When I try and create a new DUO API input, I get the following error:
Encountered the following error while trying to update: In handler 'duo': Received 403 Access forbidden
I'm also seeing this in the forwarder logs:
11-28-2016 22:31:25.201 +0000 WARN ModularInputs - Validation for scheme=duo failed: Received 403 Access forbidden
And this... a 400 HTTP return code?
127.0.0.1 - admin [28/Nov/2016:22:31:24.883 +0000] "POST /servicesNS/admin/TA-DUOSecurity2FA/data/inputs/duo HTTP/1.0" 400 167 - - - 319ms
Running Splunk 6.4.4 on CentOS 2.6.32-642.3.1.el6.x86_64
Most likely this is because the ikey (integration key) is for the Auth API endpoint and not the Admin API. DUO doesn't allow an Auth ikey to access the Admin API. https://duo.com/docs/adminapi#first-steps
Looks like it was the correct API key, but they hadn't given me permissions yet. I'm seeing events. Thank you!
I have the same problem as the original post. I have been working with Duo support, and even tried a new set of keys. Still getting the 403. But of course, they say they cannot support Splunk.
DUO has some basic instructions for setting up access to the APIs here:
https://duo.com/docs/adminapi#first-steps
The add-on uses these APIs from DUO: https://duo.com/docs/adminapi#logs and https://duo.com/docs/adminapi#account-info,
so your ikey needs to be an Admin API key and have access to the logs and account-info (if you are trying to pull the account summary) APIs.
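To test a key pair outside Splunk, the sketch below signs a GET against each of the two API areas named above and prints the HTTP status it gets back. It is an added example, not part of the original answer or the add-on's code; it assumes the HMAC-SHA1 request signing described in Duo's Admin API documentation, and the environment variable names DUO_IKEY, DUO_SKEY and DUO_HOST are made up for the example.

```python
import base64, email.utils, hashlib, hmac, os, sys
import urllib.error, urllib.parse, urllib.request

# One endpoint from each Admin API area the answer says the add-on reads.
PROBES = {
    "logs": ("/admin/v1/logs/authentication", {"mintime": "0"}),
    "account-info": ("/admin/v1/info/summary", {}),
}

def sign(ikey, skey, host, path, params, date, method="GET"):
    """Return (query string, headers) for a signed Admin API request."""
    # Parameters are sorted by key and percent-encoded before signing.
    query = "&".join(
        f"{urllib.parse.quote(k, safe='~')}={urllib.parse.quote(v, safe='~')}"
        for k, v in sorted(params.items())
    )
    # Canonical request: date, method, lowercased host, path, query.
    canon = "\n".join([date, method.upper(), host.lower(), path, query])
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    # HTTP Basic auth: ikey as username, hex signature as password.
    basic = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return query, {"Date": date, "Authorization": f"Basic {basic}"}

def probe(ikey, skey, host, name):
    """Send one signed GET and return the HTTP status code."""
    path, params = PROBES[name]
    query, headers = sign(ikey, skey, host, path, params,
                          email.utils.formatdate())
    url = f"https://{host}{path}" + (f"?{query}" if query else "")
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 403 is the status reported in this thread

if __name__ == "__main__":
    # Assumed variable names; the values come from the Duo Admin Panel.
    creds = [os.environ.get(v) for v in ("DUO_IKEY", "DUO_SKEY", "DUO_HOST")]
    if not all(creds):
        sys.exit("set DUO_IKEY, DUO_SKEY and DUO_HOST")
    for name in PROBES:
        print(name, probe(*creds, name))
```

A 200 on one probe and a 403 on the other points at a per-API permission on the Duo side rather than at the Splunk input.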
I was able to get it working. Duo support helped me out; there needed to be specific permissions set in the Admin App on Duo's side.
Hey @responsys_cm - If bawood was able to help you out, please don't forget to click "Accept" below the answer to close out this question so that other users can easily find it. Thanks!