NTLM with Node JS

Mchoeti · 2021-08-05T17:27:59+00:00

There was an error rendering this rich post.

Hi all !

I am trying to set up my own NodeJS application to do some changes on different documents. As example rename all obcets from A to B with the doc id 12 , 13 and 14..

At the moment i am able to do some REST Calls they are fine and all is good. But the problem is i have to add the NTLM authentication in the Header. Which works good in Postman and which works also in Insomnis. But i am having a little problem dooing this in Node JS. Authentication should work with this call.

var axios = require('axios');
var FormData = require('form-data');
var data = new FormData();
data.append('username', 'myUSerName');
data.append('domain', 'myDomain');
data.append('password', 'myPassword');


var config = {
    method: 'post',
    url: 'https://my.server.at/OTCS/cs.exe/api/v1/auth',
    headers: {
        ...data.getHeaders()
    },
    data: data
};


axios(config)
    .then(function (response) {
        console.log(JSON.stringify(response.data));
    })
    .catch(function (error) {
        console.log(error);
    });

But unfortunately i am getting an 403

statusMessage: 'Forbidden',

When i am dooing the call in Postman or in Insomnia it only works when i add the NTLM authorisation Type in the header. As example

With NTLM Auth & OTCSticket ==> 200

Only using OTCSticket ==> 401

Do you have any ideas or what do i miss ? I know in my NodeJS is nothing with NTLM which tellls me that this could not work. But on the other hand should a OTCSticket not be enough?

Cheers and hope to hear from you soon.

Mchoeti

Ps: I tested this on CS 16.2.11 and 20.3 . What do i miss ?

Find more posts tagged with

Content Server

Comments

Appu Nair

Livelink Rest api which is the new CS Rest api will only do what you want it to do when it sees some kind of credential in the call . The code strips out any other things like say browser cookies . For convenience and back ward compatibility it supports the basic authentication scheme at the web server level . I am not familiar with NTLM aspects but thought I would share why IWA won’t work with REST . The rest api will work fine if it gets a otdsticket or OTcsticket or a userid/password in the request header everything else it will balk . BTOA functions like the basic auth are also supported

While I have no real concrete proof to offer as soon as the livelink rest api sees a otdsticket miraculously it will go through . I had to write simple java rest calls in an app I support and found that it did not like otcsticket ( postman trials was still working) since I needed to move on I didn’t check the environment and coded it with otdsticket

Ferdinand Prantl

I recommend you disabling IWA on the CS CGI URL (letting anonymous access to it) and configuring the Windows SSO on OTDS. It will ensure the same functionality to browser users and your REST clients will not be limited to the MS platform or unofficial connectors.

Anonymous access does not mean unauthenticated access. It means that without an authentication token, a user will be redirected to OTDS and a REST client will receive the 401 error.

Alternatively, you could configure one more CGI URL for the REST access, for example:

/otcs/llisapi.dll - web page users, IWA
/rest/llisapi.dll - REST clients, anonymous access

Details

The recommended CS installation sets up the CGI URL for anonymous access. The CGI URL is used not only to access the web pages in the browser, but also as a REST endpoint. If you enable IWA on it, you will not be able to connect to it from a non-Microsoft environment easily. You could read articles like Windows Integrated Authentication in node.js Client, look for NPM packages, free or commercial, but all of that that would be just an unnecessary effort. And once you buy an application running in Python on Linux, you will be spending time on the same problem again.

mbarben

Two other suggestions:

If you are using PostMan - when you generate the code feature to make the request does it include the boilerplate to include the NTLM
Have you tried just hitting a static resource (that is not authenticated by Content Server, but is protected by NTLM) to confirm that it is not the node library?

Mchoeti

Hi all ! Thanks for the reply. I found the solution for the problem. First of all there was a need to create a CGU, then i added the role Anonymous on it. After that i change my destination REST Call to the new created CGI,

Now i am able to authenticate at firstwith user and password. This gives me a ticket. A this ticket is valid for my calls.

And to your Postman question. Well the Postman feature gives me the right snip but does not include the NTLM header and if you have configured your CS the hard way the code feature is not working. I mean dooing REST Calls in Postman is working because, a manually sent REST call will always work.

To sum it up. Thanks guys for the help. Awesome

Cheers Ch