Using NTLM Authentication when Integration Server Acts as the Client
Overview
When Integration Server executes services that access web pages, Integration Server behaves like a web client making a request to a web server. Integration Server supports NTLM (Windows NT LAN Manager) authentication on the connection from Integration Server to web servers that support NTLM authentication. When properly configured for NTLM client support, Integration Server responds to an NTLM challenge from a web server with the appropriate authentication credentials.
You can use Integration Server to enable NTLM authentication support for service requests where Integration Server acts as the client. Integration Server provides two variants of NTLM client support:
- Java-based NTLM for UNIX platforms and Windows systems.
- Native NTLM for Windows systems.
For Native NTLM, Integration Server uses Integrated Windows authentication as a means of authenticating its identity while establishing connections between Integration Server and web servers on an intranet.
This appendix covers NTLM authentication only for the case where Integration Server acts as the client.
Using Java-Based NTLM Support
By default, Integration Server uses Java-based NTLM support. The Java-based NTLM support can be used on UNIX as well as Windows platforms.
Integration Server responds to an NTLM challenge from a web server with the appropriate authentication credentials, whether Integration Server runs on Windows, UNIX, or another supported platform.
Java-based NTLM authentication in Integration Server has the following limitations:
- Java-based NTLM authentication supports NTLMv2 only.
- Java-based NTLM authentication does not support NTLMv1.
- Java-based NTLM authentication can be used with HTTP and HTTPS.
- Java-based NTLM authentication in Integration Server does not work with NTLM proxy servers.
When using Java-based NTLM client authentication, keep the following information in mind:
- You must provide the authentication credentials explicitly. While providing the authorization information, you must prefix the domain name followed by a backslash (\) before the username. For example, when using NTLM as the authentication type for an invocation of the pub.client:http service, you must specify a value for the user input parameter using the format: domain_name\user_name
For more information about setting auth type in the pub.client:http service, see webMethods Integration Server Built-In Services Reference.
- The NTLM server must be configured to send the “NTLM” header and the “Negotiate” header. If Integration Server receives only the “Negotiate” header, the NTLM handshake will not take place.
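The two conditions above can be checked before a pub.client:http invocation is configured. The following Python check is an added example, not Integration Server code; it assumes the “NTLM” and “Negotiate” headers are the challenge schemes in the WWW-Authenticate headers of the server's 401 response, and the sample responses and the CORP\svc_is account are constructed.

```python
import re

# Constructed 401 responses for illustration (not captured from a real server).
RESP_BOTH = ("HTTP/1.1 401 Unauthorized\r\n"
             "WWW-Authenticate: Negotiate\r\n"
             "WWW-Authenticate: NTLM\r\n\r\n")
RESP_NEGOTIATE_ONLY = ("HTTP/1.1 401 Unauthorized\r\n"
                       'WWW-Authenticate: Negotiate, Basic realm="a, b"\r\n\r\n')

SCHEME = re.compile(r"[A-Za-z][A-Za-z0-9!#$%&'*+.^_`|~-]*")

def offered_schemes(raw_response):
    """Return the lower-cased auth schemes offered in WWW-Authenticate headers."""
    schemes = set()
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:              # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        value = re.sub(r'"[^"]*"', '""', value)      # blank quoted strings (may hold commas)
        for challenge in value.split(","):
            first = (challenge.split() or [""])[0]   # scheme is the first token
            if SCHEME.fullmatch(first):              # auth-params contain '=' and fail here
                schemes.add(first.lower())
    return schemes

def split_ntlm_user(user):
    """Split 'domain_name\\user_name'; raise ValueError if the domain prefix is missing."""
    domain, sep, name = user.partition("\\")
    if not (sep and domain and name) or "\\" in name:
        raise ValueError("user must be given as domain_name\\user_name")
    return domain, name

def java_ntlm_preflight(user, raw_response):
    """Return a list of problems; an empty list means the documented conditions hold."""
    problems = []
    try:
        split_ntlm_user(user)
    except ValueError as exc:
        problems.append(str(exc))
    schemes = offered_schemes(raw_response)
    for required in ("ntlm", "negotiate"):
        if required not in schemes:
            problems.append(f"server did not offer {required!r} in WWW-Authenticate")
    return problems

if __name__ == "__main__":
    print(java_ntlm_preflight("svc_is", RESP_NEGOTIATE_ONLY))
```

A server that answers with only the Negotiate challenge is reported here before any credentials are configured, which is the case where the NTLM handshake will not take place.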
Using Native NTLM Support via Integrated Windows Authentication
If Integration Server runs on Windows, Integration Server can use the “native” NTLM support which uses Integrated Windows authentication as a means of authenticating Integration Server’s identity. Integrated Windows authentication authenticates a user without requiring the transmission of actual passwords or sensitive account information across the network.
Which credentials Integration Server uses when responding to an Integrated Windows authentication request depends on whether Integration Server runs as a standalone application or as an NT service:
- If Integration Server runs as a standalone application, it uses the credentials of the logged in Windows user.
- If Integration Server runs as an NT service, it uses the local system rights for authentication. If you log on as a user, Integration Server uses the credentials associated with that session when responding to an Integrated Windows authentication
Native NTLM authentication in Integration Server has the following limitations:
- Native NTLM authentication is for Windows systems only.
- Native NTLM authentication supports HTTP only.
- Native NTLM authentication is not supported for NTLM proxy servers.
- For Integration Server to use native NTLM support the web server must support Integrated Windows authentication. Microsoft Internet Information Server (IIS) is an example of a web server that supports Integrated Windows authentication.
To use native NTLM authentication on Integration Server, you must first activate Integrated Windows authentication on Integration Server. For information about activating Integrated Windows authentication, see Activating Integrated Windows Authentication.
Activating Integrated Windows Authentication
About this task
To activate Integrated Windows authentication
Procedure
Deactivating Integrated Windows Authentication
About this task
To deactivate Integrated Windows authentication
Procedure
- Open the Integration Server Administrator if it is not already open.
- In the Packages menu of the Navigation panel, click Management.
- In the list of packages, click WmWin32.
- Click Browse services in WmWin32.
- In the list of services, click wm.ntlm:unreg.
- Click Test unreg. The server displays the test screen for the win32.ntlm.unreg service.
- Click Test (without inputs). The server deactivates Integrated Windows authentication.