Anaplan connect error - Anaplan API : Basic Authentication Failed!
Hello Anaplan Community,
I am currently facing an issue with Anaplan Connect. I have made an import script and when I run it on my laptop it works completely fine. But when I sent it to the client IT team, it did not work! The command keeps attempting to request the API until it gets to the following error message : Anaplan API : Basic Authentication Failed! (Rertyable: auth.anaplan.com executing POST https://auth.anaplan.com/token/authenticate (unknown host: auth.anaplan.com))
They are running the same JAVA and anaplan connect versions as me and they made sure the anaplan URLs are whitelisted. I am not sure what could possibly be the reason behind this error. Any ideas?
Thank you in advance!
Can you enable debugging for your script (add "-d" at the beginning of your operation) and show what you got? Based on the information you gave, it is indeed some problem with whitelist/DNS, so make sure they are whitelisted (https://support.anaplan.com/domain-and-ip-ranges-c8235c7d-8af2-413b-a9ff-d465978806b9) and try to ping/traceroute auth.anaplan.com from client's machine.0
Hello @M.Kierepka, thank you for your answer.
It is already the case in my script : set Operation=-debug -service %ServiceUrl% -auth %AuthUrl% -workspace %WorkspaceId% -model %ModelId% -file %FileName% -put %FilePath% -process %ProcessId% -execute -output %DumpName%
And yes, I'm starting to think it is indeed related to the URLs whitelisting but they keep saying that the already whitelisted the URLs so I am not sure about the solution.0
Hello @ryan_kohn, thank you for your answer. I asked them to do it but they are not allowed to ping URLs on their machines for security reasons so it is a bit complicated to find the reason behind this blocage.
I still have not found any solution, I have reached to Anaplan support for help to see if they can provide any insight on this.0
It looks like the script is using your user account to authenticate ("when I run it on my laptop it works completely fine"). When you send it to the IT Team, whoever is trying to run it have an Anaplan account and the authentication fails. Your script should have parameters for user and authentication method, not just -service %ServiceUrl% -auth %AuthUrl%.
To have your IT Team schedule and run your Anaplan Connect scripts, you'll need to have a service account set up and added as a user in your Anaplan tenant. It will need to be a workspace admin and also set up to log in outside of SSO. Additionally, you will either need to have it set up to use basic authentication (plain text password -- NOT RECOMMENDED) or a CA Cert.
If this is not enough of an answer to help you through, let me know. I can provide a bit more guidance (preferably with both you AND your IT resource) to get this working.
Hello @Stacey_Gibbens, thank you for the information you provided.
Both scripts used on my laptop and the IT laptop use the same account to authenticate (WP Admin/No SSO) with the user and the password specified. What do you mean by specifying parameters for user and authentication method? Do I need to add a set line for the credentials? If so, then why does the script work on my laptop?
We will end up using the CA Cert once the tests are done using Basic Authentication.
I would gladly have you take a closer look to the issue if you like, let me know how I can reach out to you!0
Included in your Anaplan Connect download, there should be a few sample .bat files that provide a starting point for creating your integrations. The much of the contents of the "basic authentication" script is below:
set AnaplanUser="Username:Password" (***what do you have here?***)
set WorkspaceId="My Workspace"
set ModelId="My Model"
set FileName="FileName from Import data Source"
set FilePath="FilePath on the Client"
set ImportName="Import Action"
set DumpName="Client Location for Dumping the Errored data from Import"
set Operation=-debug -service %ServiceUrl% -auth %AuthUrl% -workspace %WorkspaceId% -model %ModelId% -chunksize %Chunksize% -file %FileName% -put %FilePath% -import %ImportName% -execute -output %DumpName%
rem *** End of settings - Do not edit below this line ***
setlocal enableextensions enabledelayedexpansion || exit /b 1
if not %AnaplanUser% == "" set Credentials=-user %AnaplanUser% (***this is where the authentication "rubber hits the road"***)
set Command=.\AnaplanClient.bat %Credentials% %Operation%
cmd /c %Command%
I guess the basis of my question around authentication is what username and password to you have listed in the very top line? Because that should be your integration account credentials. I'm guessing that's not populated right now.
See that part towards the end that is marked "where the rubber meets the road"? That translates to, if the person running this script is NOT set up as a user in Anaplan (which you are), then use the integration account user credentials at the top to run this script, else execute this script in Anaplan as the person running the script.
When you're running the script on your laptop, I'm guessing that your Anaplan user account is being used to execute the script, because your organization is set up with SSO. If you give this script to a person who is not an Anaplan user and you haven't populated that top line set AnaplanUser="Username:Password" then the authentication is going to fail, since there's no valid Anaplan user to authenticate with.
Let me know if this clarifies the situation enough for you to move past the authentication issue!!
Also, I would do a test where you're sitting next to each other in a conference room in the office working together to troubleshoot this (using the same wi-fi, going through all the same firewalls, etc.). If the scenario is the same (you can run the script successfully but they cannot), then I would check into what kind of group policy differences are in place between the laptops executing the scripts. There may be some kind of difference that isn't easily apparent that is impacting how the script runs.
@wsellami The last thing I can suggest looking at is Anaplan's published Domain and IP ranges that can be used for whitelisting. Depending on their IT configuration, they may need to whitelist additional IP addresses. Per that page, for auth.anaplan.com, the traffic is routed through Cloudflare. Cloudflare publishes it's IP ranges on their website: www.cloudflare.com/ips/.
If this doesn't resolve the issue, I'd suggest escalating through their IT team to be able to trace the traffic and find out where it's being blocked.0