SOAP Client - NTLM authentication

Question

Question

Dmitrii Baranov · Dec 1, 2024

#Authentication #SOAP #InterSystems IRIS for Health

I'm trying to call a SOAP web service which is implemented in .NET Classic and requires NTLM authentication. The client class was generated by %SOAP.WSDL.Reader. The problem is that neither NTLM authentication works nor can I handle the exception since VSCode debugger says that all meaningful fields and properties are empty (the same request works fine in Postman):


ClassMethod Test()
{
    #Dim client as My.Client
    Set client = ##class(My.Client).%New()
    Try
    {
        Set client.SSLConfiguration = "SSL"
        Set client.Location = "https://server/service.asmx"
        Set client.HttpInitiateAuthentication = "NTLM"
        Set client.HttpUsername = "domain\username"
        Set client.HttpPassword = "password"

        ...


        Set result = client.SomeMethod(inputParams, .outputParams)
        Write result, !
    }
    Catch ex
    {

        Set displayString = ex.DisplayString() // contains ''<ZSOAP> 64 InvokeClient+251^%SOAP.WebClient.1"
        Set fault = client.SoapFault // empty
        Set statusCode = client.HttpResponse.StatusCode // empty
        Set stream = client.HttpResponse.Data // empty
        Write stream, !
    }
}

Do you have any suggestions what I'm doing wrong?

Product version: IRIS 2024.2

Discussion (4)2

Log in or sign up to continue

Enrico Parisi · Dec 1, 2024

To debug your issue I suggest to enable SOAP logging setting this two global node:

Set ^ISCSOAP("LogFile")="/path/to/yourlog/filename.log"
Set ^ISCSOAP("Log")="ios"

Values for ^ISCSOAP("Log") are:
"i" — Log inbound messages
"o" — Log outbound messages
"s" — Log security information.

Then call your SOAP service and check the log file for hints on the actual issue.

When finished debugging remember to turn it off with Set ^ISCSOAP("Log")="" or Kill ^ISCSOAP("Log")

In error handling code, when using SOAP and a <ZSOAP> error in triggered, the actual error status is contained in %objlasterror variable, so:

Set displayString = ex.DisplayString()
If displayString [ "<ZSOAP>" {
    Set displayString=$system.Status.GetErrorText(%objlasterror)
}

It's all documented, I cannot post documentation links because the documentation site it's not working for me at the moment.

1 0

score 0 · Answer 1 · 2024-12-01T09:09:16-05:00

Great, thanks a lot, it works.

The real error messages are "ERROR #6162: Unable to create HTTP Authorization header for NTLM scheme." and "ERROR #6162: Unable to create HTTP Authorization header for Negotiate scheme." for both NTLM and Negotiate schemes respectively.

Does it mean that IRIS is unable to deal with these authentication schemes? The documentation says that NTLM is supported.

score 1 · Answer 2 · 2024-12-01T09:52:09-05:00

What platform (Operating System) are you using for IRIS?

I think NTLM authentication is not available in IRIS for Linux.

score 0 · Answer 3 · 2024-12-01T10:07:56-05:00

Dmitrii Baranov · Dec 1, 2024

That's probably the point. You are right, it is a containerized instance. Thanks again

0 0