I think Brian is correct. From what I understand that syntax is just something you can do in a browser for Basic Authentication.

So setting it to Basic Authentication and putting the credentials there should work.

I had tried this already because they did say they support basic authentication. I just tried again. The way W3 schools says to use Basic Auth in the headers is to use the Authorization header and just type the word Basic out manually followed by a space character and then your credentials separated by a colon.

I get the same exact send error though, I cleaned up the credentials and @ stuff from the domain and made sure everything was configured correctly.

Here is their statement:

At the HTTP level, the API key is sent over HTTP Basic Authentication. Use the secret key as the username and any random string for the password.

You received the same error when you input the credentials rather than manually adding the authorization headers?

I have several Web Services we utilize in Workflow that require Basic Authentication and I've always just put the credentials in the "Use the following credentials" space within the web service configuration.

Based on the BambooHR API documentation, it looks like you can put any string for the password as long as you use the correct API key as the username.

Basically, just try taking the "{API Key}:x@" portion out of the Web Service URL, then put the API key into the username field and any string into the password field.

Just tried this without any luck, same exact send error. What I find odd is that I am not getting a username or password incorrect error. It is almost just as if the remote server which hosts their API does not like something about the request send using the HTTP Web Request activity.

Look how it just sends a combined RST and ACK of it's own RST all at once. It is basically just slamming the door before we even get started communicating.

See how much different a web browser call is. A RST should not be sent from the server until I say goodbye or they don't trust me

I have run into this kind of stuff before, where it is not very well documented.

It doesn't mention this in the error message. Where in wireshark can I check for this?

I just reviewed the documentation from Bamboo HR to ensure it doesn't say any special TLS is required.

This post provides a pretty thorough walkthrough of the relevant bits:

https://www.catchpoint.com/blog/wireshark-tls-handshake

You're looking for the "Version" field in the Client Hello:
"Version: The TLS protocol version number that the client wants to use for communication with the server. This is the highest version supported by the client."

If Workflow is configured to use TLS 1.2, you should see a value of "TLS 1.2 (0x0303)". If it says TLS 1.0 or TLS 1.1, that may be the issue. You can verify this by looking at the subsequent Server Hello message's Version field:
"Server Version: The highest TLS protocol version supported by the server which is also supported by the client."

If Client and Server don't have a mutually supported TLS protocol version to agree on, the handshake fails. It's also possible for Client and Server to agree on a protocol version but not a cipher suite (like "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"), which causes a similar handshake failure.

I used Qualys' public SSL Lab's tool to scan at least one of the api.bamboohr.com endpoint IPs and it seems to still support TLS 1.1, so the version may not be the problem. Looking into the details of those calls in Wireshark might provide other useful insights either way though.

To point out a general trend though:

• The major browsers have at this point officially depreciated TLS 1.0 and 1.1 after a few years advanced notice.
• Microsoft has/is disabling TLS 1.0 and 1.1 for Microsoft 365 services.
• Laserfiche Cloud ended support for TLS 1.0 and 1.1 as of January 1, 2021.
• Salesforce disabled TLS 1.1 in 2019.

Many organizations have been working to disable TLS 1.0 and 1.1 on their systems for a while now to stay compliant with cybersecurity and regulatory standards (e.g., TLS 1.0 is now an auto-fail for PCI compliance; NIST SP 800-52 Rev.2 requires TLS 1.2 or higher for all govt orgs) and most probably didn't make announcements about it. Over the next year or two, it's an increasingly safe assumption that anything lower than TLS 1.2 will be disabled.

My Wireshark says TLSv1. Does that mean TLS version 1.0?

I upgraded to Workflow 10.4.2.246 which is the version that comes with the latest release of the 10.4.3 package from last summer.

It does not provide any options to choose which TLS I would like to use though and still says TLSv1 in Wireshark.

Thanks for all your help on this! I really hope some security requirement isn't the reason for so much pushback on this test, I feel like their documentation is really good and I had their API working within minutes. Seems like it takes many hours to get it working in Workflow.

That's what Sam is saying. Workflow will use TLS 1.0 by default in 10.4.2 or lower because that is what .Net defaults to. The registry keys in this KB article are required to direct .Net 4.5 or lower to use the latest version available in the OS.

Choosing the TLS version in the application is not a recommended setup across the industry because it results in insecure configurations in the long term as older cyphers and protocols are obsoleted.

The 10.4 package is updated monthly as described in this KB article to include patches and newer versions. As of November, it contains Workflow 10.4.3.