401 Unauthorized response through API

Hi everyone,

This is my Powershell script to login:

$url='http://[AppServerIP]/AppServer/auth/apphost'

$bi=@{
"authString"="Module=DialogUser;User=***;Password=***"

}
$authJson = ConvertTo-Json $bi -Depth 2

$LoginRequest2 = Invoke-RestMethod -Uri $url -Body $authJson.ToString() -Method POST -UseDefaultCredentials -Headers @{Accept="application/json"} -SessionVariable session2
$LoginRequest2.Content

But I receive "401 Unauthorized" response. I verify and in web.config file the Anonymous authentication is disabled and the Windows Authentication is enabled. If I enable the Anonymous authentication I can login.

I want use the Windows Authentication for Security reasons.

I use OIM version 8.1.5.

Can someone help me?

Thanks in advance,

Giuseppe

Parents

0 Markus Weiss-Ehlers 9 months ago

The "Windows Authentication" is done by the IIS underneath. And to do so you need to specify the windows credentials in your PowerShell call (Invoke-restmethod).

A quick Google search gave me this.

To authenticate with Windows Authentication, you can use the -UseDefaultCredentials parameter of Invoke-RestMethod and Invoke-WebRequest . This will perform negotiate authentication whether you are running inside IIS or a service.

https://docs.powershelluniversal.com/api/security
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 g petraglia 9 months ago in reply to Markus Weiss-Ehlers

Hi Markus,

Thanks for you response. Now with the parameter "-UseDefaultCredentials" I can authenticate the user used into the PowerShell script if I run the script from the same machine where the AppServer is located.

But if I use the same script from another machine it gives to me the same "401 Unauthorized" error. This is strange because if i try to log from the machine where i receive the error with the same script's user through the AppServer Web Portal I can log in. It seems not to be a network error.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 Markus Weiss-Ehlers 9 months ago in reply to g petraglia
You can try to explicitly provide your credentials using the -Credential parameter like this.

$Cred = Get-Credential Invoke-RestMethod -Credential $Cred .......
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 Markus Weiss-Ehlers 9 months ago in reply to Markus Weiss-Ehlers

In addition, did you check the log of the application server?
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Reply

0 Markus Weiss-Ehlers 9 months ago in reply to Markus Weiss-Ehlers

In addition, did you check the log of the application server?
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Children

0 g petraglia 9 months ago in reply to Markus Weiss-Ehlers

Hi Markus,

I've resolved the issue adding an extra API before the code that I've reported above. So my code now is:

$Cred = Get-Credential
$url1='http://[IPAppServer]'
$url3='http://[IPAppServer]/AppServer/auth/apphost'

$LoginRequest1 = Invoke-RestMethod -Uri $url1 -Credential $Cred -SessionVariable session1

$bi3=@{
"authString"="Module=RoleBasedManualADS;User=****;Password=****"

}
$authJson = ConvertTo-Json $bi3 -Depth 2
$LoginRequest3 = Invoke-RestMethod -Uri $url3 -Body $authJson.ToString() -Method POST -WebSession $session1

With this code I can log in and I can do API. I've learned that $LoginRequest1 send the request to the AppServer machine and save to session in $session1. Using $session1 I can log in into OIM AppServer with LoginRequest3.

I think that this is done because the Anonymous Authentication is disabled and so I must authenticate before. But what changes for the fat client connections and web connections if I enable the Anonymous Authentication? Is it a best practice to disable the Anonymous Authentication?

Thanks for your help.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Endpoint Privilege Management

401 Unauthorized response through API