Zabbix 7.2 API authentication problem from Powershell

  • Petr N.
    Junior Member
    • Feb 2025
    • 5

    #1


    Hi, after upgrade to Zabbix 7.2 our Powershell scripts stopped working, because we were using "auth" parameter for all requests (API methods) and that parameter was removed.

    I can successfully get auth token and then I use
    Code:
    $header = @{ "Authorization" = "Bearer $authToken"}
    $response = Invoke-RestMethod $url -ContentType "application/json-rpc; charset=utf-8" -Method Post -Headers $header -Credential $credentials -Body ([System.Text.Encoding]::UTF8.GetBytes($jsonRequest))
    After that the
    Code:
    $response.error
    is
    Code:
    code=-32602; message=Invalid params.; data=Not authorized.
    So I created my own file inside Zabbix folder (/user/share/zabbix/ui) just to return HTTP headers to see, if the Bearer authentication hits Zabbix PHP code (running on Apache). I have previously added
    Code:
    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    to my apache2.conf

    To my surprise I get these HTTP headers
    Code:
    HTTP_AUTHORIZATION = Negotiate YIIJAwYGKwYBBQUCoIII9zCCCPOg <shortened>
    HTTP_USER_AGENT = Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.7693
    HTTP_HOST = zabbix.mydomain.tld
    Notice the Negotiate authorization instead of Bearer

    If I run just
    Code:
    $response = Invoke-RestMethod $url -ContentType "application/json-rpc; charset=utf-8" -Method Post -Headers $header -Body ([System.Text.Encoding]::UTF8.GetBytes($jsonRequest))
    (omitting the
    Code:
    -Credential $credentials
    parameter) I get response:
    Code:
    Invoke-RestMethod :
    
    401 Unauthorized
    
    Unauthorized
    This server could not verify that you
    are authorized to access the document
    requested.  Either you supplied the wrong
    credentials (e.g., bad password), or your
    browser doesn't understand how to supply
    the credentials required.
    which seems to me to be an Apache error message and not one from Zabbix.
    So my question is, how do I authenticate to Zabbix from that Powershell script?
    FYI we are using HTTP authentication to Zabbix UI, hence the Negotiate authentication. Would some URL rewrite work (changing the Authorization header on Apache)?
  • Petr N.
    Junior Member
    • Feb 2025
    • 5

    #2

    UPDATE:
    According to this question https://www.zabbix.com/forum/in-russ...api-powershell I tried to use session with a cookie to authorize to Zabbix API
    Code:
    $zabbixDomain = "https://" + $ZabbixServer
    $session = New-Object -TypeName Microsoft.PowerShell.Commands.WebRequestSession
    $cookie = New-Object -TypeName System.Net.Cookie
    $cookie.Name = "zbx_session"
    $cookie.Value = $authToken
    $session.Cookies.Add($zabbixDomain,$cookie)
    I can see, that the cookie is set on my test page inside Zabbix web site
    Code:
    HTTP_AUTHORIZATION = Negotiate YIIJAgYGKwYBBQUCoIII9j <shortened>
    HTTP_USER_AGENT = Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.7783
    HTTP_HOST = zabbix.mydomain.tld
    HTTP_COOKIE = zbx_session=7b3e68a959b43f47df0a224fdc8a6692
    but it makes no difference, the result is always the same
    Code:
    code=-32602; message=Invalid params.; data=Not authorized.
    It's not clear to me, whether the cookie name should be "zbx_sessionid" as in the linked problem, or just "zbx_session" which is written in the documentation https://www.zabbix.com/documentation/7.2/en/manual/api (if I understand it correctly)

    I have tried both but neither works. Do you have a working example how to use the session cookie to authorize yourself to Zabbix API ?

    Btw. the Zabbix account I'm using to authenticate is shown as "online" in Zabbix UI with recent last logon datetime so I don't think there's any problem with the account. I can get the token just fine. My problem is, how to use it.


    • Petr N.
      Junior Member
      • Feb 2025
      • 5

      #3

      UPDATE 2:
      Authentication with the cookie seems to be a dead end. Back to the Bearer authentication, I got another idea, which is a bit of a hack (workaround) - set no authentication for just one file (api_jsonrpc.php) in Apache and leave the rest of the site with default (Kerberos) authentication. And I succeeded. The key part of the Apache config is:
      Code:
      <Directory "/usr/share/zabbix/ui">
             <Files api_jsonrpc.php>
                 AuthType none
                 Order allow,deny
                 Allow from all
                 Satisfy any
             </Files>
      </Directory>
      I added that part inside our zabbix.conf file as follows:
      Code:
      <VirtualHost *:443>
              LimitRequestFieldSize 65536
              LimitRequestLine 65536
              LimitRequestFields 1024
              ServerAdmin webmaster@localhost
              ServerName zabbix.mydomain.tld
              DocumentRoot /usr/share/zabbix/ui
              <Location />
                              Options FollowSymLinks
                              AllowOverride None
                              AuthType  GSSAPI
                              AuthName "Kerberos Login"
                              GssapiCredStore keytab:/etc/apache2/security/zabbix.keytab
                              GssapiBasicAuthMech krb5
                              require valid-user
              </Location>
      
              <Directory "/usr/share/zabbix/ui">
                  <Files api_jsonrpc.php>
                      AuthType none
                      Order allow,deny
                      Allow from all
                      Satisfy any
                  </Files>
              </Directory>
      
      # other config here
      </VirtualHost>
      With that config in place I was able to use the Bearer authentication I wrote earlier
      Code:
      $header = @{ "Authorization" = "Bearer $authToken"}
      $response = Invoke-RestMethod $url -ContentType "application/json-rpc; charset=utf-8" -Method Post -Headers $header -Credential $credentials -Body ([System.Text.Encoding]::UTF8.GetBytes($jsonRequest))
      I still wonder what is the recommended way of accessing the API if I wasn't able to change Apache configuration (and therefore couldn't use the Bearer authentication header). Previously used auth parameter seemed perfect to me and I haven't found anywhere mentioned why it has been removed.

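The Bearer-token flow discussed in this thread, as an added example that is not part of any post: it calls user.login, sends the token in the Authorization header without -Credential, and separates a web-server 401 from a Zabbix JSON-RPC error. The function name Invoke-ZabbixApi, the placeholder URL and the host.get call are assumptions, and the example presumes api_jsonrpc.php is reachable without web-server authentication.

```powershell
# Added example. Invoke-ZabbixApi and the URL below are illustrative names.
function Invoke-ZabbixApi {
    param(
        [Parameter(Mandatory)] [string] $ApiUrl,
        [Parameter(Mandatory)] [string] $Method,
        [object] $Params = @{},
        [string] $Token   # leave empty for user.login
    )
    $headers = @{}
    if ($Token) { $headers['Authorization'] = "Bearer $Token" }
    $json = @{ jsonrpc = '2.0'; method = $Method; params = $Params; id = 1 } |
        ConvertTo-Json -Depth 10 -Compress
    try {
        # No -Credential or -UseDefaultCredentials: the only Authorization
        # header sent is the Bearer token built above.
        $response = Invoke-RestMethod -Uri $ApiUrl -Method Post -Headers $headers `
            -ContentType 'application/json-rpc; charset=utf-8' `
            -Body ([System.Text.Encoding]::UTF8.GetBytes($json))
    }
    catch {
        # A 401 here comes from the web server (for example Kerberos/GSSAPI
        # in front of the site), not from Zabbix.
        if ([int]$_.Exception.Response.StatusCode -eq 401) {
            throw "HTTP 401 from the web server: request never reached the Zabbix API."
        }
        throw
    }
    # Zabbix reports its own failures as a JSON-RPC error object in the body.
    if ($response.error) {
        $e = $response.error
        throw "Zabbix API error $($e.code): $($e.message) $($e.data)"
    }
    $response.result
}

$apiUrl = 'https://zabbix.example.com/api_jsonrpc.php'   # placeholder URL
$cred   = Get-Credential                                 # Zabbix account
$token  = Invoke-ZabbixApi -ApiUrl $apiUrl -Method 'user.login' -Params @{
    username = $cred.UserName
    password = $cred.GetNetworkCredential().Password
}
try {
    Invoke-ZabbixApi -ApiUrl $apiUrl -Method 'host.get' -Token $token `
        -Params @{ output = @('hostid', 'host'); limit = 5 }
}
finally {
    # End the API session so the token cannot be reused.
    Invoke-ZabbixApi -ApiUrl $apiUrl -Method 'user.logout' -Token $token -Params @() | Out-Null
}
```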

      • levon74
        Junior Member
        • Aug 2021
        • 6

        #4
        Petr, you saved me days of troubleshooting, I had the same issue as you and building the header did the trick (haven't touched the zabbix config though), thank you for that.
        And a good question, if that's how Zabbix is expecting the API authentication to be used, would be interesting to hear from them or find it in the docos.
        Thanks again.


        • cyber
          Senior Member
          Zabbix Certified Specialist, Zabbix Certified Professional
          • Dec 2006
          • 4806

          #5
          Cookie is used only if queried from UI, by javascript or widget..
          External script is not using it... as long as I understand docs... There you either use user.login to obtain that token or generate one in UI and use it.


          • Petr N.
            Junior Member
            • Feb 2025
            • 5

            #6
            Originally posted by cyber
            Cookie is used only if queried from UI, by javascript or widget..
            External script is not using it... as long as I understand docs... There you either use user.login to obtain that token or generate one in UI and use it.
            I tried to use the cookie because I wasn't successful authenticating with the Bearer token authentication. My problem wasn't obtaining the token (user.login works just fine), but using it (when I added Authorization header with the Bearer token, it was overridden by Kerberos (Negotiate) authorization to the Apache server). I still hope there would be an alternate authentication mechanism other than sending the Authorization header (maybe some alternative HTTP header), because in my opinion making an exception for just one file in site authorization on Apache is a hack (temporary workaround).


            • cyber
              Senior Member
              Zabbix Certified Specialist, Zabbix Certified Professional
              • Dec 2006
              • 4806

              #7
              Well, actually we use the same way... users come through gssapi authorization in apache (zabbix.company) and for API we use completely other webserver (zabbix-api.company) .. But that was intentionally set up already long time ago, not related to any of this topic..
              In other instance we went from apache to nginx and SAML... there is no issue to use same frontend as it does not interfere there... you still can use local auth for users there...
