GET request works in browser, but I get Unauthorized when using Postman

Question

I am issuing a request via chrome:

[org]/api/data/v8.1/accounts?$select=name,accountid&$top=3

and I get a reasonable response:

{
  "@odata.context":"[org]/api/data/v8.1/$metadata#accounts(name,accountid)","value":[
    {
      "@odata.etag":"W/\"769209\"","name":"Telco","accountid":"c6ed63e0-9664-e411-940d-00155d104b35"
    },{
      "@odata.etag":"W/\"752021\"","name":"Fourth Coffee","accountid":"d1eefc0a-3ebc-e611-80be-24be051ac8a1"
    },{
      "@odata.etag":"W/\"768036\"","name":"Fourth Coffee","accountid":"3cbb8d24-20bd-e611-80c0-24be051ac8a1"
    }
  ]
}

However, when attempting to do the same GET through postman, I am getting a 401 unauthorized!

I've tried with no headers at all, as well as basic auth:

Authorization:Basic Y2hybGFiXxxxxxxxxxxxxxcmQxMjM=

What am I doing wrong? Is there something I need to change within CRM to allow me to do GETs from postman?

The following are headers that Chrome uses (got this from DevTools):

• Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
• Accept-Encoding:gzip, deflate, sdch
• Accept-Language:en-US,en;q=0.8
• Authorization:Negotiate TlRMTVNTUAADAAAAGAAYAIoAAABkAWQBogAAAAwADABYAAAADgAOAGQAAAAYABgAcgAAABAAEAAGAgAAFYKI4gYBsR0AAAAPai35LURprYMgYVSwMQXi/2MAaAByAGwAYQBiAGEAZwBvAHIAZABvAG4ASABPAFUALQBXAFMALQBBAEcATwBSAEQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAd0avVN8acJQKvlSN8hYrSgEBAAAAAAAAoBg7uZi80gEIIthtN5clBAAAAAACAAYARABFAFYAAQAUAEIAQQBOAEMAUgBNADIAMAAxADYABAAcAGQAZQB2AC4AYwBoAHIAbABhAGIALgBpAG4AdAADADIAQgBBAE4AQwBSAE0AMgAwADEANgAuAGQAZQB2AC4AYwBoAHIAbABhAGIALgBpdddddddddddddddbABhAGIALgBpAG4AdAAHAAgAoBg7uZi80gEGAAQAAgAAAAgAMAAwAAAAAAAAAAEAAAAAIAAAccTLbO5YZuNnhdCDsjPCg1YXJuNv0XuASIhHrWWBg7kKABAAAAAAAAAAAAAAAAAAAAAAAAkAPABIAFQAVABQAC8AYgBhAG4AYwByAG0AMgAwADEANgAuAGQAZQB2AC4AYwBoAHIAbABhAGIALgBpAG4AdAAAAAAAAAAAAAAAAACtRrU1oDZ/XXRVVEUuj0yT
• Cache-Control:max-age=0
• Cookie:ReqClientId=42484e9a-f488-41a9-a016-1cd6e5820b3c
• Host:myhost....
• Proxy-Connection:keep-alive
• Upgrade-Insecure-Requests:1
• User-Agent:Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Mobile Safari/537.36

Answer 1

In my case in .NET project i had two different authentication schemes in my Startup.cs . I removed the older one and added its auth services and it worked.

Answer 2

If request works from the browser, then no authentication was used.
So, in Postman, for Authentication, use No Auth. :-)

Answer 3

I used the following steps and it was ok. Follow the steps, below:

1. Open Google Chrome
2. Install Postman Extention
3. Install Postman's Interceptor Extention
4. Open Postman Extention
5. Use Sync
6. Use Interceptor

Answer 4

This solved my issue. In Postman, I copied the Access Token from Authorization tab and I have selected "No Auth" Type. Then, I moved to Headers tab, Under Headers section, I have provided new Key with Name "Authorization" and in the Value I have passed my TOKEN prefix with Bearer.See the below screenshot

Answer 5

These helped me.

1. Check that it is NTLM authentication both in postman and in the page hosted it is checked.

2. Use method post

3. Username and password(which you have set and need not be the access key)

Answer 6

Try putting quotes around your url:

curl '[org]/api/data/v8.1/accounts?$select=name,accountid&$top=3'

The &, $, = etc. may be causing problems - I had the same problem and putting quotes was the resolution

Answer 7

You are trying to access from the postman chrome extension or through the postman( windows based) installed application on your system.Try to fetch the data from chrome extension.

Answer 8

First, login into CRM and leave the tab sitting there.

Go into POSTMan

Enable the Interceptor (see image)

Enter the URL and hit SEND, just like that. POSTMan will take care of cookies and headers on its own, and you'll see the results.

If you logout from CRM, POSTMan will obviously no longer be able to issue the requests and will return 401 instead.

Answer 9

It seems like the server you are calling requires RFC 4559 (https://www.rfc-editor.org/rfc/rfc4559) authentication. More details here: https://en.wikipedia.org/wiki/SPNEGO.

The way it works in the case of a GET request from the browser:

1. Browser requests the required page
2. The server responds with HTTP 401 (Unauthorized) and provides a response header WWW-Authenticate: Negotiate. This tell the browser that RFC 4559 authentication is required.
3. The browser makes sure the site has permissions for this action (details on configuration here: https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Kerberos-NTLM). Most sites will not be allowed to request such authorization without being explicitly white-listed.
4. If permitted, the browser requests a Kerboros ticket from the domain's Active Directory.
5. Active Directory responds with a ticket.
6. The browser forward the ticker to the server (via the Authotizarion: Negotiate xxxxx header that you see).
7. The server interacts with the same Active Directory and turns that ticket into username and groups/permissions information.

I am not aware of a tool that will let you do this (simulate a browser) if you are trying to automate requests against the server (which is probably an internal/intranet company site). Your best course of action may be some form of scripting (like VBS) which will use IE via COM and possibly handle this authentication for you (I have not done this, so not sure if it will indeed work).