Token-Based Authentication Errors in SOAP Web Services

Check the following sections for information about the most common issues that can occur when you use token-based authentication with SOAP web services, and for information about troubleshooting these issues.

Ambiguous Authentication Errors

When you use token-based authentication (TBA) in SOAP web services, an ambiguous authentication error response is returned if you use another authentication mechanism together with the TBA header.

You receive this error if besides the TBA header, your request contains an Application ID, a passport object with an email address and a password, or a valid JSESSIONID.

The error occurs in the following cases:

If a single SOAP web services request contains a combination of the Passport, TokenPassport and SsoPassport complex types.
If a single SOAP web services request contains both the tokenPassport and the ApplicationInfo complex types, and therefore contains the application ID in the SOAP header.

Other Invalid Login Errors

Apart from ambiguous authentication errors, the following authentication errors may occur.

Issues with Nonce and Invalid Timestamps

The nonce and timestamp values must be unique for each request. Reusing these values is not allowed. If the nonce had already been used, or if the timestamp is different from the correct time, an error message is returned.

Additionally, you must make sure that the nonce value you generate does not contain special characters.

Issues with Sending Multiple TokenPassports in a Single Request

Sending multiple TokenPassports in the same request is not allowed and results in an invalid login error. The SOAP request must contain exactly one TokenPassport. A TokenPassport consists of a nonce, a timestamp, and a TokenPassportSignature. Each TokenPassport can only be used one time.

For information about how to construct a TokenPassport, including code samples, see Updating a SOAP Web Services Integration to Send Token-Based Authentication Details.

Issues with Sending the Same TokenPassport in Multiple Requests

Sending the same TokenPassport in multiple requests is not allowed, and results in an invalid login error. You must make sure that you generate a new TokenPassport, complete with a new nonce value and the correct timestamp for every request. One TokenPassportSignature can only be used one time, even if your code contains retry logic to send a SOAP request again if a request fails.

For information about how to correctly construct a TokenPassportSignature, including code samples, see Updating a SOAP Web Services Integration to Send Token-Based Authentication Details.

Troubleshooting Issues with Token-Based Authentication

See the following section for information about investigating authentication issues. For additional information, also see Using the Login Audit Trail.

Logging SOAP Requests and Responses

In general, you should log the full content of all SOAP requests and responses while you develop your SOAP web services integration. This way you can troubleshoot your code, find out whether you use multiple authentication methods in the same request, and also find out if subsequent requests are sending the same nonce and timestamp.

Note:

Logging the full content of SOAP requests and responses is also useful because if a request does not pass validation, it is not logged in the SOAP web services usage log. Additionally, even when a request using token-based authentication is logged, the authentication details are masked in the logs for security reason. This means that you cannot use the log for investigating authentication issues.

When a Passport and a TokenPassport are sent in the same request, the following SOAP response is returned:

                <soapenv:Body>
         <soapenv:Fault>
            <faultcode>soapenv:Server.userException</faultcode>
            <faultstring>Ambiguous authentication</faultstring>
            <detail>
               <ns1:hostname xmlns:ns1="http://xml.apache.org/axis/">f-partners-java001.svale.netsuite.com</ns1:hostname>
            </detail>
         </soapenv:Fault>
      </soapenv:Body>

When a TokenPassport and the ApplicationInfo are sent in the same request, the following SOAP response is returned:

                <soapenv:Body>
         <soapenv:Fault>
            <faultcode>soapenv:Server.userException</faultcode>
            <faultstring>Ambiguous authentication</faultstring>
            <detail>
               <platformFaults:invalidCredentialsFault xmlns:platformFaults="urn:faults_2017_1.platform.webservices.netsuite.com">
                  <platformFaults:code>USER_ERROR</platformFaults:code>
                  <platformFaults:message>Ambiguous authentication</platformFaults:message>
               </platformFaults:invalidCredentialsFault>
               <ns1:hostname xmlns:ns1="http://xml.apache.org/axis/">f-partners-java002.svale.netsuite.com</ns1:hostname>
            </detail>
         </soapenv:Fault>
      </soapenv:Body>