
Problem with Authenticating in SafeGuard API

Hello,

I am currently using Sophos SafeGuard Enterprise 6.00.1.

I've been trying to use the SafeGuard API, and some test scripts were working when running directly from my SafeGuard Server running Windows Server 2003. Those scripts were authenticating using the AuthenticateService() method since it was on the server.

I'm trying to now run some of these test scripts from another machine, which has SafeGuard Management Center 6.00.1 installed (and .NET 4.5). However, I am running into authentication errors. Here is a sample snippet from my code.

Option Explicit
On Error Resume Next

Dim msoName
Dim sgnPassword
Dim result, ret
Dim Scripting, ScriptingDirectory, ScriptingCertificates
Dim ErrorText

msoName = "MasterSecurityOfficer@MYDOMAIN"
sgnPassword = "Sp3ci4lPa55word!"

Set Scripting = WScript.CreateObject("Utimaco.SafeGuard.AdministrationConsole.Scripting.Base")
ret = Scripting.GetLastError(ErrorText)
wscript.Echo("Created Base Object - " & ErrorText)

result = Scripting.Initialize()
ret = Scripting.GetLastError(ErrorText)
wscript.Echo("API init " & result & " " & ErrorText)
result = Scripting.AuthenticateOfficer(msoName, sgnPassword, "")
ret = Scripting.GetLastError(ErrorText)
wscript.Echo("Authentication " & result & " " & ErrorText)

' Returns:
' Created Base Object - OK
' API init 0 OK
' Authentication -6 Certificate not found.

The error I am getting is -6, which is NOT_AUTHENTICATED. The password stored in sgnPassword is correct, as I can launch the management center program with that password. Additionally, I am logged in with that current user.

The error text is Certificate not found.

I am running this script on a Windows 7 x64 machine, but am invoking my VBS script from %SYSTEMROOT%\SysWOW64\cscript.exe so there isn't a "bitness" error going on. The MSO I am referencing in the script has Token Logon set to None.

Any idea on what I need to pass to get authenticated?

Additionally, if anyone could provide some insight on how to load the SafeGuard API into PowerShell, that would also be great. Thank you.

=======================

EDIT: I figured out how to add the assembly in PowerShell; the hard part was figuring out where the DLL was. The command I ran in PowerShell x86 2.0 is

Add-Type -Path C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Utimaco.SafeGuard.AdministrationConsole.Scripting\v4.0_6.0.1.31__477ad77cf9ac4e6c\Utimaco.SafeGuard.AdministrationConsole.Scripting.dll

This is after I added .NET 4.0 runtime support, of course (see here - http://stackoverflow.com/questions/2094694/how-can-i-run-powershell-with-the-net-4-runtime)

=======================

EDIT 2: One thing I'm not too sure of is whether I have to pass the company certificate or the MSO certificate through the .conf file the documentation says is optional.

I was able to export both of the .cer/.p12 files and have placed them in the same directory as the .vbs script, but I still get the -6, Certificate Not Found error.

To give a more succinct description of my questions:

  1. Are there some better examples for the AuthenticateOfficer command for the SafeGuard API?
  2. Additionally, is there an example of how to format a .conf file to be used in the AuthenticateOfficer command?

=======================

  • I emailed Sophos' support staff, and after some escalation I was able to get the answer.

    I had been trying to authenticate with a user account that was imported from Active Directory (AD), and then promoted to a Master Security Officer (MSO). Well, the command for that isn't AuthenticateOfficer. The command is:

          Int32 Base::AuthenticateWHDOfficer(string OfficerName, string Password)

          Description - Authenticates Web Helpdesk officers by their P12 file stored in the database.

    I don't see at all how the Web HelpDesk product is related to an AD imported MSO, but it works for me.

    The original command I was using, AuthenticateOfficer, only works with a manually created MSO. That is, an MSO that wasn't imported from AD.

    Still don't have any direction on how to create the .conf file, but at least I can connect now.

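Added example, not part of the original thread and not Sophos' own code: a PowerShell version of the login that prompts for the officer password instead of storing it in the script, tries AuthenticateOfficer first and falls back to AuthenticateWHDOfficer on -6, as the answer above describes for AD-imported officers. Connect-SgnOfficer, Get-SgnError and $SgnDll are hypothetical names; it assumes the x86 PowerShell session with .NET 4 support from the post, that 0 means success for the authentication calls as it does for Initialize(), and that GetLastError takes its text argument by reference in .NET as it does in the VBScript call.

```powershell
# Added example; function and variable names are hypothetical.
# DLL path as given in the post (SafeGuard Management Center 6.00.1).
$SgnDll = 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Utimaco.SafeGuard.AdministrationConsole.Scripting\v4.0_6.0.1.31__477ad77cf9ac4e6c\Utimaco.SafeGuard.AdministrationConsole.Scripting.dll'

function Get-SgnError($Api) {
    # Assumption: GetLastError fills a by-reference string, as in the VBScript call.
    $text = ''
    [void]$Api.GetLastError([ref]$text)
    return $text
}

function Connect-SgnOfficer {
    param([Parameter(Mandatory = $true)][string]$OfficerName)

    Add-Type -Path $SgnDll
    $api = New-Object Utimaco.SafeGuard.AdministrationConsole.Scripting.Base
    $rc = $api.Initialize()
    if ($rc -ne 0) { throw "Initialize failed ($rc): $(Get-SgnError $api)" }

    # Prompt for the password so it never sits in the script file or its history.
    $secure = Read-Host -Prompt "Password for $OfficerName" -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        # The API takes a plain string, so decode only for the duration of the calls.
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        # Manually created officers; third argument left empty as in the post.
        $method = 'AuthenticateOfficer'
        $rc = $api.AuthenticateOfficer($OfficerName, $plain, '')
        if ($rc -eq -6) {
            # -6 is NOT_AUTHENTICATED; AD-imported officers use the WHD call.
            $method = 'AuthenticateWHDOfficer'
            $rc = $api.AuthenticateWHDOfficer($OfficerName, $plain)
        }
    }
    finally {
        # Wipe the unmanaged copy and drop the managed reference.
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plain = $null
    }
    if ($rc -ne 0) { throw "$method failed ($rc): $(Get-SgnError $api)" }
    Write-Host "Authenticated via $method"
    return $api
}
```

Call it as `$api = Connect-SgnOfficer -OfficerName 'MasterSecurityOfficer@MYDOMAIN'`. Because of the fallback, a mistyped password results in two failed authentication attempts rather than one.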