Rest API on 7.1 cannot authenticate

Hi all,

I'm trying to access my IM through the web API:

If I GET appserver/authmodules

it returns

 
| Id | Caption | Password Based | Is Default |
|---|---|---|---|
| RoleBasedManualADS | Active Directory user account (manual input/role based) | false | false |
| RoleBasedADSAccount | Active Directory user account (role based) | false | false |
| DialogUser | System user | false | true |
| RoleBasedPerson | Employee (role based) | false | false |
| ADSAccount | Active Directory user account | false | false |
| DynamicPerson | Employee (dynamic) | false | false |

I'm trying to use the DialogUser method

in the following way:

calling auth/apphost

with the following JSON in the body, as described in the documentation:

{"authString":"Module=DialogUser;User=*SystemUsername*;Password=*SystemUserPassword*"}

 

but I get a 401 - Unauthorized: Access is denied due to invalid credentials

but the user is an admin user and has all the privileges.

Should I enable the user for something?

 

Thanks Mik

  • Hi Mik

    Usually "invalid credentials" does mean that there is an error in the username / password combination. I assume you've already checked that.
    Could you post more of your authentication / connection code to check whether there are other issues around handling the authentication?

    HTH
    Carsten
  • In reply to carsten.paul:

    I'm trying to connect with a rest client (Postman) to test the api before implementing the logic

    Using POST request with header: Content-Type:application/javascript

    and passing in the body the json string written in the post before

     

  • In reply to michele.polizio:

    It might be an issue with your REST client. Did you try using the same credentials with the PowerShell samples added to the API reference doc to check whether your credentials work at all?
  • In reply to carsten.paul:

    Same error using the powershell example support.oneidentity.com/.../15
    If I go to myhost/D1IMAppServer through the web I can successfully log in with the same username and password.
  • In reply to michele.polizio:

    What version of 1IM are you using?
  • In reply to carsten.paul:

    7.1

    If I try the API with D1IMAppServer/swagger-ui/#!/Collections/entities__table__get inside the API documentation, using the "Try it" button, it worked.

  • In reply to michele.polizio:

    Using the correct syntax / command sequence in PowerShell it did work for me using 7.1.0 and 7.1.1 on several occasions:


    # Build the login body for auth/apphost
    $authdata = @{AuthString="Module=DialogUser;User=<user>;Password=<pwd>"}
    $authJSON = ConvertTo-JSON $authdata -Depth 2

    # -SessionVariable takes the variable name without "$"; the session is then available as $wsession
    Invoke-RestMethod -Uri "http://<url>" -Body $authJSON.ToString() -Method Post -UseDefaultCredentials -Headers @{Accept="application/json"} -SessionVariable wsession

  • In reply to carsten.paul:

    I used the same instructions.
    Did you use an admin user? How did you create it?
  • In reply to michele.polizio:

    Update:
    The PowerShell example works if I run it from a machine inside the domain.
    It doesn't work if I run it from outside. I can access the web interface of the AppServer but not the REST service.
    But it is strange that it is IIS that tells me I'm unauthorized.
  • In reply to michele.polizio:

    It is not strange that IIS gives you a 401 when you are not authorized. This is the normal behavior. I think you have configured the AppServer to use Windows authentication in IIS.
  • In reply to michele.polizio:

    If you're connecting to the Application Server from outside of the application server's domain, you have to authenticate against the domain first before authenticating towards the application server.
  • In reply to carsten.paul:

    1) Can I disable it? Just the first authentication part?
    2) Or how can I force a web-based application to authenticate against the domain before sending the username and password in the JSON?
    3) If I authenticate, I get this in the answer from the server (in dev I have no restrictions, so it works):

    {
      "claims": {
        "schemas.dell.com/.../identifier": "CCCAdmin",
        "schemas.dell.com/.../useruid": "CCC-65E9B3D39FFE925C4D7747A69876C128",
        "schemas.dell.com/.../module": "DialogUser",
        "schemas.dell.com/.../product": ""
      },
      "passwordBased": true,
      "moduleDisplay": "System user",
      "sessionId": "t0w0JxsyplKZiqqlEQz7",
      "userName": "CCCAdmin",
      "responseStatus": {}
    }

    I think the sessionId is what I need to call the API as an authenticated user. But where do I have to put it in the request? As a header?
    I'd like to use a JavaScript framework to query the REST service with AJAX requests.

    If I put the JSON above as the body of an AJAX POST request it works, but what do I have to do for GET requests?

    Mik

  • In reply to michele.polizio:

    The authentication part would be there even without 1IM. This is Windows security behaviour when trying to access resources in domain A while using a user from an untrusted domain B. So you have to find a way to add authentication to the tool you're using. As this is far beyond 1IM, I'd suggest reaching out to the tool's support or, if you're developing the solution using Java, researching in the Java developer docs how to handle Windows authentication.
    You've got no issue with 1IM or the 1IM application server; all your trouble is around basic Windows behaviour.
  • In reply to carsten.paul:

    I noticed that the only difference between where it works and where it doesn't is that where it doesn't work I have HTTPS enabled.
  • In reply to michele.polizio:

    I resolved it.
    Just enable anonymous authentication in IIS Manager: select the application and click the Authentication icon under the IIS options.
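
The 401 discussed in this thread can be traced to its layer by reading the WWW-Authenticate challenge on the response: a Negotiate/NTLM challenge means IIS Windows Authentication is asking for domain credentials, independent of the authString in the body. The PowerShell below is an added example, not code from the thread or from the product documentation; it assumes Windows PowerShell 5.1, and the function names and the sample responses are made up for illustration.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1, where a
# failed Invoke-RestMethod exposes the HttpWebResponse on $_.Exception.Response.

function Get-ChallengeType {
    param([int]$StatusCode, [string[]]$WwwAuthenticate)
    if ($StatusCode -ne 401) { return 'not-a-401' }
    # Negotiate/NTLM: IIS Windows Authentication is enabled for the
    # application and is asking the client for domain credentials.
    if ($WwwAuthenticate -match '^(Negotiate|NTLM)\b') { return 'windows-auth-challenge' }
    if ($WwwAuthenticate -match '^Basic\b')            { return 'basic-auth-challenge' }
    return 'no-iis-challenge'
}

function Test-AppServerLogin {
    param([string]$Uri, [string]$AuthString)
    $body = @{ authString = $AuthString } | ConvertTo-Json
    try {
        # No -UseDefaultCredentials: send only the JSON login, the way a
        # client outside the domain would.
        $null = Invoke-RestMethod -Uri $Uri -Method Post -Body $body -ContentType 'application/json'
        return 'authenticated'
    } catch {
        $resp = $_.Exception.Response
        if ($null -eq $resp) { throw }   # DNS/TLS/connect failure, no HTTP answer
        $challenge = $resp.Headers.GetValues('WWW-Authenticate')
        return Get-ChallengeType -StatusCode ([int]$resp.StatusCode) -WwwAuthenticate $challenge
    }
}

# Constructed sample responses (illustrative, not captured from a real server)
$samples = @(
    @{ Name = 'Windows auth only, client outside domain'; Status = 401; Challenge = @('Negotiate', 'NTLM') },
    @{ Name = 'anonymous enabled, login rejected';        Status = 401; Challenge = @() },
    @{ Name = 'anonymous enabled, login accepted';        Status = 200; Challenge = @() }
)
foreach ($s in $samples) {
    '{0,-42} -> {1}' -f $s.Name, (Get-ChallengeType -StatusCode $s.Status -WwwAuthenticate $s.Challenge)
}

# Live check against a real server (URL and credentials are placeholders):
# Test-AppServerLogin -Uri 'https://<host>/D1IMAppServer/auth/apphost' `
#     -AuthString 'Module=DialogUser;User=<user>;Password=<pwd>'
```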