REST-API with ADS user account as Authentication Module --> 401 Unauthorized

identitymanager-support over 3 years ago

Hi,

we use the One Identity Manager version 8.0.5.

We have a first use case that involves using the REST API. In our development and test environment, the REST calls work using the system user as authentication method.
In production, however, the ADS user account (role-based) method is to be used, which is currently not yet successful.

If you call up the BaseURL of the application server you get to the login page, if you then switch the method there to "ADS user account (role based)" or "ADS user account", the message appears
that an error has occurred.
If we try PowerShell, as indicated in the examples, the error message appears
Invoke-RestMethod: The remote server returned an error: (401) Unauthorized.

What can be the reason? What other configuration should we check?

In the IIS, Anonymous Authentication and Windows Authentication are currently enabled as authentication.

Thank you for any hints

0 Markus Weiss-Ehlers over 3 years ago

Like with any IIS hosted web application, you need to disable the Anonymous Authentication if you want to use Windows authentication. You cannot use both at the same time as anonymous overrules the windows authentication.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 identitymanager-support over 3 years ago in reply to Markus Weiss-Ehlers

Thanks Markus for the hint.

One more question - the search index for the WebPortal (ITShop) also runs on the AppServer - does the adjustment in IIS have any effects on the search index?
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 Markus Weiss-Ehlers over 3 years ago in reply to identitymanager-support

Sorry for answering late but as the SearchIndex is hosted on the AppServer, all calls against the SearchIndex require the correct access permission as configured by the Windows Authentication settings in your web.config of the Application Server.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 identitymanager-support over 3 years ago in reply to Markus Weiss-Ehlers
No problem, Markus.

In the meantime we've tried a new server and managed to do it.

The configuration with SSL works. And the search index also seems to be built correctly, what the lines tell me

INFO (Indexing ) : Index is incomplete (100%); indexing will continue in 3000 ms

Take the opportunity to ask some more questions:
- is there a limit to the number of app servers with search indexes?
- Lines like this keep appearing in the log

INFO (AppServer ) : Could not find authentication data for session 2C72CXU2KtSQCpPAl397, it may have expired

what do they mean?
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 Markus Weiss-Ehlers over 3 years ago in reply to identitymanager-support

identitymanager-support said:
is there a limit to the number of app servers with search indexes?

No there is no limit. By default, every application server you are installing contains a search indexer. But you should have in mind, that every indexer put some additional load (a small one) onto the database.

The error message could be caused by connection attempts using a session cookie, where the session has already expired.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Endpoint Privilege Management

REST-API with ADS user account as Authentication Module --> 401 Unauthorized