NTLM authentication

Overview

The NTLM protocol is a challenge-response mechanism for authentication users in Windows operating systems.
This tutorial explains how to use a MobileFirst adapter when connecting to a back end or resource that is protected by NTLM protocol for user authentication.

Topics:

Back-end connection settings (connectAs="endUser/server")
Using NTLM authentication with ServerIdentity
Using NTLM authentication with UserIdentity

Back-end connection settings (`connectAs="endUser/server"`)

For MobileFirst Server to handle sessions when connecting to a back-end system, you can use either of the following 2 approaches:

connectAS="server":
All sessions use the same connection context to the back end.
This is the MobileFirst Server default behavior.
connectAS="endUser":
Each session is authenticated separately and has a unique connection context against the back end.

For a procedure to be connected as "end user", you must declare it with a connectAs="endUser" attribute in the adapter XML file:

<procedure name="MyProcedure" connectAs="endUser"/>

For more information about the connectAs attribute, read the blog post about Configuring HTTP adapters for stateless/stateful back-end connectivity and user identity propagation.

Using NTLM authentication with `ServerIdentity`

When you use a procedure to connect to a back-end server that uses NTLM protocol without specifying the connectAs attribute, use the <serveridentity> element of the adapter XML file as child element of the <authentication> element. Also add the <ntlm workstation> child element, so that MobileFirst Server knows which authentication method to use when connecting to the back end.

Make sure to pass the server and user names to the back-end server in the following pattern: `server-name/user-name`.

<connectivity>
    <connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
        <protocol>http</protocol>
        <domain>your-domain-here</domain>
        <port>80</port>
        <connectionTimeoutInMilliseconds>30000</connectionTimeoutInMilliseconds>
        <socketTimeoutInMilliseconds>30000</socketTimeoutInMilliseconds>
        <authentication>
            <ntlm workstation="ServerName"/>
            <serverIdentity>
                <username>your-server-name/your-username-here</username>
                <password>your-password-here</password>
            </serverIdentity>
        </authentication>
        <maxConcurrentConnectionsPerNode>50</maxConcurrentConnectionsPerNode>
    </connectionPolicy>
</connectivity>

Note: When the NTLM protocol is used, the user name is always specified in the {server-name/user-name} format.

Using NTLM authentication with `UserIdentity`

Configure MobileFirst Server authentication

Create a security test to protect the procedure:

<customSecurityTest name="NTLMSecurityTest">
    <test isInternalUserID="true" realm="NTLMAuthRealm"/>
</customSecurityTest>

Use BasicAuthenticator, AdapterBasedAuthenticator, or any other authenticator that handles userIdentity, as the class for the realm used by the security test:

<realm name="NTLMAuthRealm" loginModule="AuthLoginModule">
    <className>com.worklight.integration.auth.AdapterAuthenticator</className>
    <parameter name="login-function" value="MyAdapter.onAuthRequired"/>
    <parameter name="logout-function" value="MyAdapter.onLogout"/>
</realm>

Add some login module to create and store user identities to be used by this realm:

<loginModule name="AuthLoginModule">
    <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
</loginModule>

Add the <authentication> element and its <ntlm workstation> child element to the adapter XML file, so that MobileFirst Server knows which authentication method to use when connecting to the back end:

<connectivity>
    <connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
        <protocol>http</protocol>
        <domain>Put.Your.Domain.Here</domain>
        <port>80</port>
        <connectionTimeoutInMilliseconds>30000</connectionTimeoutInMilliseconds>
        <socketTimeoutInMilliseconds>30000</socketTimeoutInMilliseconds>
        <authentication>
            <ntlm workstation="wl-ntlm"/>
        </authentication>
        <maxConcurrentConnectionsPerNode>50</maxConcurrentConnectionsPerNode>
    </connectionPolicy>
</connectivity>

Assign this security test to the procedure that is used to connect to the back end protected by NTLM protocol, and add connectAs="endUser" to the procedure declaration in the adapter XML file:
```
<procedure name="getNTLMData" securityTest="NTLMSecurityTest" connectAs="endUser"/>
```

Adapter JavaScript code

Create a UserIdentity that contains a user identifier and credentials properties. Format the userId as servername/username:

function submitAuthentication(username, password){
  var userIdentity = {
    userId: "MyServerName\/"+ username,
    credentials: password
  };
  WL.Server.setActiveUser("NTLMAuthRealm", null);
  WL.Server.setActiveUser("NTLMAuthRealm", userIdentity);
  ...
}

Create an http request to the NTLM protected back end:

function getSecretData(){
  var input = {
    method : 'get',
    returnedContentType : 'html',
    path : "index.html"
  };
  return WL.Server.invokeHttp(input);
}

▲

Inclusive terminology note: The Mobile First Platform team is making changes to support the IBM® initiative to replace racially biased and other discriminatory language in our code and content with more inclusive language. While IBM values the use of inclusive language, terms that are outside of IBM's direct influence are sometimes required for the sake of maintaining user understanding. As other industry leaders join IBM in embracing the use of inclusive language, IBM will continue to update the documentation to reflect those changes.

Last modified on November 09, 2016