[SalesForce] SOAP request sent after receiving the Access Token gives “403 – Forbidden: Access is denied”

I have started communicating with the Marketing Cloud API.

I have added a Server-to-Server integration component to our installed packages:

Using Postman, and the Authorization Base URL I receive the Access Token (a long string) that time-out after about 1079 seconds.

I found this example page by Eliot Harper to use the Access Token to send a sample SOAP request to update an email address. The base URL I used to run this request is the SOAP Base URL and I run it using a GET method (even though I know SOAP request and responses probably don't have much to do with request verbs and work like XML envelopes). When I look at Eliot's page, I see he has used another URL for the SOAP request (https://webservice.s7.exacttarget.com/Service.asmx with the note that the s7 value should be replaced with "SOAP endpoint", but my SOAP endpoint is a complete URL, so I'm a bit confused).

When I run the GET request with the URI provided in the image above I get the following response:

<body>
    <div id="header">
        <h1>Server Error</h1>
    </div>
    <div id="content">
        <div class="content-container">
            <fieldset>
                <h2>403 - Forbidden: Access is denied.</h2>
                <h3>You do not have permission to view this directory or page using the credentials that you supplied.
                </h3>
            </fieldset>
        </div>
    </div>
</body>

And if I replace the s7 value in Eliot's URL with the [THIS_VALUE] in the SOAP URI (https://[THIS_VALUE].soap.marketingcloudapis.com/), I get the following response in Postman (again the verb is GET).

Can anyone help running a sample request?

UPDATE: Tested using username and pass as suggested by one of the comments. When I log into the marketing cloud the URL contains s11. So that's what I replace in the SOAP request. I get the following response using a GET.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
    <title>Error</title>
    <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1" />
    <meta name="CODE_LANGUAGE" content="C#" />
    <meta name="vs_defaultClientScript" content="JavaScript" />
    <meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5" />
</head>

<body style="margin: 0px; padding: 0px; font-family: Arial;">
    <table style="height:100%; width:100%;" border="0" cellpadding="5" cellspacing="0">
        <tr style="height:10%; background-color:#808080">
            <td>
                <div style="color:#ffffff; font-size: 16px;">An error has occurred and has been logged by our system.
                    <br />
                        Thank you. </div>
            </td>
        </tr>
        <tr valign="top">
            <td>
                <div id="errorTxt">&nbsp;</div>
            </td>
        </tr>
    </table>
</body>

</html>

UPDATE 2: The raw SOAP envelope I am sending using POST:

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <soapenv:Header>
        <Security xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>[MY_USERNAME]</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">[MY_PASSWORD]</Password>
            </UsernameToken>
        </Security>
    </soapenv:Header>
    <soapenv:Body>
        <UpdateRequest xmlns="http://exacttarget.com/wsdl/partnerAPI">
            <Options>
                <SaveOptions>
                    <SaveOption>
                        <PropertyName>*</PropertyName>
                        <SaveAction>UpdateOnly</SaveAction>
                    </SaveOption>
                </SaveOptions>
            </Options>
            <Objects xsi:type="Subscriber">
                <PartnerKey xsi:nil="true" />
                <ObjectID xsi:nil="true" />
                <EmailAddress>newemailaddress@mycompany.com</EmailAddress>
                <SubscriberKey>oldemailaddress@mycompany</SubscriberKey>
            </Objects>
        </UpdateRequest>
    </soapenv:Body>
</soapenv:Envelope>

The response I get is the same error in the picture above with dark background.

Best Answer

The Endpoint you mention https://webservice.s7.exacttarget.com/Service.asmx is correct for the SOAP call, it is just not the endpoint of your Marketing Cloud instance. Instead of S7 as you are given at the example, use your own instance number, this can be found at the Marketing cloud URL when you login.

Example URL. "https://mc.s10.exacttarget.com/" here the server is S10, and that is all you have to change.

Also perhaps that one is not the only issue you have. Recently I have worked with SOAP calls with a Server to Server package and the Access token did not worked for me. I had to use the Username Token for authentication.

Example:

 <Header>
  <Security xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
     <UsernameToken>
        <Username>[YOUR USERNAME]</Username>
        <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">[YOUR PASSWORD]</Password>
     </UsernameToken>
  </Security>

At your envelope's header you add the Security node with a Username and Password. This Username and Password needs to be from a User that it has the 'API User' checkbox enabled, at the User setup in Marketing cloud.

Hope this helps you.

Related Solutions

[SalesForce] Constructing SOAP Security Header for wsse:UserToken

Finally got to the bottom of this... The <wsse:Nonce> and <wsu:Created> elements were required. The following header included in the requests worked.

I use the same Nonce on each request. The Created date can be generated in Apex using

String requestTimeStamp = datetime.now().formatGMT('yyyy-MM-dd\'T\'HH:mm:ss.SSS\'Z\'');

The complete <Header> element:

<soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:UsernameToken wsu:Id="UsernameToken-2E66C7C5CE47F74A5314575223194135">
            <wsse:Username>REDACTED_PLAINTEXT_USERNAME</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">REDACTED_PLAINTEXT_PASSWORD</wsse:Password>
            <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">0S0T0SfUpdJ7A1Wom+g1hg==</wsse:Nonce>
            <wsu:Created> + requestTimeStamp + </wsu:Created>
        </wsse:UsernameToken>
    </wsse:Security>
   </soapenv:Header>

In addition http headers on the request were set to:

req.setEndpoint('https://information.qld.gov.au/service/land/property/ValidationService/2/soap');

req.setHeader('Content-Type', 'text/xml;charset=UTF-8');
req.setHeader('SOAPAction', '"information.qld.gov.au/service/Addressing/ValidationService/2/soap/IValidationServiceEnhanced/ValidateLotPlan"');
req.setHeader('Content-Length', String.valueOf(requestXML.length()));

[SalesForce] SOAP API Connection with Access Token

My team manages a postman collection that has a large collection of both SOAP and REST APIs. All of the SOAP calls use access token vs UN/PW that you can see for future examples.

Currently the collection is available at: https://api.mcexperts.ninja/

We're working to get it added to the official Salesforce Postman network in the future.

Best Answer

Related Solutions

[SalesForce] Constructing SOAP Security Header for wsse:UserToken

[SalesForce] SOAP API Connection with Access Token

Related Topic