
Automatic NTLM Authentication for WSO2 ESB



By : Idris Miles
Date : November 29 2020, 09:01 AM
There were a few components to getting this working correctly. It's hard to find it all written down in one place, so I'll attempt to provide an end-to-end overview here.
I first had to use a class mediator within my WSO2 ESB in-sequence to handle the sending and the NTLM authentication. The class mediator references a custom class which takes the message context from the mediation flow (called the Synapse message context) and extracts the SOAP envelope. I then loaded the Synapse SOAP envelope into an Axis2 message context object. I then used an Axis2 client along with the message context to submit my authenticated request to the server. The authentication for NTLM through Axis2 comes from the JCIFS_NTLMScheme class, which you can reference here.
code :
public class NTLMAuthorisation extends AbstractMediator {

  public boolean mediate(MessageContext context){

    //Mediation Logic  

    return true;  

  }  

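}

//Imports needed by the full class below (Synapse, Axis2, Axiom, Commons HttpClient 3.x).
//JCIFS_NTLMScheme is the custom class referenced above; import it from wherever you place it.
import java.util.ArrayList;

import org.apache.axiom.soap.SOAPEnvelope;
import org.apache.axis2.AxisFault;
import org.apache.axis2.Constants;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.OperationClient;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.transport.http.HttpTransportProperties;
import org.apache.axis2.wsdl.WSDLConstants;
import org.apache.commons.httpclient.auth.AuthPolicy;
import org.apache.synapse.MessageContext;
import org.apache.synapse.mediators.AbstractMediator;

public class NTLMAuthorisation extends AbstractMediator {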

    private String soapAction;
    private String soapEndpoint;
    private String domain;
    private String host;
    private int port;
    private String username;
    private String password;

    public boolean mediate(MessageContext context) { 

        //Mediation Logic

        return true;

    }

    public void setSoapAction(String _soapAction){
        soapAction = _soapAction;
    }

    public String getSoapAction(){
        return soapAction;
    }

    public void setSoapEndpoint(String _soapEndpoint){
        soapEndpoint = _soapEndpoint;
    }

    public String getSoapEndpoint(){
        return soapEndpoint;
    }

    public void setDomain(String _domain){
        domain = _domain;
    }

    public String getDomain(){
        return domain;
    }

    public void setHost(String _host){
        host = _host;
    }

    public String getHost(){
        return host;
    }

    public void setPort(int _port){
        port = _port;
    }

    public int getPort(){
        return port;
    }

    public void setUsername(String _username){
        username = _username;
    }

    public String getUsername(){
        return username;
    }

    public void setPassword(String _password){
        password = _password;
    }

    public String getPassword(){
        return password;
    }

}

<dependency>
  <groupId>org.samba.jcifs</groupId>
  <artifactId>jcifs</artifactId>
  <version>1.3.17</version>
</dependency>

public boolean mediate(MessageContext context) {

    //Build NTLM Authentication Scheme
    AuthPolicy.registerAuthScheme(AuthPolicy.NTLM, JCIFS_NTLMScheme.class);
    HttpTransportProperties.Authenticator auth = new HttpTransportProperties.Authenticator();
    auth.setUsername(username);
    auth.setPassword(password);
    auth.setDomain(domain);
    auth.setHost(host);
    auth.setPort(port);
    ArrayList<String> authPrefs = new ArrayList<String>();
    authPrefs.add(AuthPolicy.NTLM);
    auth.setAuthSchemes(authPrefs);

    //Force Authentication - failures will get caught in the catch block
    try {

        //Build ServiceClient and set Authorization Options
        ServiceClient serviceClient = new ServiceClient();
        Options options = new Options();
        options.setProperty(org.apache.axis2.transport.http.HTTPConstants.AUTHENTICATE, auth);
        options.setTransportInProtocol(Constants.TRANSPORT_HTTP);
        options.setTo(new EndpointReference(soapEndpoint));
        options.setAction(soapAction);
        serviceClient.setOptions(options);

        //Generate an OperationClient from the ServiceClient to execute the request
        OperationClient opClient = serviceClient.createClient(ServiceClient.ANON_OUT_IN_OP);

        //Have to translate MsgCtx from Synapse to Axis2
        org.apache.axis2.context.MessageContext axisMsgCtx = new org.apache.axis2.context.MessageContext();  
        axisMsgCtx.setEnvelope(context.getEnvelope());
        opClient.addMessageContext(axisMsgCtx);

        //Send the request to the server
        opClient.execute(true);

        //Retrieve Result and replace mediation (synapse) context
        SOAPEnvelope result = opClient.getMessageContext(WSDLConstants.MESSAGE_LABEL_IN_VALUE).getEnvelope();
        context.setEnvelope(result);

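    } catch (AxisFault e) {

        //Transport-level failures (e.g. an HTTP 401 from a failed NTLM handshake) carry no SOAP fault code element
        String code = (e.getFaultCodeElement() != null) ? e.getFaultCodeElement().getText() : e.getMessage();
        context.setProperty("ResponseCode", code);

        return false; //This stops the mediation flow, so I think it executes the fault sequence?

    }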

    return true;

}


The HTTP request is unauthorized with client authentication scheme 'Ntlm' The authentication header received from the se



By : user1905928
Date : March 29 2020, 07:55 AM
After a lot of trial and error, followed by a stagnant period while I waited for an opportunity to speak with our server guys, I finally had a chance to discuss the problem with them and asked them if they wouldn't mind switching our SharePoint authentication over to Kerberos.
To my surprise, they said this wouldn't be a problem and was in fact easy to do. They enabled Kerberos and I modified my app.config as follows:
code :
<security mode="Transport">
    <transport clientCredentialType="Windows" />
</security>

<system.serviceModel>
    <bindings>
        <basicHttpBinding>
            <binding name="TestServerReference" closeTimeout="00:01:00" openTimeout="00:01:00"
             receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false"
             bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
             maxBufferSize="2000000" maxBufferPoolSize="2000000" maxReceivedMessageSize="2000000"
             messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
             useDefaultWebProxy="true">
                <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                 maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                <security mode="Transport">
                    <transport clientCredentialType="Windows" />
                </security>
            </binding>
        </basicHttpBinding>
    </bindings>
    <client>
        <endpoint address="https://path/to/site/_vti_bin/Lists.asmx"
         binding="basicHttpBinding" bindingConfiguration="TestServerReference"
         contract="TestServerReference.ListsSoap" name="TestServerReference" />
    </client>
</system.serviceModel>
Access Web Service with Basic authentication through a proxy with Windows (NTLM) authentication



By : ikisuru
Date : March 29 2020, 07:55 AM
The 400 error is not related to the issue. Authorisation with the NTLM proxy seems to be working with this config.
UPDATE:
The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the s



By : Slaveak
Date : March 29 2020, 07:55 AM
In the end I was given permissions in their server: more precisely in the database which was the one that wouldn't let me create the web part in the server. Once this was done, the call to the webservice worked just fine, because they have the web.config correctly configured.
The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the s



By : Deepak Agarwal
Date : March 29 2020, 07:55 AM
You can eliminate the client from the problem by using wfetch. This is an old tool, but I have found it useful in diagnosing authentication issues. wfetch allows you to specify NTLM, Negotiate and Kerberos; this may well help you better understand your problem. As you are trying to call a service and wfetch knows nothing about WCF, I would suggest applying your endpoint binding (PROVIDERSSoapBinding) to the serviceMetadata; then you can do an HTTP GET of the WSDL for the service with the same security settings.
Another option, which may be available to you, is to force the server to use NTLM. You can do this by either editing the metabase (IIS 6) and removing the Negotiate setting; more details at http://support.microsoft.com/kb/215383.
webpack-dev-server hot reloading proxy IIS Express with Windows authentication (NTLM Authentication)



By : Michel
Date : March 29 2020, 07:55 AM
After looking at the documentation for webpack-dev-server Proxy I saw that they use http-proxy-middleware.
https://webpack.github.io/docs/webpack-dev-server.html#proxy
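code :
npm install agentkeepalive --save

var agent = require('agentkeepalive'); // keep-alive HTTP agent installed above
var proxy = 'localhost:57263';

devServer: {
    proxy: {
        '*': {
            target: 'http://' + proxy,
            changeOrigin: true,
            // NTLM authenticates the connection, so proxied requests must reuse the same socket
            agent: new agent({
                maxSockets: 100,
                keepAlive: true,
                maxFreeSockets: 10,
                keepAliveMsecs: 100000,
                timeout: 6000000,
                keepAliveTimeout: 90000 // free socket keepalive for 90 seconds
            }),
            onProxyRes: (proxyRes) => {
                // Split the combined header so each scheme is sent as its own WWW-Authenticate header
                var key = 'www-authenticate';
                proxyRes.headers[key] = proxyRes.headers[key] && proxyRes.headers[key].split(',');
            },
        },
    },
    // dev-server options belong on devServer itself, not inside the proxy map
    port: 8080,
    host: '0.0.0.0',
    hot: true,
}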
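Added example, not part of the original answer: Node joins repeated WWW-Authenticate response headers into one comma-separated string, which is why the handler above splits on ','. The hypothetical helper `splitChallenges` below performs the same split but keeps quoted commas and auth-params (as in Digest or Basic challenges) attached to their scheme; the sample header is constructed.

```javascript
// Added example (not from the original answer); splitChallenges is a hypothetical helper.
// Splits a comma-joined WWW-Authenticate value into one string per challenge.
function splitChallenges(header) {
  if (!header) return [];
  if (Array.isArray(header)) return header; // already one entry per header line
  // Pass 1: split on commas that are outside double-quoted strings.
  const parts = [];
  let current = '';
  let inQuotes = false;
  for (let i = 0; i < header.length; i++) {
    const ch = header[i];
    if (inQuotes && ch === '\\') {
      current += ch + (header[i + 1] || ''); // keep escaped character as-is
      i++;
    } else if (ch === ',' && !inQuotes) {
      parts.push(current.trim());
      current = '';
    } else {
      if (ch === '"') inQuotes = !inQuotes;
      current += ch;
    }
  }
  parts.push(current.trim());
  // Pass 2: a part shaped like name=value is an auth-param of the previous
  // challenge; anything else (scheme, or scheme plus token/params) starts a new one.
  const isParam = /^[A-Za-z0-9!#$%&'*+.^_`|~-]+\s*=/;
  const challenges = [];
  for (const part of parts) {
    if (!part) continue;
    if (challenges.length && isParam.test(part)) {
      challenges[challenges.length - 1] += ', ' + part;
    } else {
      challenges.push(part);
    }
  }
  return challenges;
}

// Drop-in replacement for the onProxyRes handler in the answer above.
function onProxyRes(proxyRes) {
  const key = 'www-authenticate';
  if (proxyRes.headers[key]) {
    proxyRes.headers[key] = splitChallenges(proxyRes.headers[key]);
  }
}

// Constructed sample: an upstream offering four schemes, as seen after joining.
const sample = 'Negotiate, NTLM, Digest realm="corp, eu", nonce="abc", Basic realm="x"';
console.log(sample.split(','));       // naive split: Digest challenge broken apart
console.log(splitChallenges(sample)); // one entry per challenge
```

For an IIS upstream that only offers `Negotiate` and `NTLM`, both approaches give the same result; the difference appears once a challenge carries parameters.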