Add PingCastle KB: Scheduler/Agent 401 Unauthorized Error (#749)

* Add PingCastle KB: scheduler/agent 401 Unauthorized error

- Add KB article for scheduler and agent deployment 401 Unauthorized error, with images
- Enable KB support for PingCastle in kb_allowlist.json and products.js
- Add _category_.json for PingCastle KB sidebar
- Add sidebar_position to all 7 PingCastle 3.5 docs to fix KB appearing at top of sidebar

* fix(vale): auto-fix substitutions and removals

* fix(vale): auto-fix rewrites (AI-assisted)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(dale): auto-fix documentation issues (AI-assisted)

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: 3 people

docs/kb/pingcastle/0-images/iis-anonymous-authentication-enable.png

@@ -0,0 +1,6 @@
+{
+  "label": "Knowledge Base",
+  "position": 999,
+  "collapsed": true,
+  "collapsible": true
+}

docs/kb/pingcastle/0-images/iis-authentication-settings.png

@@ -0,0 +1,76 @@
+---
+title: "Scheduler or Agent Deployment Returns 401 Unauthorized Error"
+description: "Resolve a 401 Unauthorized error when using the PingCastle scheduler or agent deployment via command line or Swagger."
+---
+
+# Scheduler or Agent Deployment Returns 401 Unauthorized Error
+
+## Related Queries
+
+- "Receiving 401 unauthorized error when I launch the scheduler."
+- "I have followed the steps to install with the appropriate rights and still get a 401 unauthorized error when trying to use the scheduler."
+- "PingCastle agent unable to connect to API."
+- "PingCastle swagger endpoint does not work."
+
+## Symptom
+
+> **NOTE:** If you are using the scheduler functionality from the PingCastle web application and your app pool manages the tasks, this article does not apply to your setup.
+
+When attempting to use the scheduler for automation in PingCastle Pro or PingCastle Enterprise, or when sending data via command line or Swagger, you receive a 401 Unauthorized error. This issue has been persistent since the initial setup and has never worked automatically, requiring manual intervention.
+
+Example log entries:
+
+```
+Starting the task: Retrieve Settings via API
+[17:22:37] API Login OK
+Exception: The remote server returned an error: (401) Unauthorized.
+Task Retrieve Settings via API completed
+
+Starting the task: Send via API
+[17:24:24] API Login OK
+domain.local
+Exception: The remote server returned an error: (401) Unauthorized.
+Task Send via API completed
+```
+
+## Cause
+
+This issue occurs due to one or more of the following:
+
+- An incorrect or mismatched API key in the scheduler, command line, or Swagger configuration
+- **Anonymous Authentication** not enabled in IIS on the server hosting the PingCastle web application
+- In some cases, insufficient permissions for the service account
+
+## Resolution
+
+1. In the PingCastle web application, navigate to **Configuration → Agents** to view the available API keys.
+
+   ![Configuration menu with Agents option highlighted](0-images/pingcastle-configuration-agents-menu.png)
+
+2. Locate the API key being used and compare it to the key configured in your command line, Swagger endpoint, or scheduler settings. Correct any mismatch.
+
+   ![Agents page showing API keys, authorization types, and owner](0-images/pingcastle-api-keys-table.png)
+
+3. Open **Task Scheduler** on the server, navigate to **Task Scheduler Library → PingCastle**, and verify that the API key configured in each scheduled task is correct.
+
+4. Open **IIS Manager** on the server hosting the PingCastle Pro or PingCastle Enterprise web application.
+
+5. In the left pane, expand **Sites** and select **PingCastlePro** or **PingCastleEnterprise**.
+
+   ![IIS Manager with PingCastleEnterprise site selected and Authentication icon visible](0-images/iis-manager-site-selection.png)
+
+6. Double-click **Authentication** in the center pane.
+
+   ![Authentication settings showing Anonymous Authentication disabled and Windows Authentication enabled](0-images/iis-authentication-settings.png)
+
+7. Right-click **Anonymous Authentication** and select **Enable**.
+
+   ![Context menu for enabling Anonymous Authentication in IIS](0-images/iis-anonymous-authentication-enable.png)
+
+8. Test the scheduler or agent again to confirm that the 401 Unauthorized error is resolved.
+
+> **NOTE:** Changes to authentication settings in IIS take effect immediately; you do not need to restart IIS. Ensure that the scheduler configuration matches the settings in PingCastle Pro or PingCastle Enterprise. For more information, refer to [API Setup](https://docs.netwrix.com/docs/pingcastle/3_5/proinstall#api-key-and-endpoint).
+
+## Related Links
+
+- [API Setup](https://docs.netwrix.com/docs/pingcastle/3_5/proinstall#api-key-and-endpoint)

docs/kb/pingcastle/0-images/iis-manager-site-selection.png

@@ -1,3 +1,6 @@
+---
+sidebar_position: 1
+---
 # PingCastle Enterprise Installation and Configuration
 
 import Tabs from '@theme/Tabs';
@@ -384,7 +387,7 @@ If you need to import reports larger than 200MB manually, you'll need to adjust
    ```
 
 :::warning
-This setting only affects the client-side validation. Ensure your IIS upload limit (configured above) is set appropriately to handle files of this size.
+This setting only affects the client-side validation. Ensure your IIS upload limit (configured earlier) is set appropriately to handle files of this size.
 :::
 
 :::note
@@ -1419,7 +1422,7 @@ PingCastle Enterprise can run on any infrastructure that supports ASP.NET Core 8
 
 **Windows with IIS (Manual Installation)**
 - [Host ASP.NET Core on Windows with IIS](https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/)
-- Follow the steps outlined above: extract ZIP, create IIS website, disable Default Web Site, configure app pool, and set SQL permissions
+- Follow the steps outlined earlier: extract ZIP, create IIS website, disable Default Web Site, configure app pool, and set SQL permissions
 
 **Linux (Limited Support - Manual Installation)**
 - [Host ASP.NET Core on Linux with Nginx](https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/linux-nginx)
@@ -1968,7 +1971,7 @@ Proxy settings rely on the current user proxy configuration, which can be define
 <details>
 <summary>Configuring SAML2 with Okta</summary>
 
-Configure PingCastle Enterprise with Okta as your SAML2 identity provider using the steps below.
+Configure PingCastle Enterprise with Okta as your SAML2 identity provider using the following steps.
 
 #### Step 1 Access Okta Admin Portal
 
@@ -2165,7 +2168,7 @@ If the certificate can't be recognized, an error is displayed:
 
 ![Certificate Not Recognized](/images/pingcastle/enterpriseinstall/Authentication/cert-not-recognized.webp)
 
-Ensure the user account login matches one of the certificate identifiers listed above.
+Ensure the user account login matches one of the certificate identifiers listed earlier.
 
   </TabItem>
 </Tabs>
@@ -2256,7 +2259,7 @@ The Email configuration section in appsettings.json supports both providers:
 
 The email functionality sends password reset requests and notifications such as weekly reports.
 
-For detailed instructions on configuring Modern Authentication with Office 365, see the section below.
+For detailed instructions on configuring Modern Authentication with Office 365, see the following section.
 
 ### Modern Authentication with Office 365 Using Graph API
 
@@ -3194,7 +3197,7 @@ logging is enabled).
 ### Connection tests
 
 To verify the connection is properly configured, you can sync a domain using
-the button described above.
+the button described earlier.
 
 If there is an error, it will be displayed as an exception.
 

docs/kb/pingcastle/0-images/pingcastle-api-keys-table.png

@@ -1,3 +1,6 @@
+---
+sidebar_position: 2
+---
 # PingCastle Enterprise Upgrade Guide
 
 ## Before proceeding to the upgrade
@@ -13,14 +16,14 @@ each page.
 
 **Database backup**
 
-We highly recommend to backup the data before proceeding to an upgrade.
+Netwrix highly recommends backing up the data before proceeding with an upgrade.
 
-The data is stored I the database. No data is stored outside of the DB.
+The data is stored in the database. No data is stored outside of the DB.
 
 # Software requirements
 
 Before performing the upgrade, the software requirements for the new
-version need to be met. The table below lays out the different
+version need to be met. The following table lays out the different
 requirements for versions.
 
 | Version    | Requirement                              |