ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » Error in NTLM Authentication

Post new topic  Reply to topic Goto page 1, 2  Next
 Error in NTLM Authentication « View previous topic :: View next topic » 
Author Message
ksrocks9
PostPosted: Thu Jul 16, 2015 9:20 pm    Post subject: Error in NTLM Authentication Reply with quote

Apprentice

Joined: 11 Mar 2015
Posts: 35

I tried to implement the NTLM authentication in IIB. I followed the instructions given in the IBM knowledge center. I am getting error 'Auth requested, but no security profile present. Ignoring.' . I created security profile in the MQ. Where I need the mention the Security profile name?

Thanks.
Back to top
View user's profile Send private message
mgk
PostPosted: Fri Jul 17, 2015 2:38 am    Post subject: Reply with quote

Padawan

Joined: 31 Jul 2003
Posts: 1638

You do not need to create a new security profile. You can simply use the built-in "Default Propagation" profile on the node using the bar editor. However, the error you show is only output when the Auth-Type is "Basic" auth, so it appears your configuration changes to use NTLM did not work. Did you restart the Server after making the change.

If you still can't get it working, please post more information, including all the commands you ran, and the platform you are using etc...

Kind regards,
_________________
MGK
The postings I make on this site are my own and don't necessarily represent IBM's positions, strategies or opinions.
Back to top
View user's profile Send private message
ksrocks9
PostPosted: Sat Jul 18, 2015 12:17 pm    Post subject: Reply with quote

Apprentice

Joined: 11 Mar 2015
Posts: 35

Thank MGK. Thanks for your help.
What you suggested me is correct I implemented NTLM successfully.

NTLM authentication Implementation Steps for outbound Request:

1) mqsichangeproperties broker_name -e IntegrationServerName -o ComIbmSocketConnectionManager
-n allowedAuthTypes -v "NTLM"
Run this command in IIB console.

2) mqsireportproperties broker_name -e IntegrationServerName
-o ComIbmSocketConnectionManager -r
To check the current outbound authentication setting.

3) Set Security Profile to "Default Propagation"
Bar file-> SOAP Request -> Properties -> Configure -> Security Profile = Default Propagation


Thanks ,
ksrocks
IIB Developer


Back to top
View user's profile Send private message
bdrummond
PostPosted: Mon Jan 11, 2016 8:06 am    Post subject: Reply with quote

Disciple

Joined: 06 May 2004
Posts: 164

Which version of IIB did you get this working on and did you have to add an APAR from IBM?
Back to top
View user's profile Send private message
ksrocks9
PostPosted: Tue Jan 12, 2016 2:07 pm    Post subject: Steps to implement NTLM authentication Reply with quote

Apprentice

Joined: 11 Mar 2015
Posts: 35

It's working in both IIB 9.0.0.2 & 9.0.0.3. I don't have APAR.

Steps to implement NTLM authentication Outbound and Inbound Requests:

Command for Outbound:
1) mqsichangeproperties broker_name -e IntegrationServerName -o ComIbmSocketConnectionManager
-n allowedAuthTypes -v "NTLM"
It allow the broker to authenticate by using the NTLM protocol.
or
mqsichangeproperties broker_name -e IntegrationServerName -o ComIbmSocketConnectionManager
-n allowedAuthTypes -v "IWA"
It allow the broker to authenticate by using any IWA(NTLM, Negotiate, Nego2) protocol.

Command to check the outbound settings:
mqsireportproperties broker_name -e IntegrationServerName
-o ComIbmSocketConnectionManager -r
In the output
allowedAuthTypes='PropertyValue'

Where PropertyValue is NTLM, Negotiate, Nego2, None, or Basic. If multiple values are set, they are separated by a semicolon.

Command for Inbound Request:
2) mqsichangeproperties Broker_Name -e ExecutionGroupName -o HTTPConnector -n integratedWindowsAuthentication -v "NTLM;Negotiate"
It allows to communicate with NTLM and Negotiate.
or

mqsichangeproperties Broker_Name -e ExecutionGroupName -o HTTPConnector -n integratedWindowsAuthentication -v "NTLM"

It allows to communicate only with NTLM protocol.

To check the inbound settings:
mqsireportproperties broker_name -e IntegrationServerName -o ConnectorType -r
Make sure it in the output
IntegratedWindowsAuthentication='PropertyValue'
Where PropertyValue is NTLM, Negotiate, Nego2, None, or Basic. If multiple values are set, they are separated by a semicolon.

3) Set Security Profile to "Default Propagation" for outbound requests
Bar file-> SOAP Request -> Properties -> Configure -> Security Profile = Default Propagation

We don't need anything for inbound authentication.


Thanks,
KS
IIB Developer.
Back to top
View user's profile Send private message
bdrummond
PostPosted: Wed Jan 13, 2016 2:57 am    Post subject: Reply with quote

Disciple

Joined: 06 May 2004
Posts: 164

Hi KS,

Many thanks for your post. I've done all of those settings (and followed the Infocenter also) but I'm still getting an error of HTTP/1.1 407 Proxy Authentication Required.
I am not using the Windows IIB service id for authentication so am setting the appropriate values in the message properties (IdentitySourceToken, IdentitySourcePassword etc) but to no avail.

My Integration Server properties are as follows:

Code:
ComIbmSocketConnectionManager
  uuid='ComIbmSocketConnectionManager'
  userTraceLevel='none'
  traceLevel='none'
  userTraceFilter='none'
  traceFilter='none'
  vrmfIntroducedAt='7.0.0.0'
  resourceStatsReportingOn='inactive'
  resourceStatsMeasurements='<ResourceStatsSwitches ResourceType="Sockets" version='1'> <Measurement name="TotalSockets"
 collect="on" /> <Measurement name="TotalMessages" collect="on" /> <Measurement name="TotalDataSent_KB" collect="on" />
<Measurement name="TotalDataReceived_KB" collect="on" /> <Measurement name="SentMessageSize_0-1KB" collect="on" /> <Meas
urement name="SentMessageSize_1KB-10KB" collect="on" /> <Measurement name="SentMessageSize_10KB-100KB" collect="on" /> <
Measurement name="SentMessageSize_100KB-1MB" collect="on" /> <Measurement name="SentMessageSize_1MB-10MB" collect="on" /
> <Measurement name="SentMessageSize_Over10MB" collect="on" /> <Measurement name="ReceivedMessageSize_0-1KB" collect="on
" /> <Measurement name="ReceivedMessageSize_1KB-10KB" collect="on" /> <Measurement name="ReceivedMessageSize_10KB-100KB"
 collect="on" /> <Measurement name="ReceivedMessageSize_100KB-1MB" collect="on" /> <Measurement name="ReceivedMessageSiz
e_1MB-10MB" collect="on" /> <Measurement name="ReceivedMessageSize_Over10MB" collect="on" /> </ResourceStatsSwitches>'
  activityLogSupported='no'
  maxSocketAge='4'
  maxKeepAliveRequests='90'
  resetCollectionStatistics=''
  tcpNoDelay='Platform Default'
  tcpNoDelaySSL='Platform Default'
  preemptiveAuthType='Ntlm'
  allowNtlmNegotiation='TRUE'
  negotiateMutualAuth='FALSE'
  allowedAuthTypes='Ntlm; Negotiate'



I might have to check with the Network team in order to see what the Proxy server is requiring for authentication.

Cheers.
Back to top
View user's profile Send private message
bdrummond
PostPosted: Thu Jan 14, 2016 2:31 am    Post subject: Reply with quote

Disciple

Joined: 06 May 2004
Posts: 164

Looks like the Broker is sending the Broker Service Id in order to authenticate and not the username/password that is required to authenticate. (HTTP/1.1 403 Forbidden)
I guess I'll need to create a Security Profile and not use the 'Default Propagation'?
Back to top
View user's profile Send private message
mgk
PostPosted: Thu Jan 14, 2016 4:36 am    Post subject: Reply with quote

Padawan

Joined: 31 Jul 2003
Posts: 1638

The support for IWA/NTLM/basicAuth etc is for direct connections to the remote server. If you need to go via a proxy and are using SSL, you can try using the ProxyConnectHeaders LocalEnvironment override to send the proxy 'Proxy-Authorization' header information as documented on this page:

http://www-01.ibm.com/support/knowledgecenter/SSMKHH_10.0.0/com.ibm.etools.mft.doc/ac04595_.htm?lang=en

If you are not using SSL you can set the proxy auth header directly in the HTTPRequestHeaders, as documented on the same page above (in the same section as the "ProxyConnectHeaders").

Kind regards,
_________________
MGK
The postings I make on this site are my own and don't necessarily represent IBM's positions, strategies or opinions.
Back to top
View user's profile Send private message
balu2608
PostPosted: Wed Jul 11, 2018 2:11 pm    Post subject: Ntlm authentication is not working in IIB on linux Reply with quote

Apprentice

Joined: 18 May 2012
Posts: 39

As mentioned in the pages, configured all the properties..
It is working in the windows iib. When we deploy the bar In Linux it is giving 401 un authorized..
The same bar is working in windows integration node.

Iib version:-9.0.0.3
Back to top
View user's profile Send private message
Vitor
PostPosted: Thu Jul 12, 2018 4:55 am    Post subject: Re: Ntlm authentication is not working in IIB on linux Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

balu2608 wrote:
As mentioned in the pages, configured all the properties..
It is working in the windows iib. When we deploy the bar In Linux it is giving 401 un authorized..
The same bar is working in windows integration node.

Iib version:-9.0.0.3


This post is a) 2 years old and b) discussing NTLM, which is a Windows specific security profile. It's not surprising that the instance of IIB on the OS which supports NTLM can handle it where the instance on the OS which doesn't support it can't, and correctly returns a 401 because it can't successfully authorize the call.

Unless you'd care to add the steps you took to enable NTLM support on Linux?
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
balu2608
PostPosted: Sat Jul 14, 2018 12:04 pm    Post subject: Ntlm authentication is not working in IIB on linux Reply with quote

Apprentice

Joined: 18 May 2012
Posts: 39

@Vitor, Thanks for the reply, a) i know that the post is 2 years back, but im facing the same issue
2) i followed all the steps its better to help us in solving problem.

NTLM in IIB 9.0.03 on AIX is supported or not?

if you know the solution or suggestion , kindly give us
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Sun Jul 15, 2018 1:33 am    Post subject: Re: Ntlm authentication is not working in IIB on linux Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

balu2608 wrote:
@Vitor, Thanks for the reply, a) i know that the post is 2 years back, but im facing the same issue
2) i followed all the steps its better to help us in solving problem.

NTLM in IIB 9.0.03 on AIX is supported or not?

if you know the solution or suggestion , kindly give us

As Vitor specified, the real question is what steps do you need to follow on AIX to enable NTLM (kerberos?)?
Once those have been taken you can look at what you need to do in IIB to make use of it.
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
balu2608
PostPosted: Sun Jul 15, 2018 1:45 pm    Post subject: Ntlm authentication is not working in IIB on AIX Reply with quote

Apprentice

Joined: 18 May 2012
Posts: 39

yes i agree with both of you,

i have followed all the steps mentioned in the IBM links, but no luck.

i just concentrated only on the NTLM,

Kerberos is not my issue, i have issue only with NTLM
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Sun Jul 15, 2018 4:54 pm    Post subject: Re: Ntlm authentication is not working in IIB on AIX Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

balu2608 wrote:
yes i agree with both of you,

i have followed all the steps mentioned in the IBM links, but no luck.

i just concentrated only on the NTLM,

Kerberos is not my issue, i have issue only with NTLM

Have you looked at http://www.tutorialspoint.com/unix_commands/ntlm_auth.htm and what have you done about it?
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
balu2608
PostPosted: Wed Jul 25, 2018 11:32 am    Post subject: Ntlm authentication is not working in IIB on AIX Reply with quote

Apprentice

Joined: 18 May 2012
Posts: 39

Guys, I looked all the blogs ,

raised PMR with IBm,..

They have cleared that no NTLM on IIB AIX.

So i have used JAVA to connects.

thanks for all your support.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Goto page 1, 2  Next Page 1 of 2

MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » Error in NTLM Authentication
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.