401 Unauthorized response through API

Hi everyone,

This is my PowerShell script to log in:


$url='http://[AppServerIP]/AppServer/auth/apphost'

$bi=@{
    "authString"="Module=DialogUser;User=***;Password=***"
}
$authJson = ConvertTo-Json $bi -Depth 2

$LoginRequest2 = Invoke-RestMethod -Uri $url -Body $authJson.ToString() -Method POST -UseDefaultCredentials -Headers @{Accept="application/json"} -SessionVariable session2
$LoginRequest2.Content

But I receive a "401 Unauthorized" response. I verified that in the web.config file Anonymous Authentication is disabled and Windows Authentication is enabled. If I enable Anonymous Authentication I can log in.

I want to use Windows Authentication for security reasons.

I use OIM version 8.1.5.

Can someone help me?

Thanks in advance,

Giuseppe

  • The "Windows Authentication" is done by the IIS underneath. To do so, you need to specify the Windows credentials in your PowerShell call (Invoke-RestMethod).

    A quick Google search gave me this.

    To authenticate with Windows Authentication, you can use the -UseDefaultCredentials parameter of Invoke-RestMethod and Invoke-WebRequest. This will perform negotiate authentication whether you are running inside IIS or a service.

    https://docs.powershelluniversal.com/api/security

  • Hi Markus,

    Thanks for your response. Now with the parameter "-UseDefaultCredentials" I can authenticate the user used in the PowerShell script if I run the script from the same machine where the AppServer is located.

    But if I use the same script from another machine, it gives me the same "401 Unauthorized" error. This is strange because if I try to log in through the AppServer Web Portal, from the machine where I receive the error and with the same user as the script, I can log in. It seems not to be a network error.

  • You can try to explicitly provide your credentials using the -Credential parameter like this.

    $Cred = Get-Credential
    
    Invoke-RestMethod -Credential $Cred .......

  • In addition, did you check the log of the application server?

  • Hi Markus,

    I've resolved the issue by adding an extra API call before the code that I reported above. So my code is now:

    $Cred = Get-Credential
    $url1='http://[IPAppServer]'
    $url3='http://[IPAppServer]/AppServer/auth/apphost'

    $LoginRequest1 = Invoke-RestMethod -Uri $url1 -Credential $Cred -SessionVariable session1

    $bi3=@{
        "authString"="Module=RoleBasedManualADS;User=****;Password=****"
    }
    $authJson = ConvertTo-Json $bi3 -Depth 2
    $LoginRequest3 = Invoke-RestMethod -Uri $url3 -Body $authJson.ToString() -Method POST  -WebSession $session1

    With this code I can log in and I can make API calls. I've learned that $LoginRequest1 sends the request to the AppServer machine and saves the session in $session1. Using $session1 I can log in to the OIM AppServer with LoginRequest3.

    I think that this is done because the Anonymous Authentication is disabled and so I must authenticate first. But what changes for the fat client connections and web connections if I enable the Anonymous Authentication? Is it a best practice to disable the Anonymous Authentication?

    Thanks for your help.
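
The two-stage login from the last post, as an added example (not code from the thread's participants or from the product vendor): it prompts for both credentials instead of embedding the password in the script, and reports whether IIS or the application login returned the error. `Connect-AppServer` and `Get-StageError` are hypothetical names; the URL path, `authString` format and module name are taken from the posts above.

```powershell
# Added example. Function names are hypothetical; [AppServerIP] is a placeholder.

# Turns a caught error into a message naming the stage that rejected the request.
function Get-StageError([string] $Stage, $ErrorRecord) {
    # .Response is present on HTTP errors in Windows PowerShell 5.1 and PowerShell 7.
    $response = $ErrorRecord.Exception.Response
    if ($null -eq $response) { return $ErrorRecord.Exception.Message }  # DNS, TLS, etc.
    return "$Stage returned HTTP $([int]$response.StatusCode)"
}

function Connect-AppServer {
    param(
        [Parameter(Mandatory)] [string] $BaseUrl,                   # e.g. 'http://[AppServerIP]'
        [Parameter(Mandatory)] [pscredential] $WindowsCredential,   # checked by IIS
        [Parameter(Mandatory)] [pscredential] $AppCredential,       # checked by the AppServer
        [string] $Module = 'RoleBasedManualADS'                     # module named in the thread
    )

    # One session object shared by both requests, so stage 2 reuses what stage 1 set up.
    $session = New-Object Microsoft.PowerShell.Commands.WebRequestSession

    # Stage 1: IIS with Anonymous Authentication disabled. A 401 here is a Windows
    # Authentication failure and has nothing to do with the authString.
    try {
        $null = Invoke-RestMethod -Uri $BaseUrl -Credential $WindowsCredential -WebSession $session
    } catch {
        throw (Get-StageError 'IIS (Windows Authentication)' $_)
    }

    # Stage 2: application login. The password is read from the credential object
    # at call time. Assumption: user name and password contain no ';'.
    $password = $AppCredential.GetNetworkCredential().Password
    $body = @{
        authString = "Module=$Module;User=$($AppCredential.UserName);Password=$password"
    } | ConvertTo-Json
    try {
        $null = Invoke-RestMethod -Uri "$BaseUrl/AppServer/auth/apphost" -Method Post `
            -Body $body -WebSession $session
    } catch {
        throw (Get-StageError 'AppServer (authString login)' $_)
    }

    return $session   # pass to later calls with -WebSession
}

# Usage:
# $session = Connect-AppServer -BaseUrl 'http://[AppServerIP]' `
#     -WindowsCredential (Get-Credential) -AppCredential (Get-Credential)
```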