Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Error retrieving authentication token - when trying to get a token using powershell and the API

YasserA
Beginner

Dear Sir or Madam,

 

We are on Intel EMA version 1.12.2.0

I have logged into the tenant Windows server as tenant admin, with a cloud/AD hybrid account.

 

I have opened an admin PowerShell ISE instance.

 

I have opened and modified and saved:

EMA_API-CreateOrDeleteClientCredentialsForTenant.ps1

 

But when I try to create a client ID token, I get the following:

-----------------

PS D:\> D:\EMA_API-CreateOrDeleteClientCredentialsForTenant.ps1
Target Intel(R) EMA Server = https://ourserver.city.ac.uk
Invoke-RestMethod : {"error":"invalid_grant","error_description":"The user name or password may be incorrect, or the
account may be locked."}
At D:\EMA_API-CreateOrDeleteClientCredentialsForTenant.ps1:65 char:14
+ ... $token = Invoke-RestMethod -Uri "$emaServerURL/api/token" -Method ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
Error retrieving authentication token.

-------------------

I used as instructions:

https://www.intel.com/content/www/us/en/support/articles/000090097/software/manageability-products.html

 

Can you please help? What am I doing wrong?

 

Kindest regards

 

Yasser

10 Replies
MIGUEL_C_Intel
Moderator

Hello, Yasser,


Do you mind confirming if you are using Azure AD Authentication (Entra)? 


Look forward to your reply.


YasserA
Beginner

Hi Miguel,

 

Yes, I've added the -useccauth parameter too, to no avail.

 

Kindest regards

 

Yasser

YasserA
Beginner

Yes, it is an Azure AD account... Our main purpose is to get the EMA_API-CreateOrDeleteClientCredentialsForTenant.ps1 script working, and to do this we need client credential tokens, so I've tried to generate them and it doesn't seem to work for me...

MIGUEL_C_Intel
Moderator

Hello, Yasser,


Azure AD is supported by EMA; however, in these instances, it is not possible to use APIs to retrieve a token for a user. Client credentials authentication is an available alternative for these instances; it is explained in the Intel® EMA API Guide.pdf available in the Intel® EMA zip file.


Intel® Endpoint Management Assistant (Intel® EMA) v 1.13.0.0

https://www.intel.com/content/www/us/en/download/19449/intel-endpoint-management-assistant-intel-ema.html


Regards,

Miguel C.

Intel Customer Support Technician


YasserA
Beginner

Dear Miguel,

 

I quote from section 2.2 from the API document:

 

2.2 Azure AD Authentication

Note: Azure AD authentication requires the Azure AD setup procedure that is documented in the installation prerequisites section of the Intel® EMA Server Installation and Maintenance Guide. Currently, Azure AD user login is supported only for direct interactions with the Intel EMA web interface. On Intel EMA instances configured to use Azure AD authentication, it is not possible for external applications or scripts to retrieve a token for an Azure AD user using the REST API. API integrations implementing authentication via Client Credentials will work on all Intel EMA instances, including those configured to use Azure AD login. API actions available to Client Credentials are limited. See the online API documentation on any Intel EMA instance at https:///swagger for details. API integrations implementing user login via Password and/or Windows Domain authentication will continue to work with Intel EMA instances configured to use those authentication methods.

 

I have gone to the swagger page and got this:

Submits a batch request to perform an out of band PowerOn operation on multiple endpoints

Roles required: Tenant Administrator, Client Credentials Endpoint Manager, User in a User Group with HasPowerOperationsAccess associated to target Endpoint Group

 

So how would I use this with an Azure AD account and PowerShell? How does authentication via client credentials work on this? Can you please give clear and comprehensive instructions for this?

 

We created PowerShell scripts that turned on machines, but they are broken since we've moved to Azure AD authentication, so we're trying to fix these scripts.

 

Could it not be working because I used a Tenant Administrator account instead of an Endpoint Manager account?

 

Many thanks for all your help!

 

Kindest regards

 

Yasser

 

YasserA
Beginner

Dear Miguel,

 

Sorry for being impatient, but is there any update to my latest response?

 

Many thanks for your guidance!

 

Kindest regards

 

Yasser

MIGUEL_C_Intel
Moderator

Hello, Yasser,


You need to use the client credentials for Azure AD (Azure Entra) instead of the tenant.


It is possible to do this by going to https://www.city.ac.uk/samples/RestAPI/AccessToken.html, for example (the server name may be different), scrolling to the bottom of the page and using the Client credentials, since you are using Azure Entra. The Client ID is in xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx format. You will need both an Entra Client ID and a Client secret.


Regards,

Miguel C.

Intel Customer Support Technician


MIGUEL_C_Intel
Moderator

Hello, Yasser,


By any chance, have you been able to test our last recommendation?


Regards,

Miguel C.

Intel Customer Support Technician



YasserA
Beginner

Dear Miguel,

 

I seem to have had some luck. For anyone with the same issue: I copied the sample folder from the decompressed installer files to a test Intel EMA environment, into this folder of the test environment: C:\inetpub\wwwroot.

 

Then I logged into the Intel EMA console on the test environment in a browser with a Tenant Administrator account, and then in a separate tab opened:

https://testenvironment.uk/Samples/RestApi/ClientCredentials.html

and selected the checkbox at the top saying Enable Session Cookie...

 

Then I went to the Post Credentials section:
Scope: I chose EndpointManager
Client secret: I made up a password with capitals, special characters and mixed case
Token lifetime: I chose 24
Max failed login attempts: I chose 10

I pressed the blue Post Credentials button and got a response...

What I needed from the resulting credentials box was the client_id, and I needed to remember the password I inputted...

Then I logged into the Intel EMA host as the Azure hybrid account that was Tenant Administrator and ran a PowerShell session
to test my new credentials:

.\Set-IntelEMAEndpointPowerState.ps1 -emaServerURL ourintelEMAserver.uk -emaAPIVersion latest -powerState PowerOn -hostname TESTHOST -useCCAuth -verbose

It prompted for the client ID and secret, which I entered, and the script worked!

Many thanks Miguel!

I appreciate it!

Have a great day/night!

 

The only thing I forgot is how I managed to get the tenant ID. Can you remind me of that, Miguel, to make it a complete answer?

For what it's worth, this is what seems to work for me.

 

Kindest regards

 

Yasser

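Putting the client-credentials flow from the posts above into a script, as an added example that is not from the thread or from Intel's sample scripts: it requests a token from the same /api/token endpoint the original error came from, keeps the client secret in a SecureString instead of a plain-text parameter, and surfaces the server's JSON error body (such as invalid_grant) rather than a bare WebException. The form-field names grant_type, client_id and client_secret are an assumption about the EMA token endpoint; confirm them against the Intel EMA API Guide for your version.

```powershell
# Added example, not Intel's code. ASSUMPTION: the token endpoint accepts
# OAuth2-style form fields grant_type / client_id / client_secret.
param(
    [Parameter(Mandatory)] [string] $EmaServerUrl,        # e.g. https://ema.example.invalid (placeholder)
    [Parameter(Mandatory)] [string] $ClientId,            # xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx from ClientCredentials.html
    [Parameter(Mandatory)] [securestring] $ClientSecret   # prompted securely, never typed in clear on the command line
)

function Get-EmaClientCredentialsToken {
    param([string] $ServerUrl, [string] $Id, [securestring] $Secret)

    # Decrypt the SecureString only for the duration of the request and zero it afterwards.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secret)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $body  = @{ grant_type = 'client_credentials'; client_id = $Id; client_secret = $plain }
        try {
            $resp = Invoke-RestMethod -Uri "$ServerUrl/api/token" -Method Post -Body $body `
                        -ContentType 'application/x-www-form-urlencoded' -ErrorAction Stop
        } catch {
            # Invoke-RestMethod throws on 4xx; the JSON body ({"error":"invalid_grant",...})
            # is in ErrorDetails, or else still readable from the response stream.
            $detail = $_.ErrorDetails.Message
            if (-not $detail -and $_.Exception.Response) {
                $reader = New-Object IO.StreamReader($_.Exception.Response.GetResponseStream())
                $detail = $reader.ReadToEnd()
            }
            throw "Token request to $ServerUrl failed: $detail"
        }
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        Remove-Variable plain, body -ErrorAction SilentlyContinue
    }
    if (-not $resp.access_token) { throw 'Token response did not contain access_token.' }
    return $resp
}

$token   = Get-EmaClientCredentialsToken -ServerUrl $EmaServerUrl.TrimEnd('/') -Id $ClientId -Secret $ClientSecret
# Bearer header for the subsequent API calls (e.g. the out-of-band PowerOn batch request quoted in the thread).
$headers = @{ Authorization = "Bearer $($token.access_token)" }
Write-Verbose "Client-credentials token obtained from $EmaServerUrl"
```

Because a Client Credentials identity cannot act as a Tenant Administrator, choose the scope (EndpointManager in the thread) to match the API actions the script actually needs and nothing more.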
MIGUEL_C_Intel
Moderator

Hello, Yasser,


Using Azure Entra has this limitation: the Tenant ID is missing. We need to use the option below:


Scroll to the bottom of the page and use the Client credentials now since you are using Azure Entra. Client ID is in xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx format. You will need both an Entra Client ID and a Client secret.


Regards,

Miguel C.

Intel Customer Support Technician

