Wednesday, September 16, 2015

How to test the NTLM mediator in WSO2 ESB


The initial setup for testing the NTLM mediator in the ESB is as follows.

1. Enable NTLM on the host server


To test the NTLM mediator's behaviour we need a service hosted on a server with NTLM enabled. In Windows IIS, NTLM can be enabled easily as follows. You just need to install the IIS features together with Windows Authentication.


  


After installing the IIS features, Windows Authentication needs to be enabled in IIS as well.





2. Create the WCF service and deploy it in IIS.




To support NTLM we need to add the following configuration to web.config.





3. After that, deploy the service in IIS.







4. Browse the service via the browser.





Click on the WSDL URL. If a credentials window pops up, that indicates NTLM is enabled correctly in IIS.





5. After that we need to configure the ESB with the NTLM mediator.


To start from a clean state, follow the steps below:

1. Unzip a fresh ESB 4.8.1 pack (<ESB_HOME>).
2. Unzip the org.wso2.carbon.mediator.ntlm.zip file (<NTLM_MEDIATOR_HOME>).
3. Copy <NTLM_MEDIATOR_HOME>/target/org.wso2.carbon.mediator.ntlm-1.0.0.jar to the <ESB_HOME>/repository/components/dropins folder.
4. Start the ESB server.
5. Edit the NTLMProxy.xml proxy, adding the host, credentials, action, etc., and deploy it in the ESB.




6. Now try invoking the service with the target message from the front end. You can get a clear idea of the NTLM handshake by analyzing the TCPMon logs. In the captured responses below, the first 401 advertises the Negotiate and NTLM schemes, the second 401 returns the server's NTLM challenge (Type 2 message) in WWW-Authenticate after the mediator has sent its Type 1 message, and the 200 OK with the SOAP body arrives once the mediator's Type 3 (authenticate) message is accepted.


HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Thu, 10 Sep 2015 08:21:59 GMT
Content-Length: 6317

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> 

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>IIS 7.5 Detailed Error - 401.2 - Unauthorized</title>

</head>

<body>
<div id="header"><h1>Server Error in Application "WCF2"</h1></div>
<div id="server_version"><p>Internet Information Services 7.5</p></div>
<div id="content"> 
<div class="content-container"> 
 <fieldset><legend>Error Summary</legend> 
  <h2>HTTP Error 401.2 - Unauthorized</h2> 
  <h3>You are not authorized to view this page due to invalid authentication headers.</h3> 
 </fieldset>
</div>
<div class="content-container"> 
 <fieldset><legend>Detailed Error Information</legend> 
  <div id="details-left"> 
   <table border="0" cellpadding="0" cellspacing="0"> 
    <tr class="alt"><th>Module</th><td>IIS Web Core</td></tr> 
    <tr><th>Notification</th><td>AuthenticateRequest</td></tr> 
    <tr class="alt"><th>Handler</th><td>svc-Integrated-4.0</td></tr>
    <tr><th>Error Code</th><td>0x80070005</td></tr>
   </table>
  </div>
  <div id="details-right"> 
   <table border="0" cellpadding="0" cellspacing="0"> 
    <tr class="alt"><th>Requested URL</th><td>http://172.22.217.130:6000/CustomService.svc/test</td></tr> 
    <tr><th>Physical Path</th><td>C:\Users\rmperera\Desktop\wcf\Wcf2\Wcf2\CustomService.svc\test</td></tr>
    <tr class="alt"><th>Logon Method</th><td>Not yet determined</td></tr>
    <tr><th>Logon User</th><td>Not yet determined</td></tr>
   </table>
   <div class="clear"></div>
  </div>
 </fieldset>
</div>
<div class="content-container"> 
 <fieldset><legend>Most likely causes:</legend> 
  <ul>
   <li>No authentication protocol (including anonymous) is selected in IIS.</li>
   <li>Only integrated authentication is enabled, and a client browser was used that does not support integrated authentication.</li>
   <li>Integrated authentication is enabled and the request was sent through a proxy that changed the authentication headers before they reach the Web server.</li>
   <li>The Web server is not configured for anonymous access and a required authorization header was not received.</li>
   <li>The "configuration/system.webServer/authorization" configuration section may be explicitly denying the user access.</li>
  </ul>
 </fieldset>
</div>
<div class="content-container"> 
 <fieldset><legend>Things you can try:</legend> 
  <ul>
   <li>Verify the authentication setting for the resource and then try requesting the resource using that authentication method.</li>
   <li>Verify that the client browser supports Integrated authentication.</li>
   <li>Verify that the request is not going through a proxy when Integrated authentication is used.</li>
   <li>Verify that the user is not explicitly denied access in the "configuration/system.webServer/authorization" configuration section.</li>
   <li>Create a tracing rule to track failed requests for this HTTP status code. For more information about creating a tracing rule for failed requests, click <a href="http://go.microsoft.com/fwlink/?LinkID=66439">here</a>.</li>
  </ul>
 </fieldset>
</div>


<div class="content-container"> 

 <fieldset><legend>Links and More Information</legend> 
  This error occurs when the WWW-Authenticate header sent to the Web server is not supported by the server configuration. Check the authentication method for the resource, and verify which authentication method the client used. The error occurs when the authentication methods are different. To determine which type of authentication the client is using, check the authentication settings for the client. 
  <p><a href="http://go.microsoft.com/fwlink/?LinkID=62293&amp;IIS70Error=401,2,0x80070005,7601">View more information &raquo;</a></p> 
  <p>Microsoft Knowledge Base Articles:</p> 
 <ul><li>907273</li><li>253667</li></ul> 

 </fieldset>

</div>
</div>
</body>
</html>

HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: NTLM TlRMTVNTUAACAAAABwAHADgAAAAGAoECHRyBM8ijUIMAAAAAAAAAAKIAogA/AAAABgGxHQAAAA9WSVJUVVNBAgAOAFYASQBSAFQAVQBTAEEAAQAWAEMATQBEAFIATQBQAEUAUgBFAFIAQQAEABYAVgBpAHIAdAB1AHMAYQAuAGMAbwBtAAMALgBDAE0ARABSAE0AUABFAFIARQBSAEEALgBWAGkAcgB0AHUAcwBhAC4AYwBvAG0ABQAWAFYAaQByAHQAdQBzAGEALgBjAG8AbQAHAAgAm2Jmw6Hr0AEAAAAA
Date: Thu, 10 Sep 2015 08:21:59 GMT
Content-Length: 341

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">

<HTML><HEAD><TITLE>Not Authorized</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Not Authorized</h2>
<hr><p>HTTP Error 401. The requested resource requires user authentication.</p>
</BODY></HTML>

HTTP/1.1 200 OK
Content-Length: 210
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
Persistent-Auth: true
X-Powered-By: ASP.NET
Date: Thu, 10 Sep 2015 08:21:59 GMT


<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><getMessageResponse xmlns="http://tempuri.org/"><getMessageResult>Hello wso2</getMessageResult></getMessageResponse></s:Body></s:Envelope>
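The second 401 above carries the server's NTLM CHALLENGE_MESSAGE (Type 2) base64-encoded in the WWW-Authenticate header. The script below is an added example, not part of the original post or of the WSO2 mediator: it decodes that exact header value from the trace so the negotiated flags, the 8-byte server challenge, the target name and the AV pairs (NetBIOS/DNS names and timestamp) can be read off; the field layout follows MS-NLMP and the function and constant names are mine.

```python
import base64
import struct
from datetime import datetime, timezone

# The CHALLENGE_MESSAGE exactly as captured in the second 401 of the trace above
IIS_CHALLENGE = ("TlRMTVNTUAACAAAABwAHADgAAAAGAoECHRyBM8ijUIMAAAAAAAAAAKIAogA/AAAABgGxHQAAAA9W"
                 "SVJUVVNBAgAOAFYASQBSAFQAVQBTAEEAAQAWAEMATQBEAFIATQBQAEUAUgBFAFIAQQAEABYAVgBp"
                 "AHIAdAB1AHMAYQAuAGMAbwBtAAMALgBDAE0ARABSAE0AUABFAFIARQBSAEEALgBWAGkAcgB0AHUA"
                 "cwBhAC4AYwBvAG0ABQAWAFYAaQByAHQAdQBzAGEALgBjAG8AbQAHAAgAm2Jmw6Hr0AEAAAAA")

# A few NegotiateFlags bits (MS-NLMP 2.2.2.5) that matter when reading a trace
FLAGS = {0x1: "UNICODE", 0x2: "OEM", 0x4: "REQUEST_TARGET", 0x200: "NTLM",
         0x10000: "TARGET_TYPE_DOMAIN", 0x80000: "EXTENDED_SESSIONSECURITY",
         0x800000: "TARGET_INFO", 0x2000000: "VERSION", 0x20000000: "128", 0x80000000: "56"}
AV_IDS = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
          4: "DnsDomainName", 5: "DnsTreeName", 7: "Timestamp"}
EPOCH_DIFF = 116444736000000000  # FILETIME ticks between 1601-01-01 and 1970-01-01


def parse_challenge(b64: str) -> dict:
    """Decode an NTLM CHALLENGE_MESSAGE (MS-NLMP 2.2.1.2) from its base64 header value."""
    msg = base64.b64decode(b64)
    if msg[:8] != b"NTLMSSP\0" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    tn_len, _, tn_off, flags = struct.unpack_from("<HHII", msg, 12)
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)
    # TargetName is an OEM (single-byte) string unless UNICODE was negotiated
    target = msg[tn_off:tn_off + tn_len].decode("utf-16-le" if flags & 1 else "ascii")
    version = None
    if flags & 0x2000000:  # the VERSION field is only meaningful with NEGOTIATE_VERSION
        version = struct.unpack_from("<BBH", msg, 48)  # (major, minor, build)
    av, pos = {}, ti_off
    while pos + 4 <= ti_off + ti_len:  # walk the AV_PAIR list up to MsvAvEOL
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        val = msg[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
        if av_id == 0:
            break
        if av_id == 7:  # MsvAvTimestamp: little-endian FILETIME
            secs = (struct.unpack_from("<Q", val)[0] - EPOCH_DIFF) // 10_000_000
            av["Timestamp"] = datetime.fromtimestamp(secs, tz=timezone.utc)
        else:
            av[AV_IDS.get(av_id, f"AvId{av_id}")] = val.decode("utf-16-le")
    return {"flags": flags, "flag_names": [n for b, n in FLAGS.items() if flags & b],
            "challenge": msg[24:32].hex(), "target_name": target,
            "version": version, "target_info": av}


if __name__ == "__main__":
    for key, value in parse_challenge(IIS_CHALLENGE).items():
        print(f"{key}: {value}")
```

Note that the flags show the mediator negotiated OEM rather than UNICODE and no extended session security or signing, and the AV timestamp matches the Date header of the response.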

4 comments:

  2. Where is org.wso2.carbon.mediator.ntlm.zip?

  3. Could you please make org.wso2.carbon.mediator.ntlm.zip available?
    Thanks.

  4. The whole spec on NTLM can be found here:
    http://www.dushantech.com/2015/05/ntlm-authentication-wso2-esb-developer.html
