itil
global_tags_creator
image_admin
sam_core_user
template_editor
template_editor_global
timeline_user
u_lab_user
view_changer
x_spog_as_minor_ch.asmc_view

Thanks