Setting up NTLM authentication
Hi,
I have a J2EE component deployed, and I want to use NTLM authentication for logon.
Can someone explain how to configure NTLM and use it?
Regards
Abhijith YS
Hi
It requires some NTLM proxy modules, which contain iisproxy.xml and other files that SAP is no longer providing, so I don't think this method can be used.
Regards
Abhijith YS
Similar Messages
-
APEX - NTLM Authentication slow
I've been trying to set up NTLM authentication for APEX as described on [this blog|http://jastraub.blogspot.com/2008/03/ntlm-http-authentication-and.html] and in [this whitepaper|http://www.oracle.com/technology/products/database/application_express/pdf/apex_ntlm_authentication_wp.pdf].
The environment is as follows:
DB: 10.1.0.4.2 on a windows 2003 SP2 server
Application server: 10.1.2.3.0 on a windows 2003 SP2 server
Clients: windows XP SP2 / IE 6 & 7 (tested both)
The authentication appears to work fine, but it does seem rather slow (~20 seconds).
I've tried using the earlier version of the page sentry function (without the hacky bits to trick IE) and this works pretty much instantly in Firefox (but gives the expected problems in IE).
I've experimented with commenting various bits out to find out which bit might be causing the issue, and it appears to be when the session cookie is being re-written into the HTTP header,
i.e.:
>
FOR ii IN 1 .. l_htp_rows LOOP
IF l_htp_buffer(ii) LIKE 'Set-Cookie:%' THEN
htp.p(l_htp_buffer(ii));
END IF;
END LOOP;
>
I've been trying to analyze the HTTP traffic, but it just appears that there is a 15-20 second delay before receiving a response from the server.
I've tried logging the steps in the function into a table, and it all seems to happen pretty much instantly, so I guess the issue seems to be occurring on the Apache server?
Does anyone have any ideas what might be causing this, or any further steps I could take to diagnose?
Thanks,
Keith
I've got absolutely no idea what was causing the problem, but I've dropped and recreated the auth procedure, and now it all seems to work fine.
very odd... -
Setting up an external content type without having to change it to NTLM authentication?
Referring to: https://www.kenplaysviola.com/content/sharepoint2010-business-connectivity-path-unavailable
and tested to be true. However, I have a site where I am not using NTLM - is there a way around this?
Hi,
Based on your description, my understanding is that you can’t
set up an external content type with Basic authentication web application.
What errors have you got?
I have done a test in my SharePoint, when I opened Basic authentication site with SharePoint Designer, I got an error
”Access to this web server is disabled by default because it is controlled by basic authentication and doesn't use SSL…”.
But I could create an External List in the Basic authentication site successfully. I set up an external content type with NTLM authentication site. Then I created an External List in the Basic authentication
site which referred to the existing external content type, it worked fine.
So if you don’t want to change your web Application to NTLM authentication, try to create another web Application with NTLM authentication, then create a site collection and create an external content type,
last, create an External List in the Basic authentication site referring to the existing external content type in the NTLM authentication site.
Also, here is a blog about
Access denied by Business Data Connectivity, you can take a look at:
http://blogs.msdn.com/b/ericwhite/archive/2010/06/11/access-denied-by-business-data-connectivity.aspx
Best Regards,
Lisa Chen -
Public-facing on-premises SharePoint with NTLM authentication
I've been searching for authentication best practices for public-facing SharePoint site but I didn't find any useful resources on the issue that is troubling me.
Assume I set up a web application with Classic NTLM authentication. On that web application I enable
Anonymous access. This means that users inside organization's network will be able to authenticate (actually use SSO) using organization's DC. They will be able to access and administer all content. All other anonymous users will be able to see
published content only i.e. content which is permitted to anonymous users.
My question is: Is this kind of setup a security issue because if a potential attacker hacks a WFE then he has direct access to DC?
Is FBA maybe a better solution for public-facing sites? Or maybe use NTLM, but create a separate domain with a one-way trust to the organization's domain?
There are many variations you can take with this - and really you need to consider more than just your content. For true separation:
I would have a dedicated DC to manage service accounts.
I would break up my DMZ behind firewall contexts with a reverse proxy publishing SharePoint at the edge.
proxy/firewall -- SP Server -- Firewall -- SQL/DC
For true separation you don't want to share any underlying infrastructure with internal either, although in reality logical separation is usually enough.
Now you have to deal with internal user authentication and how to handle that. The first thing is I would have at minimum two webs available, your primary for editing and the extended version for public access.
While a one way trust would work - you still do expose user info out to the public which you may not want. With this configuration you could configure people picker to only select from a particular OU to minimize this.
Another option however is to look at using ADFS between your domains and create the trust there. You would have to configure the farm for claims auth to make this work, but this would eliminate the possibility of probing all the users in AD or the OU you expose.
With the ADFS method when you update documents you user name is still tagged to content - however if you don't populate the user profiles this will be the only information available about any internal user.
You may even want to go a step further and, when you extend the public site, use forms authentication but don't provide any users. Then there is no authenticated access from the public URL. And with ADFS/Reverse Proxy you may even be able to configure some pre-authentication for your internal users before they can even reach the internal SharePoint pages.
I would strongly consider moving to SharePoint 2013 and looking at cross site publishing (2010 and below have content publishing - but stay away from that; when it works it's great, but when it doesn't it's a PITA to get back in sync). With cross site publishing you have an editing site and the publishing site pulls from the Search index, and the permissions are completely separate. -
Invoking a Web Service that Requests NTLM Authentication in BPEL Process
Hi,
I am trying to invoke a webservice which requires NTLM Authentication. I am able to test the service through SOAP UI.
I followed the steps mentioned in the Oracle doc in order to invoke the same service through a BPEL process, but somehow I am facing an issue when BPEL invokes the service. Here is the error message:
oracle.fabric.common.FabricException: oracle.fabric.common.FabricException: Error in getting XML input stream: Response: '401: Unauthorized' for url:
Oracle doc link :-
http://docs.oracle.com/cd/E28280_01/admin.1111/e10226/soacompapp_secure.htm#BABJEBIF
http://www.albinsblog.com/2014/04/oraclewebservicespreemptivebasicauth.html#.VK5UEiuUeFM
The above links discuss the properties that need to be set in the composite.xml file in order to invoke the service.
I am using SOA 11.1.1.6 and tried to implement the same steps, but I could see the error message "Unauthorized for url ********** ".
Could you please help me with this.
Thanks
Hi Guys,
Got to know that this is a bug. Somehow the following link helps in sending the payload to a webservice which requires NTLM authentication through Java.
Thoughts Oracle SOA OSB: NTML Authentication - Oracle SOA suite
Thanks -
Windows NTLM Authentication on SAP 4.6c (Platform AIX)
I am trying to use NCo 2.0 for C# .Net application with Web Service and C# Web UI.
My Users are in AD domain and need to authenticate on IIS via AD (Integrated NTLM)
I need to implement single sign on for SAP integrated application.
As per the NCo documentation: I need to set up a trust relationship between IIS and SAP, use this trusted user (DOMAIN\IUSR_SAPPOOL) and send the Active Directory id as external id in the connection string. All transactions should run in the external user id context.
Can someone help me with the following questions.
1. Does NTLM trust relationship / authentication work on SAP running on AIX? Or do I have to set up Kerberos authentication?
2. What SNC library is needed for SAP (AIX instance)?
3. How can I configure NTLM authentication on SAP (AIX instance)? The NCo 2.0 documentation only explains SAP (MS instance) configuration.
What option do I have to get Single Sign On working?
Any help is highly appreciated.
Regards and thank you in advance.
> Hi Reiner,
> Thank you very much for response, this is helpful
> information.
If you consider an answer as helpful, please mark it with the button on the left side :-).
> My options are pretty much limited,
> I can't use NTLM since, AIX will not accept trust
> -- NTLM Auth will not work with AIX
> -- Kerberos auth have to have third party tool like
> CyberSafe for SNC trust relationship.
As I wrote, you can use any SNC provider. Especially Secude would be interesting, as it is available on all platforms.
> I am planning to try using SSO as mentioned in "Enabling
> Single Sign-On for ASP.NET Applications in Enterprise
> Portal 6"
> Does this approach work with EP 5.0?
This is a completely different approach: in the stuff I was writing to you before I was assuming that IIS would do the authentication. The other approach is that SAP Portal does it. This also works - EP 5.0 should be fine - but it works completely differently. E.g. you don't need a trusted connection for SSO with the MYSAPSSO2 ticket.
> If any one has "sapsecu.dll" please send me at
> [email protected] with same size as stated in
> this document.
This DLL is not allowed to be exported into some countries because it contains strong cryptography. You usually get it via your local SAP subsidiary.
> My SSO ticket did not get created after following
> steps in document, I am suspecting either sapsecu.dll
> or veryfy.pse is wrong?
Did you find a MYSAPSSO2 cookie in the request? -
NTLM authenticated app fails after 3.1.1 upgrade
I upgraded my APEX instance to 3.1.1 on Friday without any issues. I can log into Application Builder without any problems and the version is 3.1.1.00.09.
Everything in app builder works as expected. However, when I try to run my NTLM authenticated application, I get errors and the page fails to load.
Furthermore, this only happens on my 11g database.
The exact same app, using the same NTLM authentication works just fine on 10g.
The Apache error log states:
mod_plsql: /pls/apex/f HTTP-404 ORA-03113: end-of-file on communication channel\n
mod_plsql: Unable to reset state for mode 0: Err 3114 url=>/pls/apex/f
I have PlsqlErrorStyle DebugStyle set, so the page returns a fair amount of data.
Wed, 28 May 2008 14:07:17 GMT
ORA-03113: end-of-file on communication channel
DAD name: apex
PROCEDURE : f
URL : http://ecydblcyorwqt03.ecy.wa.lcl:80/pls/apex/f?p=127:51:339228564056494:::::
PARAMETERS :
===========
p:
127:51:339228564056494:::::
ENVIRONMENT:
============
PLSQL_GATEWAY=WebDb
GATEWAY_IVERSION=2
SERVER_SOFTWARE=Oracle-Application-Server-10g/10.1.3.1.0 Oracle-HTTP-Server
GATEWAY_INTERFACE=CGI/1.1
SERVER_PORT=80
SERVER_NAME=ecydblcyorwqt03.ecy.wa.lcl
REQUEST_METHOD=GET
QUERY_STRING=p=127:51:339228564056494:::::
PATH_INFO=/f
SCRIPT_NAME=/pls/apex
REMOTE_HOST=
REMOTE_ADDR=165.151.57.100
SERVER_PROTOCOL=HTTP/1.1
REQUEST_PROTOCOL=HTTP
REMOTE_USER=ECY\taus461
ORACLE_SSO_USER=
OSSO_IDLE_TIMEOUT_EXCEEDED=
OSSO_USER_GUID=
HTTP_CONTENT_LENGTH=
HTTP_CONTENT_TYPE=
HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
HTTP_HOST=ecydblcyorwqt03
HTTP_ACCEPT=text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
HTTP_ACCEPT_ENCODING=gzip,deflate
HTTP_ACCEPT_LANGUAGE=en-us,en;q=0.5
HTTP_ACCEPT_CHARSET=ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP_COOKIE=WEBWPLCS_USER=TAUS461; WEBWPLCS_LAST=04.29.2008 11:41:38; ORA_WWV_R1=%23ALL; ORA_WWV_R2=%23ALL; ORA_WWV_R3=%23ALL; ORA_WWV_REMEMBER_UN=ADMIN:webwplcs; ORACLE_PLATFORM_REMEMBER_UN=ADMIN:webwplcs; ORA_WWV_USER=3B1A5D9EA835D646; WWV_CUSTOM-F_1021906798187125_122=9F806B35C3D9AF51
HTTP_IF_MODIFIED_SINCE=
HTTP_REFERER=http://ecydblcyorwqt03/pls/apex/f?p=4000:4150:339228564056494::NO:::
HTTP_SOAPACTION=
HTTP_ORACLE_ECID=1211983633:165.151.5.125:6156:6252:488,0
HTTP_ORACLE_CACHE_VERSION=
HTTP_AUTHORIZATION=NTLM xyz
WEB_AUTHENT_PREFIX=
DAD_NAME=apex
DOC_ACCESS_PATH=docs
DOCUMENT_TABLE=wwv_flow_file_objects$
PATH_ALIAS=
REQUEST_CHARSET=AL32UTF8
REQUEST_IANA_CHARSET=UTF-8
SCRIPT_PREFIX=/pls
HTTP_X_ORACLE_ASSERT_USER=
There are no invalid objects in the FLOWS schema and the page sentry function I use for NTLM is also valid.
There isn't a database connection issue since both builder and SQL Plus works.
Here is my NTLM page sentry, which is a slightly modified version of the GreenIT version:
CREATE OR REPLACE FUNCTION modNtlmPageSentry(pApexUser IN VARCHAR2 DEFAULT 'APEX_PUBLIC_USER')
RETURN BOOLEAN
IS
  vAuthenticatedUsername VARCHAR2(512);
  vCurrentSessionId      NUMBER;
  l_cnt                  binary_integer := 0;
BEGIN
  -- Get Authenticated User (REMOTE_USER is populated by the web server once NTLM has succeeded).
  vAuthenticatedUsername := UPPER(owa_util.get_cgi_env('REMOTE_USER'));
  -- Strip the DOMAIN\ prefix.
  vAuthenticatedUsername := substr(vAuthenticatedUsername, instr(vAuthenticatedUsername, '\') + 1);
  if to_char(v('APP_ID')) = '127' -- WebWPLCS
  then
    apex_util.set_session_state('P18_USERNAME', vAuthenticatedUsername);
  elsif to_char(v('APP_ID')) = '124' -- TMS
  then
    -- check to see if they are a listed TMS manager or overall admin
    select sum(cnt) into l_cnt
      from (
            select count(0) cnt
              from tms_managers
             where username = vAuthenticatedUsername
            union
            select count(0) cnt
              from tms_admin
             where username = vAuthenticatedUsername
            union
            select count(0) cnt
              from web_admin
             where username = vAuthenticatedUsername
           );
    if l_cnt < 1
    then
      return FALSE;
    end if;
  end if;
  -- Check to ensure that we are running as the correct database user.
  IF USER ^= UPPER(pApexUser) THEN
    RETURN FALSE;
  END IF;
  IF vAuthenticatedUsername IS NULL THEN
    RETURN FALSE;
  END IF;
  -- Get SessionId.
  vCurrentSessionId := wwv_flow_custom_auth_std.get_session_id_from_cookie;
  -- Check Application Session Cookie.
  IF wwv_flow_custom_auth_std.is_session_valid THEN
    apex_application.g_instance := vCurrentSessionId;
    -- Check Authenticated User --> Username from wwv_flow_session$ for
    -- current Session.
    IF vAuthenticatedUsername = wwv_flow_custom_auth_std.get_username THEN
      wwv_flow_custom_auth.define_user_session(p_user       => vAuthenticatedUsername,
                                               p_session_id => vCurrentSessionId);
      RETURN TRUE;
    ELSE
      -- Unset the Session Cookie and redirect back here to take other branch.
      wwv_flow_custom_auth_std.logout(p_this_flow           => v('FLOW_ID'),
                                      p_next_flow_page_sess => v('FLOW_ID') || ':' || NVL(v('FLOW_PAGE_ID'), 0)
                                                               || ':' || vCurrentSessionId);
      -- Tell Apex Engine to quit.
      apex_application.g_unrecoverable_error := TRUE;
      RETURN FALSE;
    END IF;
  ELSE
    -- Application Session Cookie not valid --> Define a new Apex Session.
    wwv_flow_custom_auth.define_user_session(p_user       => vAuthenticatedUsername,
                                             p_session_id => wwv_flow_custom_auth.get_next_session_id);
    -- Tell Apex Engine to quit.
    apex_application.g_unrecoverable_error := TRUE;
    IF owa_util.get_cgi_env('REQUEST_METHOD') = 'GET' THEN
      wwv_flow_custom_auth.remember_deep_link(p_url => 'f?' ||
        wwv_flow_utilities.url_decode2(owa_util.get_cgi_env('QUERY_STRING')));
    ELSE
      wwv_flow_custom_auth.remember_deep_link(p_url => 'f?p=' ||
        TO_CHAR(apex_application.g_flow_id) || ':' ||
        TO_CHAR(NVL(apex_application.g_flow_step_id, 0)) || ':' ||
        TO_CHAR(apex_application.g_instance));
    END IF;
    -- Register the Session in Apex Sessions Table, set Cookie, redirect back.
    wwv_flow_custom_auth_std.post_login(p_uname      => vAuthenticatedUsername,
                                        p_session_id => nv('APP_SESSION'),
                                        p_flow_page  => apex_application.g_flow_id
                                                        || ':' || NVL(apex_application.g_flow_step_id, 0));
    RETURN FALSE;
  END IF;
END modNtlmPageSentry;
Does anyone have any ideas on where to look next?
Regards, Tony
Update
For kicks, I added the page sentry function to the list in the wwv_flow_epg_include_mod_local function.
I bounced both the HTTP Server and the database.
None of these actions solved the problem.
Joel - the alert log states that there is a 7445 error now from Apache:
host_id='ECYDBLCYORWQT01' host_addr='165.151.5.123' module='Apache.exe'
pid='416'>
<txt>Exception [type: ACCESS_VIOLATION, UNABLE_TO_READ] [ADDR:0x0] [PC:0x69A2AB3, _pfrinstr_BRNCCOND()+39]
msg_id='1422874948' type='INCIDENT_ERROR' group='Access Violation'
level='1' host_id='ECYDBLCYORWQT01' host_addr='165.151.5.123'
prob_key='ORA 7445 [pfrinstr_BRNCCOND()+39]' upstream_comp='' downstream_comp=''
ecid='' errid='12252' ORA-07445: exception encountered: core dump [pfrinstr_BRNCCOND()+39] [ACCESS_VIOLATION] [ADDR:0x0] [PC:0x69A2AB3] [UNABLE_TO_READ] []
The trace file just states the same 7445 error:
ORA-07445: exception encountered: core dump [pfrinstr_BRNCCOND()+39] [ACCESS_VIOLATION] [ADDR:0x0] [PC:0x69A2AB3] [UNABLE_TO_READ] []
The incident trace file states that the current SQL was:
----- Current SQL Statement for this session (sql_id=bng4udk9mvtsh) -----
declare function x return boolean is begin
return mergedwplcs.modNtlmPageSentry; return false; end;
begin
wwv_flow.g_boolean := x; end;
----- PL/SQL Stack -----
----- PL/SQL Call Stack -----
object line object
handle number name
2B6ACD34 1020 package body FLOWS_030100.WWV_FLOW_CUSTOM_AUTH_STD
2B6ACD34 662 package body FLOWS_030100.WWV_FLOW_CUSTOM_AUTH_STD
2B6BB44C 59 function MERGEDWPLCS.MODNTLMPAGESENTRY
2B6BBD1C 2 anonymous block
2B6BBD1C 4 anonymous block
2B6BC674 1815 package body SYS.DBMS_SYS_SQL
2B6BD29C 296 package body SYS.WWV_DBMS_SQL
2B70B5D0 1352 package body FLOWS_030100.WWV_FLOW_SECURITY
2B70B5D0 1158 package body FLOWS_030100.WWV_FLOW_SECURITY
2B71BA2C 8847 package body FLOWS_030100.WWV_FLOW
2B72FB04 255 procedure FLOWS_030100.F
2B7E4F1C 31 anonymous block
Which makes sense given that I was trying to log into the application. All of these functions and packages are valid. -
Outlook Negotiate/NTLM authentication credential prompt
Hello everyone,
I have been digging quite a while now for a solution to this, but apparently there are not a lot of systems out there utilizing this or having problems with it. Here it comes:
We have a pure (no migration or coex) Exchange 2013 CU7 environment in production with 3 x CAS/MBX Servers (3 sites connected via WAN VPN). Inside our network our outlook clients (2013 SP1+) authenticate via Kerberos (ASA/SPN) to the Exchange Servers and
connect via MAPI over HTTP. Everything working fine!
External is a different story: we have an Application Request Routing (ARR) machine in our perimeter network that forwards external users to the Exchange Servers, and for a reason that I didn't manage to find yet I can't get it to work so that domain-joined clients (notebooks) that are outside the company's LAN would use their cached credentials to try to authenticate Outlook against the Exchange Servers. Outlook always prompts the user for her/his password on startup and then connects fine. No problems after that - PF, OoO, OAB - everything is working. If the user restarts Outlook -> password prompt once again, and fine after that. Saving the credentials works but is obviously not the way NTLM/Negotiate is supposed to work.
So here is my progress on this:
I verified my virtual directory settings. Here is what the MAPI virtual directory looks like:
IISAuthenticationMethods : {Negotiate}
InternalUrl : https://mail.domain.com/mapi
InternalAuthenticationMethods : {Negotiate}
ExternalUrl : https://mail.domain.com/mapi
ExternalAuthenticationMethods : {Negotiate}
I've set everything to Negotiate because we don't have legacy Exchange Servers nor legacy mail clients in our network. I tried setting it to NTLM only, which made the problem shift. Test clients connect to Exchange and are able to view/receive mails but get the infinite credential prompt and weren't able to access PF, OoO and OAB. Setting it to NTLM and Negotiate produces the same result as Negotiate alone.
Browsing https://autodiscover.domain.com/Autodiscover/Autodiscover.xml with IE (autodiscover URL set in intranet settings) gave the expected error code 600 without prompting for credentials. Even Firefox (network.negotiate-auth.trusted-uris set to domain.com) is utilizing cached Windows credentials and is able to log on to autodiscover and OWA with Windows authentication enabled.
When a client has a valid Kerberos ticket cached (cmd -> klist) Outlook uses that ticket successfully even from outside the network but as soon as the ticket is gone (sign out and sign back in) Outlook prompts for user credentials again.
"Show connection status" in Outlook and the HttpMapi log on the CAS both show that Negotiate has been used for the connection. But why the password prompt then?
I read up on IIS ARR and it seems that it just passes through the authentication information when set to "anonymous authentication" which it is.
Now, how I understand the auth method Negotiate in Exchange 2013 is that Outlook and the server try to handshake on the strongest auth mechanism available in the following order: Kerberos -> NTLM -> Password Prompt (Basic/NTLM), but in my case this doesn't apply.
Now I would appreciate it very much if someone could educate me in how this is supposed to work and, if there is a mistake in my configuration or my understanding of the authentication process, correct it.
A great day to everyone!
Vasko
I don't have a ton of experience using something like ARR, but we should do some testing. The first thing I would try is to route around the ARR in the DMZ and connect directly to Exchange from externally. This SHOULD let us know where the problem lies. If it succeeds (no auth prompts) then the issue is on the ARR and not Exchange. If it fails, then the issue is with the ARR and that needs to be looked at a little more clearly.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread -
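Added example, not code from any of the posts above: a Python decoder for the token in an NTLM or Negotiate Authorization header, such as the HTTP_AUTHORIZATION=NTLM value in the mod_plsql CGI dump earlier on this page. It reports the message type, the domain and user a Type 3 message asserts (what the web server then exposes as REMOTE_USER), whether the response is NTLMv2 rather than the weaker v1, and, for the Negotiate scheme in the Outlook/ARR thread, whether the token is raw NTLMSSP or a SPNEGO/Kerberos blob. The sample messages are constructed locally with zeroed responses, and the OEM code page fallback (cp437) is an assumption.

```python
import base64
import struct

# NTLMSSP message layout follows MS-NLMP; offsets below are fixed-header byte positions.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3
FLAG_UNICODE = 0x00000001

# NegotiateFlags bits that matter when reading a handshake out of a log
FLAG_NAMES = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}


def _flag_names(flags):
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]


def _field(msg, offset):
    """Read a (Len, MaxLen, BufferOffset) descriptor and return the bytes it points at."""
    length, _maxlen, buf_offset = struct.unpack_from("<HHI", msg, offset)
    if buf_offset + length > len(msg):
        raise ValueError("field descriptor points outside the message")
    return msg[buf_offset:buf_offset + length]


def _text(raw, flags):
    # UTF-16LE when the UNICODE flag is set; otherwise the OEM code page (cp437 assumed here).
    return raw.decode("utf-16-le" if flags & FLAG_UNICODE else "cp437")


def decode_auth_header(header_value):
    """Decode 'NTLM <b64>' or 'Negotiate <b64>' as logged in HTTP_AUTHORIZATION."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() not in ("ntlm", "negotiate") or not token:
        raise ValueError("not an NTLM or Negotiate credential")
    msg = base64.b64decode(token)
    if not msg.startswith(NTLMSSP_SIGNATURE):
        # A Negotiate token that is not raw NTLMSSP is a GSS-API/SPNEGO blob: the
        # client took the Kerberos path (or wrapped NTLM inside SPNEGO).
        return {"scheme": scheme, "type": "SPNEGO", "ntlmssp": False}
    if len(msg) < 12:
        raise ValueError("truncated NTLMSSP message")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    if mtype == NEGOTIATE:
        (flags,) = struct.unpack_from("<I", msg, 12)
        return {"scheme": scheme, "type": "NEGOTIATE", "flags": _flag_names(flags)}
    if mtype == CHALLENGE:
        (flags,) = struct.unpack_from("<I", msg, 20)
        return {"scheme": scheme, "type": "CHALLENGE",
                "target": _text(_field(msg, 12), flags),
                "server_challenge": msg[24:32].hex(),
                "flags": _flag_names(flags)}
    if mtype == AUTHENTICATE:
        (flags,) = struct.unpack_from("<I", msg, 60)
        nt_response = _field(msg, 20)
        domain = _text(_field(msg, 28), flags)
        user = _text(_field(msg, 36), flags)
        return {"scheme": scheme, "type": "AUTHENTICATE",
                "domain": domain, "user": user,
                "workstation": _text(_field(msg, 44), flags),
                # NTLMv2 = NTProofStr(16) + client blob, so longer than the fixed 24-byte v1 response
                "ntlmv2": len(nt_response) > 24,
                # what REMOTE_USER looks like once the web server accepts the token
                "remote_user": f"{domain}\\{user}",
                "flags": _flag_names(flags)}
    raise ValueError(f"unknown NTLMSSP message type {mtype}")


def build_sample_authenticate(domain, user, workstation):
    """Constructed AUTHENTICATE message with zeroed (non-working) responses, to exercise the decoder."""
    flags = 0x00000001 | 0x00000004 | 0x00000200 | 0x00008000 | 0x00080000 | 0x20000000 | 0x80000000
    fields = [b"\x00" * 24,                  # LmChallengeResponse placeholder
              b"\x00" * 24,                  # NtChallengeResponse placeholder (24 bytes = v1 length)
              domain.encode("utf-16-le"),
              user.encode("utf-16-le"),
              workstation.encode("utf-16-le"),
              b""]                           # EncryptedRandomSessionKey absent
    header_len = 88   # signature 8 + type 4 + six descriptors 48 + flags 4 + version 8 + MIC 16
    descriptors, payload = b"", b""
    for raw in fields:
        descriptors += struct.pack("<HHI", len(raw), len(raw), header_len + len(payload))
        payload += raw
    msg = (NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE) + descriptors
           + struct.pack("<I", flags) + b"\x00" * 8 + b"\x00" * 16 + payload)
    return "NTLM " + base64.b64encode(msg).decode("ascii")


# Constructed stand-in for a SPNEGO token (ASN.1 application tag + SPNEGO OID), not a real ticket.
SAMPLE_SPNEGO_HEADER = "Negotiate " + base64.b64encode(
    b"\x60\x08\x06\x06\x2b\x06\x01\x05\x05\x02").decode("ascii")
```

Run decode_auth_header on the value copied from the log; a Negotiate header that decodes as SPNEGO means the client never fell back to NTLM, which is the distinction the Outlook/ARR thread is chasing.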
Authenticator not being invoked - NTLM authentication against IIS 6.0 !!
Hi Folks,
I am trying to access Microsoft Reporting Services running on IIS 6.0 through a web proxy (a simple application running in an app server) using NTLM authentication. This is what I am doing:
Authenticator.setDefault(new ReportAuthenticator());
HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();
As I understand, the authentication is to magically work with the IIS server requesting my web proxy for the credentials on connect, which should invoke the Authenticator class.
However this is not happening at the moment. The authenticator object never gets invoked, and even then my web proxy is able to chat to IIS. The Sun app server hosting my web proxy is somehow passing my Windows credentials to IIS, and since my account has sufficient privileges on IIS, I am able to get through the initial connection.
When I debug the urlConnection object, I can see that the connection recognises that this is an NTLM authentication but is obviously not using the Authenticator credentials.
Is the Authenticator object meant to be invoked automatically or do i need to set some header information in the urlConnection??
Any help is greatly appreciated.
P.S: I am using JDK 1.5, IIS 6.0, Sun App Server 9.0 (platform edition)
best regards
Dushy
Hi,
we had the same problem, but we got support
from readme.txt
Bug#: 6789020
Agent type: All Agents
Description: In CDSSO mode non enforced POST requests cannot be accessed
Bug#: 6736820
Agent type: IIS 6 Agent
Description: IIS 6 agent doesn't work properly with ASP pages in CDSSO mode
Both bugs should be fixed in this version:
Sun Java System Web Agents 2.2-02 hotpatch2 -
ClassNotFound error when loading applet from a NTLM authenticated site
Hi,
I wrote a Java applet, put it into a JAR file and signed the JAR file. It works fine if the user doesn't need to be authenticated. However, when I place the same JAR on a site that uses NTLM (NT challenge) authentication, the applet fails to load and returns a ClassNotFound exception. Does anyone know why?
The following is the complete error message:
java.io.IOException: Server returned HTTP response code: 401 for URL: http://unibox.MySite.com/fileupload/FileUpload.jar
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:697)
at sun.plugin.net.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:369)
at sun.net.www.protocol.http.HttpURLConnection.getHeaderFields(HttpURLConnection.java:1139)
at sun.plugin.net.protocol.http.HttpURLConnection.checkCookieHeader(HttpURLConnection.java:330)
at sun.plugin.net.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:367)
at sun.plugin.net.protocol.http.HttpUtils.followRedirects(HttpUtils.java:39)
at sun.plugin.cache.CachedJarLoader.download(CachedJarLoader.java:311)
at sun.plugin.cache.CachedJarLoader.load(CachedJarLoader.java:131)
at sun.plugin.cache.JarCache.get(JarCache.java:177)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.connect(CachedJarURLConnection.java:71)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFile(CachedJarURLConnection.java:56)
at sun.misc.URLClassPath$JarLoader.getJarFile(URLClassPath.java:498)
at sun.misc.URLClassPath$JarLoader.<init>(URLClassPath.java:459)
at sun.misc.URLClassPath$2.run(URLClassPath.java:255)
at java.security.AccessController.doPrivileged(Native Method)
at sun.misc.URLClassPath.getLoader(URLClassPath.java:244)
at sun.misc.URLClassPath.getLoader(URLClassPath.java:221)
at sun.misc.URLClassPath.getResource(URLClassPath.java:134)
at java.net.URLClassLoader$1.run(URLClassLoader.java:190)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:186)
at sun.applet.AppletClassLoader.findClass(AppletClassLoader.java:132)
at sun.plugin.security.PluginClassLoader.findClass(PluginClassLoader.java:189)
at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
at sun.applet.AppletClassLoader.loadClass(AppletClassLoader.java:112)
at java.lang.ClassLoader.loadClass(ClassLoader.java:262)
at sun.applet.AppletClassLoader.loadCode(AppletClassLoader.java:473)
at sun.applet.AppletPanel.createApplet(AppletPanel.java:548)
at sun.plugin.AppletViewer.createApplet(AppletViewer.java:1621)
at sun.applet.AppletPanel.runLoader(AppletPanel.java:477)
at sun.applet.AppletPanel.run(AppletPanel.java:290)
at java.lang.Thread.run(Thread.java:536)
load: class FileUpload.class not found.
java.lang.ClassNotFoundException: FileUpload.class
at sun.applet.AppletClassLoader.findClass(AppletClassLoader.java:151)
at sun.plugin.security.PluginClassLoader.findClass(PluginClassLoader.java:189)
at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
at sun.applet.AppletClassLoader.loadClass(AppletClassLoader.java:112)
at java.lang.ClassLoader.loadClass(ClassLoader.java:262)
at sun.applet.AppletClassLoader.loadCode(AppletClassLoader.java:478)
at sun.applet.AppletPanel.createApplet(AppletPanel.java:548)
at sun.plugin.AppletViewer.createApplet(AppletViewer.java:1621)
at sun.applet.AppletPanel.runLoader(AppletPanel.java:477)
at sun.applet.AppletPanel.run(AppletPanel.java:290)
at java.lang.Thread.run(Thread.java:536)
Caused by: java.io.IOException: open HTTP connection failed.
at sun.applet.AppletClassLoader.getBytes(AppletClassLoader.java:224)
at sun.applet.AppletClassLoader.access$100(AppletClassLoader.java:40)
at sun.applet.AppletClassLoader$1.run(AppletClassLoader.java:141)
at java.security.AccessController.doPrivileged(Native Method)
at sun.applet.AppletClassLoader.findClass(AppletClassLoader.java:138)
... 10 more
It appears that the latest JVM plugins use Java to get the archive files instead of using the browser to download the archive files.
In addition Sun does not support NTLM authentication; because of this the latest JVMs are unable to download the jar file containing the applet.
I have been working on finding a way to replace Sun's HTTP handler, but have had no luck with setting java.protocol.handler.pkgs for the plugin and having it retain the setting.
I have achieved partial results using the appletviewer with -J-Djava.protocol.handler=com.nogoop
you might try taking a look at http://www.nogoop.com -
FDM 11.1.1.3 Now NTLM Authentication Disabled
Hi Everyone,
I've just upgraded from 11.1.1.2 to 11.1.1.3. Now when I go in to the Load Balance Manager, NTLM authentication is Disabled.
I am prompted when I try to edit that the provider type must be configured directly in Shared Services. I have an authentication type of NTLM that all other products are using.
Does anyone know how to Enable NTLM for FDM?
Or a work around setting up Shared services with FDM. I cannot see any FDM references in SS
Thanks
G
Hi,
Thanks for your quick reply. I have done all the upgrades and configuration you mention. All successful.
What authentication method should be in SS and where are the references to FDM? I have NTLM & Native (OpenLDAP)
Surely I should see a reference to FDM in the Application groups and when I provision users. (I don't currently.)
Thanks
G -
Invoke NTLM Authentication Based WebService from BPEL
Hi All,
I am working with SOA Suite 11.1.1.6 version deployed on Weblogic Server (Linux Based OP).
I have a requirement where I need to invoke a webservice which exposes NTLM-based authentication. This particular webservice doesn't even get loaded if we don't pass the credentials. For example: if I hit the WSDL URL in a browser, it first asks for the credentials and on success loads the WSDL file.
First I tried using this WS in SOAP UI and was able to invoke it successfully, because SOAP UI can handle NTLM authentication properly, and it gives us a wizard to put in the credentials when we load the WSDL in SOAP UI.
But the problem comes when I use that WS from our SOA composite. The WSDL doesn't get loaded at all, since it requires the credentials first. I am not sure how I should go ahead and invoke this. I have checked a lot of blogs but none of them were useful for me.
Did anybody face this issue / task of invoking a WS which doesn't get loaded without passing the credentials, and also invoking it through BPEL composites deployed on the WebLogic server (Linux-based OS)?
Please suggest!!!
Regards,
Shah
Hi,
I am in a similar situation.
I am able to successfully invoke the webservice via soapUI when I pass the username, password and the domain.
If I do not pass the domain name in SOAPUI or even in SOA, I get an HTTP 401 Unauthorized error.
However, I am able to set only the oracle.webservices.auth.username and oracle.webservices.auth.password properties when I configure it in SOA 11g.
I tried passing the domain name in the oracle.webservices.auth.username property as domainname\username, but no luck.
The composite is deployed on a Linux server. Please suggest/advise any pointers to resolve this NTLM authentication issue. -
NTLM Authentication in the Outlook Anywhere
I use Exchange Server 2007 SP1 Rollup 6 installed on Windows Server 2008. I need to use Outlook Anywhere from non-domain computers. I tested Outlook Anywhere with Basic and NTLM Authentication and all works fine. But when I use NTLM authentication, Outlook prompts for user credentials every time it starts, even when "remember password" was checked. The login and password are remembered in the user's network passwords, but Outlook prompts for the password again and again when it starts. Exchange is published on port 443 directly (without any listeners)!
When I connect by VPN and use a TCP/IP connection to the server, Outlook remembers the password without any problems, and does not ask for the password again.
get-OutlookAnywhere:
ServerName : SRVEXCH2
SSLOffloading : False
ExternalHostname : mail.my_domain.ru
ClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Ntlm}
MetabasePath : IIS://srvexch2.net.local/W3SVC/1/ROOT/Rpc
Path : C:\Windows\System32\RpcProxy
Server : SRVEXCH2
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : srvexch2
DistinguishedName : CN=srvexch2,CN=HTTP,CN=Protocols,CN=SRVEXCH2,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=net,DC=local
Identity : SRVEXCH2\srvexch2
Guid : 2c24f11b-852c-4948-b236-3f37d071d500
ObjectCategory : net.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged : 18.02.2009 14:17:55
WhenCreated : 17.02.2009 14:53:36
OriginatingServer : dc1.net.local
IsValid : True
I have tried this cases, but they have not helped for this issue:
1) Disable kernel mode authentication with this command: %systemroot%\system32\inetsrv\AppCmd.exe set config /section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:false, I also have unchecked Kernel mode authentication in the properties of Windows Authentication for Default Web site, \Rpc and \Autodiscovery virtual directories.
2) Modify this registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa lmcompatibilitylevel=3 and 2.
3) Set NTLM instead of Kerberos on the security tab in the properties of Outlook.
4) Install domain controller and global catalog roles on the Exchange Server.
Does somebody have any solution for this issue? Maybe Outlook Anywhere and NTLM do not work at all?
Have you also seen this:
You must provide Windows account credentials when you connect to Exchange Server 2003 by using the Outlook 2003 RPC over HTTP feature
http://support.microsoft.com/kb/820281
1. Click Start, click Run, type regedit in the Open box, and then press ENTER.
2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
3. In the right pane, double-click lmcompatibilitylevel.
4. In the Value data box, type a value of 2 or 3 that is appropriate for your environment, and then click OK.
5. Quit Registry Editor.
6. Restart your computer.
LmCompatibilityLevel settings
The LmCompatibilityLevel registry entry can be configured with the following values:
LmCompatibilityLevel value of 0: Send LAN Manager (LM) response and NTLM response; never use NTLM version 2 (NTLMv2) session security. Clients use LM and NTLM authentication, and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.
LmCompatibilityLevel value of 1: Use NTLMv2 session security, if negotiated. Clients use LM and NTLM authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
LmCompatibilityLevel value of 2: Send NTLM response only. Clients use only NTLM authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
LmCompatibilityLevel value of 3: Send NTLMv2 response only. Clients use NTLMv2 authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
LmCompatibilityLevel value of 4: (Server Only) - Domain controllers refuse LM responses. Clients use NTLM authentication, and use NTLMv2 session security if the server supports it; domain controllers refuse LM authentication, and accept NTLM and NTLMv2 authentication.
LmCompatibilityLevel value of 5: (Server Only) - Domain controllers refuse LM and NTLM responses, and accept only NTLMv2 responses. Clients use NTLMv2 authentication, use NTLMv2 session security if the server supports it; domain controllers refuse NTLM and LM authentication, and accept only NTLMv2 authentication.
Mike Crowley: MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator -
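The registry procedure and LmCompatibilityLevel table quoted above can be audited and applied from PowerShell instead of regedit. The script below is an added example written for this page; it is not part of the thread or of the Microsoft KB article. It assumes an elevated PowerShell session on the machine being checked. The level descriptions are the ones listed above; the minimum acceptable level is a parameter (it defaults to 3, the lowest level at which clients send only NTLMv2 responses), and the KB's own guidance to pick 2 or 3 as appropriate for the environment still applies.

```powershell
# Added example (not from the thread or the KB): audit and optionally set LmCompatibilityLevel.
# Assumes an elevated session on the machine being checked; a restart is needed for a change to apply.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Meanings as listed in the KB text quoted above.
$LevelMeaning = @{
    0 = 'Send LM and NTLM responses; never use NTLMv2 session security'
    1 = 'Send LM and NTLM responses; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only; NTLMv2 session security if the server supports it'
    3 = 'Send NTLMv2 response only; NTLMv2 session security if the server supports it'
    4 = 'Send NTLMv2 response only; domain controllers refuse LM'
    5 = 'Send NTLMv2 response only; domain controllers refuse LM and NTLM'
}

function Get-LmCompatibilityLevel {
    # Returns the configured DWORD, or $null when the value is absent and the OS default applies.
    $item = Get-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.LmCompatibilityLevel
}

function Test-LmCompatibilityLevel {
    # Reports the current level and returns $true only if it is explicitly set at or above $Minimum.
    param([ValidateRange(0, 5)][int]$Minimum = 3)

    $level = Get-LmCompatibilityLevel
    if ($null -eq $level) {
        Write-Warning 'LmCompatibilityLevel is not set explicitly; the OS default for this Windows version applies.'
        return $false
    }
    Write-Host ('LmCompatibilityLevel = {0}: {1}' -f $level, $LevelMeaning[$level])
    if ($level -lt $Minimum) {
        Write-Warning ('Level {0} is below the required minimum of {1}; LM or NTLMv1 responses may still be sent.' -f $level, $Minimum)
        return $false
    }
    return $true
}

function Set-LmCompatibilityLevel {
    # Creates the value as REG_DWORD when it is missing, otherwise updates it in place.
    param([Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level)

    if ($null -eq (Get-LmCompatibilityLevel)) {
        New-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -PropertyType DWord -Value $Level | Out-Null
    } else {
        Set-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -Value $Level
    }
    Write-Host ('LmCompatibilityLevel set to {0}; restart the computer for it to take effect.' -f $Level)
}

# Usage: audit first, then raise the level only if the audit fails.
if (-not (Test-LmCompatibilityLevel -Minimum 3)) {
    Set-LmCompatibilityLevel -Level 3
}
```

Run the audit on both the Outlook client and the Exchange server: the table above shows that a level below 2 lets a client fall back to LM or NTLMv1 responses, which is also the reason the KB recommends raising the value rather than lowering it.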
WLS 10.3.3 - Web service - NTLM authentication
Hi,
We have generated a web service proxy based on a WSDL file for a .Net web service secured with NTLM authentication.
Running the code that connects to the web service from a java class main method works fine, but when running the same code from a web application deployed on weblogic server (we have tried both integrated and standalone) we get the following error: com.sun.xml.ws.client.ClientTransportException: The server sent HTTP status code 401: Unauthorized.
Is there something that we should set in weblogic?
Regards,
Delia
Delia,
We had exactly the same issue and it took ages to resolve! Oracle didn't have a solution so I knuckled down and eventually worked out a solution...
When running your JAR under WLS you may have noticed that the exception looks like this:
java.io.FileNotFoundException: Response: '401: Unauthorized' for url: 'http://your.domain.here/default.aspx'
at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:474)
Notice that it is not using the java.net.HttpURLConnection as you might have expected (and your Java code explicitly imports!), rather it employs weblogic.net.http.HttpURLConnection and there lies the rub.
As it turns out, it is easy to have your code force the use of the handler you desire.
Instead of:
HttpURLConnection http = (HttpURLConnection) new URL(yourURL).openConnection(); // WLS substitutes weblogic.net.http.HttpURLConnection here
Use:
URL url = new URL(null, yourURL, new sun.net.www.protocol.http.Handler()); // pin the JDK's own HTTP protocol handler
HttpURLConnection http = (HttpURLConnection) url.openConnection(); // now a java.net.HttpURLConnection, which negotiates NTLM
Regards,
Jerome -
Deep Linking and NTLM Authentication
I have an app that uses NTLM Authentication. When I try to pass a parameter from a link in an email, the deep link page opens but the parameter doesn't get set. When I change the Authentication to 'Application Express', the parameter gets set. Is there a work-around for this?
Scott,
Thanks for your reply.
You can see the app here:
http://apex.oracle.com/pls/otn/f?p=48061
Username = dev
PSW = dev
I want to bring up a specific employee from an email link like this:
http://apex.oracle.com/pls/otn/f?p=48061:4:::::P4_EMPNO:7839
The deep link and parameters work fine when I use 'Application Express' authentication.
When I use NTLM authentication, P4_EMPNO never gets set.
To see the code go into:
workspace = danmar
Username = dev
PSW = dev
Thanks for your help.
Bob