DUO Log Add-on for Splunk: When creating a new DUO API input, why do I get "Received 403 Access forbidden" error?

Builder

When I try and create a new DUO API input, I get the following error:

Encountered the following error while trying to update: In handler 'duo': Received 403 Access forbidden

I'm also seeing this in the forwarder logs:

11-28-2016 22:31:25.201 +0000 WARN  ModularInputs - Validation for scheme=duo failed: Received 403 Access forbidden

And this... a 400 HTTP return code?

127.0.0.1 - admin [28/Nov/2016:22:31:24.883 +0000] "POST /servicesNS/admin/TA-DUOSecurity2FA/data/inputs/duo HTTP/1.0" 400 167 - - - 319ms

Running Splunk 6.4.4 on CentOS 2.6.32-642.3.1.el6.x86_64

0 Karma
1 Solution

Path Finder

Most likely this is because the ikey (integration key) is for the Auth API endpoint and not the Admin API. DUO doesn't allow an Auth ikey to access the Admin API. https://duo.com/docs/adminapi#first-steps

Builder

Looks like it was the correct API key, but they hadn't given me permissions yet. I'm seeing events. Thank you!

New Member

I have the same problem as the original post. I have been working with Duo support, and even tried a new set of keys. Still getting the 403. But of course, they say they cannot support Splunk.

0 Karma

Path Finder

DUO has some basic instructions for setting up access to the APIs here:
https://duo.com/docs/adminapi#first-steps

The add-on uses these APIs from DUO: https://duo.com/docs/adminapi#logs and https://duo.com/docs/adminapi#account-info

So your ikey needs to be an Admin API key and have access to the logs and account-info (if you are trying to pull the account summary) APIs.

0 Karma
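
Added example, not part of the thread or the add-on's own code: a Python check that signs one request to each of the two Admin API areas named in the answer above and maps the HTTP status to the likely cause, so a missing permission can be told apart from a bad key before configuring the Splunk input. It assumes the HMAC-SHA1 request signing described in the Duo Admin API documentation linked above and the paths `/admin/v1/logs/authentication` and `/admin/v1/info/summary`; `DUO_HOST`, `DUO_IKEY` and `DUO_SKEY` are hypothetical environment variable names.

```python
import base64, email.utils, hashlib, hmac, os
import urllib.error, urllib.parse, urllib.request

# One endpoint per doc section the answer links (#logs, #account-info); paths are assumptions.
ENDPOINTS = {"logs": "/admin/v1/logs/authentication", "account-info": "/admin/v1/info/summary"}

def canonical_request(date, method, host, path, params):
    """Build the string that gets signed: date, method, host, path, sorted params."""
    query = "&".join(
        f"{urllib.parse.quote(k, '~')}={urllib.parse.quote(v, '~')}"
        for k, v in sorted(params.items()))
    return "\n".join([date, method.upper(), host.lower(), path, query])

def auth_headers(ikey, skey, date, method, host, path, params):
    """Date plus HTTP Basic auth: ikey as user, hex HMAC-SHA1 of the request as password."""
    canon = canonical_request(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    token = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {token}"}

def diagnose(status):
    """Map an HTTP status to the causes discussed in this thread."""
    if status == 200:
        return "ok"
    if status == 401:
        return "ikey/skey or signature rejected"
    if status == 403:
        return "key is not an Admin API key, or this permission is not granted"
    return f"unexpected status {status}"

def probe(host, ikey, skey):
    """Call each endpoint once and report the result per API area."""
    results = {}
    for name, path in ENDPOINTS.items():
        date = email.utils.formatdate()
        headers = auth_headers(ikey, skey, date, "GET", host, path, {})
        req = urllib.request.Request(f"https://{host}{path}", headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                status = resp.status
        except urllib.error.HTTPError as err:
            status = err.code
        results[name] = diagnose(status)
    return results

if __name__ == "__main__":
    # Secrets are read from the environment so they stay out of shell history and scripts.
    print(probe(os.environ["DUO_HOST"], os.environ["DUO_IKEY"], os.environ["DUO_SKEY"]))
```

A 403 on only one of the two areas points at a single missing permission on the Admin API application rather than at the key pair.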

New Member

I was able to get it working. Duo support helped me out; there needed to be specific permissions set in the Admin App on Duo's side.

0 Karma

Splunk Employee

Hey @responsys_cm - If bawood was able to help you out, please don't forget to click "Accept" below the answer to close out this question so that other users can easily find it. Thanks!

0 Karma