Mutual Authentication when using Web Services
Hi,
We have encountered a problem when using the RAM web services due to the requirement that the web server, IIS, require an NTLM authentication before passing on requests to the RAM application. This is fine for an end user accessing RAM, as when they are presented with the NTLM login dialog they are able to enter their credentials. They are then taken to the RAM login page, where they can then re-enter their credentials to log in to RAM. However, when the RAM web services are used by either Eclipse or the RAM Client libraries, the request fails. It seems that it fails because the client is only expecting to have to pass credentials once. Currently we are overcoming this by connecting directly to the Web Container of the AppServer. However, we need to use the IIS server.
What has been proposed is to set up another web site within IIS that does not impose the NTLM login. However, the standards state that if an NTLM login is not imposed then the client and server must authenticate with each other. Do you know if Eclipse and, more importantly, the RAM Client can use mutual authentication?
Cheers.
Des
3 answers
That makes sense ... as NTLM is a connection-based authentication, and the Rich Client is using Basic Auth (per-request authentication), I am not sure how well those work together.
The Rich Client is using HTTP Client, but we do not use and have not tested an NTCredentials path: http://hc.apache.org/httpclient-3.x/authentication.html#NTLM
I opened an enhancement request: https://jazz.net/jazz02/resource/itemName/com.ibm.team.workitem.WorkItem/41100 for tracking purposes. If you need that support, you will need to advocate for it to get prioritized in one of our future releases.
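For anyone who wants to check their IIS front end against the NTCredentials path linked in the answer, the following is an added example using Commons HttpClient 3.x directly. It is not code from the RAM Rich Client or from the poster; the host name, URL path, class name and environment variable names are assumptions.

```java
import java.net.InetAddress;
import java.util.ArrayList;
import java.util.List;

import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.NTCredentials;
import org.apache.commons.httpclient.auth.AuthPolicy;
import org.apache.commons.httpclient.auth.AuthScope;
import org.apache.commons.httpclient.methods.GetMethod;

public class NtlmProbe {
    public static void main(String[] args) throws Exception {
        // Hypothetical values: replace with the IIS site under test.
        String host = "ram.example.internal";
        int port = 443;
        String url = "https://" + host + "/ram/"; // placeholder path

        // Credentials come from the environment, not from source code.
        String user = System.getenv("NTLM_USER");
        String pass = System.getenv("NTLM_PASS");
        String domain = System.getenv("NTLM_DOMAIN");
        if (user == null || pass == null || domain == null) {
            throw new IllegalStateException("Set NTLM_USER, NTLM_PASS and NTLM_DOMAIN");
        }
        String workstation = InetAddress.getLocalHost().getHostName();

        HttpClient client = new HttpClient();
        // Offer NTLM only, so the password is never sent with Basic
        // if the server also advertises that scheme.
        List<String> schemes = new ArrayList<String>();
        schemes.add(AuthPolicy.NTLM);
        client.getParams().setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, schemes);
        // Scope the credentials to this host and port only.
        client.getState().setCredentials(
                new AuthScope(host, port, AuthScope.ANY_REALM),
                new NTCredentials(user, pass, workstation, domain));

        // NTLM authenticates the connection, so both requests go through
        // the same HttpClient (and its reused connection).
        for (int i = 1; i <= 2; i++) {
            GetMethod get = new GetMethod(url);
            get.setDoAuthentication(true);
            try {
                int status = client.executeMethod(get);
                System.out.println("request " + i + ": HTTP " + status);
            } finally {
                get.releaseConnection();
            }
        }
    }
}
```

A 401 on both requests means the NTLM handshake itself is failing; a 200 followed by the RAM login page shows the second, application-level login the question describes.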