We have a client we need to communicate with and their API page only supports NTLM authentication. Our site runs classic ASP (JScript) so forgive that the syntax is slightly different than what you would expect normally with VB. They have provided us with the user/password/domain details that should let us connect to them.
What I'm using is (I've also left commented out a few of the other options I've tried):
```javascript
var oXmlHTTP = Server.CreateObject("Msxml2.ServerXMLHTTP.6.0");
oXmlHTTP.open("GET", "EXTERNAL_URL", false, "THEIR_DOMAIN\THEIR_USER", "PASSWORD");
//var strB64 = base64_encode("THEIR_DOMAIN\THEIR_USER" + ":" + "PASSWORD");
//oXmlHTTP.setRequestHeader("Authenticate", "NTLM "+strB64);
//oXmlHTTP.setRequestHeader("Authorization", "NTLM "+strB64);
//oXmlHTTP.setRequestHeader("WWW-Authenticate", "NTLM "+strB64);
oXmlHTTP.send();
Response.write(oXmlHTTP.getAllResponseHeaders());
```
and the response I get back is a 401 unauthorised header. After trying lots of things and then digging into the requests which are really going on using Wireshark, I can see the following 3 connections:
```
78 3.003575 MY_IP THEIR_IP HTTP 320 GET EXTERNAL_URL HTTP/1.1
83 3.031194 MY_IP THEIR_IP HTTP 398 GET EXTERNAL_URL HTTP/1.1 , NTLMSSP_NEGOTIATE
85 3.061152 MY_IP THEIR_IP HTTP 1014 GET EXTERNAL_URL HTTP/1.1 , NTLMSSP_AUTH, User: MYLOCALDOMAIN\THEIR_DOMAINTHEIR_USER
```
So what it is doing is stripping out the backslash from the username I provide and adding my local computer's domain to the request. I'm sure this is because it's a form of Windows authentication method, but we are not part of their domain, so is there any way I can force it to use the domain I provide?
As soon as I posted this I had a wild idea....
An extra slash between the domain and username fixes it.
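Added example, not part of the original post: it shows what the string literal from the question actually contains compared with the escaped form, and a pre-flight check that catches a mangled `DOMAIN\user` value before it is handed to `open()`. `checkLogonName` is a hypothetical helper and `CORP\tom` is a constructed sample name.

```javascript
// What the literal in the question holds: "\T" is not a recognised escape
// sequence, so the backslash is dropped and only "T" is kept.
var unescaped = "THEIR_DOMAIN\THEIR_USER";   // THEIR_DOMAINTHEIR_USER
var escaped   = "THEIR_DOMAIN\\THEIR_USER";  // THEIR_DOMAIN\THEIR_USER

// Constructed sample: a user name starting with t, n, r, b, f or v is worse,
// because "\t" etc. become control characters instead of disappearing.
var tabbed = "CORP\tom";                     // "CORP" + TAB + "om"

// Hypothetical helper: validate a down-level logon name (DOMAIN\user)
// before using it as the user argument of open().
function checkLogonName(name) {
  // A control character means an escape sequence was interpreted by accident.
  if (/[\x00-\x1f]/.test(name)) {
    return { ok: false, reason: "control character in name (unescaped backslash?)" };
  }
  var parts = name.split("\\");
  if (parts.length !== 2 || parts[0] === "" || parts[1] === "") {
    // With no separator the whole string is treated as the user name, which
    // matches the MYLOCALDOMAIN\THEIR_DOMAINTHEIR_USER line in the capture.
    return { ok: false, reason: "expected exactly one DOMAIN\\user separator" };
  }
  return { ok: true, domain: parts[0], user: parts[1] };
}

// Run the check over all three samples and collect one line per result.
function report() {
  var samples = [unescaped, escaped, tabbed];
  var lines = [];
  for (var i = 0; i < samples.length; i++) {
    var r = checkLogonName(samples[i]);
    lines.push(r.ok ? "ok: domain=" + r.domain + " user=" + r.user
                    : "rejected: " + r.reason);
  }
  return lines;
}
```

In classic ASP the lines returned by `report()` can be written out with `Response.Write`; the same file also runs unchanged under Node.js.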