Version
Cb Protection 8.0.2322 Patch 4

Issue

REST API calls fail with 401 errors.

Symptoms

1. REST API script fail to connect to the Cb Protection server.

2. IIS server log shows "401" errors

#Software: Microsoft Internet Information Services 7.5

#Version: 1.0

#Date: 2017-08-17 11:06:50

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken

2017-08-17 11:06:50 172.25.86.109 GET /api/bit9platform/v1/computer limit=-1&q=deleted:False&q=template:False 443 - 172.25.86.109 Mozilla/5.0+(Windows+NT;+Windows+NT+6.1;+en-US)+WindowsPowerShell/5.0.10586.117 401 0 0 17067

2017-08-17 11:06:50 172.25.86.109 GET /login.php - 443 - 172.20.11.211 B3M/prober 200 0 0 1216

2017-08-17 11:06:50 172.25.86.109 GET /api/bit9platform/v1/computer limit=-1&q=deleted:False&q=template:False&q=connected:True 443 - 172.25.86.109 Mozilla/5.0+(Windows+NT;+Windows+NT+6.1;+en-US)+WindowsPowerShell/5.0.10586.117 401 0 0 0

3. API log shows this error:

2017-08-18T15:13:21.1508290Z,"Authorization:AuthorizeRequest:",""

2017-08-18T15:13:21.1664292Z,"Authorization:X-Auth-Token path.:",""

2017-08-18T15:13:21.1664292Z,"UnauthorizedAccess:reason:Invalid or missing API Token, Get:fileCatalog:","

Cause
The Cb Protection REST API authentication defaults to the built-in "admin" account.

For authentication to work, this admin account requires a role be assinged to it which includes the "Manage Users" permission .

If that permission is missing an authentication token cannot be assigned and the auth fails with 401 error.

Solution

Assign the admin account a role that includes "Manager Users" permission.

Important Note(s)
It does not matter if the "admin" account is enabled or disabled. Only a role with "Manage Users" permission is required.
This is defect EP-2752 that will be fixed in a future release.