Question
· Sep 15, 2020

HTTP request to get around Kerberos/NTLM authentication error

Hi:

I have the following method in a business operation that works on localhost but not on our server. I think it's how the firewall is set up, but I was wondering if there is a known way around this. It can't correlate XML as it returns a "The browser did not send any authentication information" error. I tried adding a username and password to the HTTP request to no avail. We could do a C# proxy on a server, but I'm wondering if there is a known way to fix this error within InterSystems. As a developer we don't have too much control over our InterSystems TIE server.

Method GetGPStatus(pRequest As Penn.EDT.Messages.GetGPStatusRequest, Output pResponse As Penn.EDT.Messages.ODSGPStatus) As %Status
{
    Set pResponse = ##class(Penn.EDT.Messages.ODSGPStatus).%New()
    Set rdr = ##class(%XML.Reader).%New()

    // HTTPS request object handed to the XML reader
    Set httprequest = ##class(%Net.HttpRequest).%New()
    Set httprequest.SSLConfiguration = "test"
    Set httprequest.Https = 1
    // 0 = the server certificate name is not checked against the host name
    Set httprequest.SSLCheckServerIdentity = 0

    // Fetch the organisation record as XML
    Set tSC = rdr.OpenURL("https://directory.spineservices.nhs.uk/ORD/2-0-0/organisations/"_pRequest.GPCode_"?_format=xml",,httprequest)
    If $$$ISERR(tSC) Quit tSC

    // Map the <Status> element onto the response class
    Do rdr.Correlate("Status","Penn.EDT.Messages.ODSGPStatus")
    If 'rdr.Next(.gpxml,.tSC) || $$$ISERR(tSC) {
        If '$$$ISERR(tSC) Set tSC = $$$ERROR($$$EnsErrGeneral,"Failed to correlate GPStatus")
        Quit tSC
    }
    Set pResponse.Status = gpxml.Status
    Quit tSC
}
 

Discussion (1)

Hello Mark,

Does the CSP.log show an authorization header with something like this?

Authorization: NTLM TlRMTVNTU... 

When NTLM is in place the client sends the authorization header prior to the body post. However, the CSP gateway is not expecting this, hence the error.

This may be resolved if you are on v2018+ as described here,
https://docs.intersystems.com/latest/csp/docbook/Doc.View.cls?KEY=GCRN_n...

Otherwise, the way this has generally been resolved in the past is to modify the NTLM settings.

One way this has been done is to change the NTLM authentication to "Authentication delegated - may authenticate directly".

Regards,

Rupert
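
The log check suggested in the reply can be scripted. This is an added example, not code from the thread or from InterSystems: it finds `Authorization` / `WWW-Authenticate` headers in log text and labels each token by its leading bytes (`TlRMTVNTU` is the base64 of the `NTLMSSP` signature). The sample lines are constructed, and the real CSP.log layout is an assumption.

```python
import base64
import re
import struct

SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
HEADER_RE = re.compile(
    r"(?i)\b(Authorization|WWW-Authenticate):\s*(NTLM|Negotiate)\s+([A-Za-z0-9+/]+)")

def classify_token(token):
    """Label a base64 NTLM/Negotiate token by its leading bytes."""
    usable = token[: len(token) // 4 * 4]   # logs often truncate the token
    try:
        raw = base64.b64decode(usable, validate=True)
    except ValueError:
        return "undecodable"
    if raw[:8] == SIG and len(raw) >= 12:
        (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian type field
        return "NTLM " + NTLM_TYPES.get(msg_type, "type %d" % msg_type)
    if raw and SIG.startswith(raw[:8]):
        return "NTLM (truncated)"
    if raw[:1] == b"\x60":                  # ASN.1 APPLICATION 0: GSS-API wrapper
        return "GSS-API/SPNEGO"
    return "unknown"

def scan_log(lines):
    """Yield (line_no, header, scheme, label) for each auth header found."""
    for no, line in enumerate(lines, 1):
        for header, scheme, token in HEADER_RE.findall(line):
            yield no, header, scheme, classify_token(token)

def _sample(msg_type):  # constructed 12-byte NTLMSSP header, not a real capture
    return base64.b64encode(SIG + struct.pack("<I", msg_type)).decode()

SAMPLE_LOG = [  # constructed lines; the real CSP.log layout may differ
    "GET /example HTTP/1.1",
    "Authorization: NTLM " + _sample(1),
    "WWW-Authenticate: NTLM " + _sample(2),
    "Authorization: NTLM " + _sample(3),
    "Authorization: Negotiate " + base64.b64encode(b"\x60\x82\x01\x00").decode(),
    "Authorization: NTLM TlRMTVNTU...",   # truncated, as shown in the reply
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

A NEGOTIATE or AUTHENTICATE message on an `Authorization` line means the client is attempting the NTLM handshake; a GSS-API/SPNEGO token under `Negotiate` points to Kerberos or SPNEGO-wrapped authentication instead.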