Token-Based Authentication Errors in SOAP Web Services
Learn about common token-based authentication issues with SOAP web services and how to troubleshoot them in the following sections.
Ambiguous Authentication Errors
Using multiple authentication methods with TBA, including the TBA header, returns an ambiguous authentication error.
This error occurs when your request includes an Application ID, passport object, or valid JSESSIONID in addition to the TBA header.
The error occurs in these situations:
-
When a single SOAP request includes Passport, TokenPassport, and SsoPassport complex types.
-
When a single SOAP request includes both tokenPassport and ApplicationInfo complex types, including the application ID in the SOAP header.
Other Invalid Login Errors
Additionally, you may encounter the following authentication errors.
Issues with Nonce and Invalid Timestamps
Each request requires unique nonce and timestamp values. Reusing these values isn't allowed. Using a previously used nonce or an incorrect timestamp returns an error message.
Ensure the generated nonce value doesn't include special characters.
Issues with Sending Multiple TokenPassports in a Single Request
Sending multiple TokenPassports in one request isn't permitted and returns an invalid login error. A SOAP request must include exactly one TokenPassport. A TokenPassport includes a nonce, timestamp, and TokenPassportSignature. Each TokenPassport is single-use.
For information about how to construct a TokenPassport, including code samples, see Updating a SOAP Web Services Integration to Send Token-Based Authentication Details.
Issues with Sending the Same TokenPassport in Multiple Requests
Sending the same TokenPassport multiple times isn't permitted and returns an invalid login error. Generate a new TokenPassport with a unique nonce and correct timestamp for each request. A TokenPassportSignature is single-use, even with retry logic.
For information about how to correctly construct a TokenPassportSignature, including code samples, see Updating a SOAP Web Services Integration to Send Token-Based Authentication Details.
Troubleshooting Issues with Token-Based Authentication
See the following section for information about investigating authentication issues. For additional information, also see Using the Login Audit Trail.
Logging SOAP Requests and Responses
In gener, it's best to log all SOAP requests and responses during development. Logging helps you troubleshoot, detect multiple authentication methods, and identify duplicate nonce and timestamp issues
Logging full SOAP requests and responses is helpful because invalid requests aren't logged in the SOAP web services usage log. Even logged token-based authentication requests have masked authentication details for security reasons. As a result, you can't use the log to investigate authentication issues.
When a Passport and a TokenPassport are sent in the same request, the following SOAP response is returned:
<soapenv:Body>
<soapenv:Fault>
<faultcode>soapenv:Server.userException</faultcode>
<faultstring>Ambiguous authentication</faultstring>
<detail>
<ns1:hostname xmlns:ns1="http://xml.apache.org/axis/">f-partners-java001.svale.netsuite.com</ns1:hostname>
</detail>
</soapenv:Fault>
</soapenv:Body>
When a TokenPassport and the ApplicationInfo are sent in the same request, the following SOAP response is returned:
<soapenv:Body>
<soapenv:Fault>
<faultcode>soapenv:Server.userException</faultcode>
<faultstring>Ambiguous authentication</faultstring>
<detail>
<platformFaults:invalidCredentialsFault xmlns:platformFaults="urn:faults_2017_1.platform.webservices.netsuite.com">
<platformFaults:code>USER_ERROR</platformFaults:code>
<platformFaults:message>Ambiguous authentication</platformFaults:message>
</platformFaults:invalidCredentialsFault>
<ns1:hostname xmlns:ns1="http://xml.apache.org/axis/">f-partners-java002.svale.netsuite.com</ns1:hostname>
</detail>
</soapenv:Fault>
</soapenv:Body>