webMethods

Hi Folks,

I’m looking for how to consume a REST service that employs Windows Integrated Authentication, from an Integration Server 10.3 hosted in a Linux box.
From the ‘10.3 IS Administrators Guide’, page 1170, says

“[…] When acting as a client, Integration Server responds to
an NTLM challenge from a web server with the appropriate authentication credentials,
whether Integration Server runs on Windows, UNIX, or another supported platform.”

Having this said, has anyone got success in consuming a REST service that requires NTLM auth, from an IS [10.3] running on a Linux box?

Additional info:

• during the attempts, we’ve switched the authentication method to use Basic Auth and the IS consumes the service (through the pub.client:http service) swiftly. Therefore, the issue is indeed the authentication;
• switching the auth method back to “Windows Integrated Authentication” it refuses to work, throwing error (the error message is not the original one, it is ‘wrapped’, saying that “non-trusted login is not accepted”);
• and one of the tests involved setting the pub.client:http’s input as below, and it didn’t work out.

auth/type = "NTLM"
auth/user =  "<domain>\<username>"

So… any thoughts?

Hi Feng Sian,
What is the IS Core fix level? Can you try using DOMAIN/user or user@DOMAIN format while sending the request via pub.client:http?

(post withdrawn by author, will be automatically deleted in 24 hours unless flagged)

The " Name Variations" format supported can be found at The NTLM Authentication Protocol and Security Support Provider (sourceforge.net)

Sorry for the late response.

It is on IS_10.3_Core_Fix8.
I’ve tried both formats (DOMAIN/user and user@DOMAIN) but none worked…

I assume you tried domain\user (backslash, not slash).

Do you have access to the original message? I’ve had to learn over the years (repeatedly ) to trust the error message. It often indicates exactly what the issue but we often misinterpret. Perhaps the original message will trigger an idea from someone.

The BIS reference for pub.client:http has this description:

When using NTLM, Integration Server supports authentication for both HTTP and
HTTPS. Web server providing NTLM authentication must be configured to return the
response header WWW-Authenticate: NTLM and optionally the header WWW-Authenticate:
Negotiate. If the NTLM server returns only WWW-Authenticate: Negotiate header, then
authentication cannot proceed.

Hi @Feng_Sian5 , I would suggest to try again with latest IS 10.3 Core fix (IS_10.3_Core_Fix14) and with format I mentioned earlier.