Consuming a REST service with Windows Integrated Auth (NTLM) from Integration Server 10.3 on Linux

Hi Folks,

I’m looking for how to consume a REST service that employs Windows Integrated Authentication, from an Integration Server 10.3 hosted in a Linux box.
The ‘10.3 IS Administrators Guide’, page 1170, says:

“[…] When acting as a client, Integration Server responds to
an NTLM challenge from a web server with the appropriate authentication credentials,
whether Integration Server runs on Windows, UNIX, or another supported platform.”

Having said that, has anyone had success consuming a REST service that requires NTLM auth, from an IS [10.3] running on a Linux box?

Additional info:

  • during the attempts, we’ve switched the authentication method to use Basic Auth and the IS consumes the service (through the pub.client:http service) swiftly. Therefore, the issue is indeed the authentication;
  • switching the auth method back to “Windows Integrated Authentication”, it refuses to work, throwing an error (the error message is not the original one, it is ‘wrapped’, saying that “non-trusted login is not accepted”);
  • and one of the tests involved setting the pub.client:http’s input as below, and it didn’t work out.
auth/type = "NTLM"
auth/user =  "<domain>\<username>"

So… any thoughts?

Hi Feng Sian,
What is the IS Core fix level? Can you try using DOMAIN/user or user@DOMAIN format while sending the request via pub.client:http?

The supported "Name Variations" formats can be found at The NTLM Authentication Protocol and Security Support Provider (sourceforge.net)

Sorry for the late response.

It is on IS_10.3_Core_Fix8.
I’ve tried both formats (DOMAIN/user and user@DOMAIN) but none worked…

I assume you tried domain\user (backslash, not slash).

Do you have access to the original message? I’ve had to learn over the years (repeatedly) to trust the error message. It often indicates exactly what the issue is, but we often misinterpret it. Perhaps the original message will trigger an idea from someone.

The BIS reference for pub.client:http has this description:

When using NTLM, Integration Server supports authentication for both HTTP and
HTTPS. Web server providing NTLM authentication must be configured to return the
response header WWW-Authenticate: NTLM and optionally the header WWW-Authenticate:
Negotiate. If the NTLM server returns only WWW-Authenticate: Negotiate header, then
authentication cannot proceed.
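
Added example, not part of the thread or of the product documentation: a Python check that applies the header rule quoted above to the 401 response an endpoint returns before authentication. The sample responses are constructed, and the function names and verdict labels are illustrative assumptions.

```python
import re

# Constructed 401 responses for illustration; not captured from a real server.
NTLM_AND_NEGOTIATE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n\r\n"
)
NEGOTIATE_ONLY = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "www-authenticate: Negotiate\r\n"
    "Content-Length: 0\r\n\r\n"
)
COMBINED_LINE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="svc, internal", ntlm\r\n\r\n'
)

_COMMA_OUTSIDE_QUOTES = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')
# A scheme is a token followed by whitespace or end of text, never by "=".
_SCHEME = re.compile(r"^\s*([A-Za-z0-9!#$%&'*+.^_`|~-]+)(?:\s+(?![\s=])|$)")


def offered_schemes(raw_response):
    """Return the lower-cased auth schemes offered in WWW-Authenticate headers."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        # One header line may carry several comma-separated challenges.
        for part in _COMMA_OUTSIDE_QUOTES.split(value):
            m = _SCHEME.match(part)  # parameter parts such as realm="..." do not match
            if m and m.group(1).lower() not in schemes:
                schemes.append(m.group(1).lower())
    return schemes


def ntlm_verdict(raw_response):
    """Map the offered schemes onto the rule quoted from the BIS reference."""
    schemes = offered_schemes(raw_response)
    if "ntlm" in schemes:
        return "ntlm-offered"    # the NTLM challenge/response can start
    if "negotiate" in schemes:
        return "negotiate-only"  # per the reference, authentication cannot proceed
    return "no-ntlm"
```

Feed it the header block of the endpoint's unauthenticated response, for example as saved from `curl -si`; a `negotiate-only` verdict points at the web server configuration rather than at the `auth/user` format.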

Hi @Feng_Sian5, I would suggest trying again with the latest IS 10.3 Core fix (IS_10.3_Core_Fix14) and with the format I mentioned earlier.
