PIM - REST API Authorization error with AD Accounts

Document ID : KB000117948
Last Modified Date : 22/10/2018
Issue:
Symptoms:
  • Authorization is failing with the error below when trying to submit REST API Requests to ENTM using an Active Directory (AD) account:
    • "User: <username here> is unauthorize to access this environment - ac."
  • The AD Account IS able to log in normally via the GUI
  • Other accounts may or may not be able to use REST successfully
Environment:
PIM REST API
Multiple AD User Stores
Any REST Client
Cause:
ENTM stores AD usernames in the database as their full DN string. In single-domain environments this is usually not a problem, but when accounts exist in multiple attached AD domains, the login must indicate which domain the account belongs to. When logging in from the GUI there is a domain field that is used to help find the account, but there is no "domain" field in Basic REST Authentication.
Resolution:
Use the full DN in the username field.
Note: "OU" is not accepted, so please change any "OU" to "CN"

Example: CN=administrator,CN=Users,DC=testlab1,DC=lab
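
The following is an added example, not CA's code: it rewrites "OU" components of a DN to "CN" as the note requires and builds the Basic Authorization header with the DN as the username. The function names, the sample DNs and the UTF-8 encoding of the credentials are assumptions.

```python
import base64

def split_rdns(dn: str) -> list[str]:
    """Split a DN on commas, leaving backslash-escaped commas inside values."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts

def rest_username(dn: str) -> str:
    """Return the DN with every OU= component rewritten to CN= (per the note)."""
    out = []
    for rdn in split_rdns(dn.strip()):
        attr, sep, value = rdn.lstrip().partition("=")
        if not sep or not attr.strip() or not value:
            raise ValueError(f"not a valid DN component: {rdn!r}")
        attr = "CN" if attr.strip().upper() == "OU" else attr.strip()
        out.append(f"{attr}={value}")
    return ",".join(out)

def basic_auth_header(dn: str, password: str) -> dict[str, str]:
    """Build the HTTP Basic Authorization header with the DN as the user-id."""
    user = rest_username(dn)
    if ":" in user:
        # RFC 7617: the user-id cannot contain a colon; it separates user and password.
        raise ValueError("DN contains ':' and cannot be sent as a Basic user-id")
    # Assumption: credentials are encoded as UTF-8 before base64.
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}

if __name__ == "__main__":
    # Constructed sample DN, modelled on the example above.
    print(rest_username("CN=svc-rest,OU=Service Accounts,DC=testlab1,DC=lab"))
```

Pass the returned dictionary as the request headers in whichever REST client is in use, and send it only over HTTPS, since Basic credentials are base64-encoded, not encrypted.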
Additional Information:
REST API Documentation:
https://docops.ca.com/ca-privileged-identity-manager/12-9-02/EN/integrating/rest-based-api