Consuming a REST service with Windows Integrated Auth (NTLM) from Integration Server 10.3 on Linux

, ,
1

Hi Folks,

I’m looking for how to consume a REST service that employs Windows Integrated Authentication, from an Integration Server 10.3 hosted in a Linux box.
From the ‘10.3 IS Administrators Guide’, page 1170, says

“[…] When acting as a client, Integration Server responds to
an NTLM challenge from a web server with the appropriate authentication credentials,
whether Integration Server runs on Windows, UNIX, or another supported platform.”

Having this said, has anyone got success in consuming a REST service that requires NTLM auth, from an IS [10.3] running on a Linux box?

Additional info:

  • during the attempts, we’ve switched the authentication method to use Basic Auth and the IS consumes the service (through the pub.client:http service) swiftly. Therefore, the issue is indeed the authentication;
  • switching the auth method back to “Windows Integrated Authentication” it refuses to work, throwing error (the error message is not the original one, it is ‘wrapped’, saying that “non-trusted login is not accepted”);
  • and one of the tests involved setting the pub.client:http’s input as below, and it didn’t work out.
auth/type = "NTLM"
auth/user =  "<domain>\<username>"

So… any thoughts?

2

Hi Feng Sian,
What is the IS Core fix level? Can you try using DOMAIN/user or user@DOMAIN format while sending the request via pub.client:http?

4

The " Name Variations" format supported can be found at The NTLM Authentication Protocol and Security Support Provider (sourceforge.net)

5

Sorry for the late response.

It is on IS_10.3_Core_Fix8.
I’ve tried both formats (DOMAIN/user and user@DOMAIN) but none worked…

6

I assume you tried domain\user (backslash, not slash).

Do you have access to the original message? I’ve had to learn over the years (repeatedly :slight_smile: ) to trust the error message. It often indicates exactly what the issue but we often misinterpret. Perhaps the original message will trigger an idea from someone.

The BIS reference for pub.client:http has this description:

When using NTLM, Integration Server supports authentication for both HTTP and
HTTPS. Web server providing NTLM authentication must be configured to return the
response header WWW-Authenticate: NTLM and optionally the header WWW-Authenticate:
Negotiate. If the NTLM server returns only WWW-Authenticate: Negotiate header, then
authentication cannot proceed.

7

Hi @Feng_Sian5 , I would suggest to try again with latest IS 10.3 Core fix (IS_10.3_Core_Fix14) and with format I mentioned earlier.

8

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.