How to authenticate against Windows Authentication from CFINVOKE

Question:

Using cfinvoke to call a MS SQL 2K web service that is behind Windows Authentication in IIS.

The username and password attributes do not work as they are in clear text.  I tried doing this and it didnt work:

<cfinvoke
  webservice = "http://localhost/mywebservice?wsdl"
  method = "myMethod"
  mytext = "SOAP Test"
  username = "username@NTdomain"
  password = "password"
  returnVariable = "foo"/>

How do I authenticate it?
PSLLCAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

pinaldaveCommented:
Hi PSLLC,
!--- Invoke NTSecurity CFC as if it were in the same directory as your calling CFML page. If it is not, you can use dot notation to refer to its location. Read the ColdFusion MX documentation for more details. --->
<cfinvoke
component = "NTSecurity"
method = "authenticateAndGetGroups"
domain = "#Request.myDomain#"
userid = "#Form.UserID#"
passwd = "#Form.Passwd#"
returnVariable = "GetUsers">

http://www.macromedia.com/devnet/mx/coldfusion/articles/ntdomain_1.html


Regards,
---Pinal
0
sigmaconCommented:
I think pinaldave may have misunderstood your question. You are trying to figure out how to authenticate against a MS SQL 2K Webservice, correct? The first guess I would make is proper syntax for the nt login name, which should be:

\\domain\user.name

<cfinvoke
  webservice = "http://localhost/mywebservice?wsdl"
  method = "myMethod"
  mytext = "SOAP Test"
  username = "\\domain\user.name"
  password = "password"
  returnVariable = "foo"/>

If that does not work, please post the most detailed error message you can come up with here.
0
PSLLCAuthor Commented:
Thanks to both of you - Pinal - hello from your ol' pals in LA.

Yes, I think Pinal misundertood. The web service is on a serparate machine and we need to authenticate against that, not on the same machine.

sigmacon - i dont think your suggestion works because the username password combo of cfinvoke is sent as clear text (Basic Authentication), which is a different authentication method than the web service is behind (Windows Integrated Authentication).  I tried the \\domain\user.name and receieved a 401 error, which is just access denied.  So the question remains how to authenticate :

 Error Occurred While Processing Request
Could not perform web service invocation "mysp_test" because AxisFault faultCode: {http://xml.apache.org/axis/}HTTP faultSubcode: faultString: (401)Access Denied faultActor: faultNode: faultDetail: {}string: return code: 401 &lt;!DOCTYPE HTML PUBLIC &quot;-//W3C//DTD HTML 3.2 Final//EN&quot;&gt; &lt;html dir=ltr&gt; &lt;head&gt; &lt;style&gt; a:link {font:8pt/11pt verdana; color:FF0000} a:visited {font:8pt/11pt verdana; color:#4e4e4e} &lt;/style&gt; &lt;META NAME=&quot;ROBOTS&quot; CONTENT=&quot;NOINDEX&quot;&gt; &lt;title&gt;You are not authorized to view this page&lt;/title&gt; &lt;META HTTP-EQUIV=&quot;Content-Type&quot; Content=&quot;text-html; charset=Windows-1252&quot;&gt; &lt;/head&gt; &lt;script&gt; function Homepage(){ &lt;!-- // in real bits, urls get returned to our script like this: // res://shdocvw.dll/http_404.htm#http://www.DocURL.com/bar.htm //For testing use DocURL = &quot;res://shdocvw.dll/http_404.htm#https://www.microsoft.com/bar.htm"; DocURL=document.URL; /...
 
The error occurred in D:\...mysoap.cfm: line 17

15 :   webservice = "http://mydomain/soap/soap?wsdl"
16 :   method = "mysp_test"
17 :   mytext = "SOAP Test"
18 :   username = "\\mydomain\username"
19 :   password = "password"

Please try the following:

    * Check the ColdFusion documentation to verify that you are using the correct syntax.
    * Search the Knowledge Base to find a solution to your problem.

Browser         Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 Firefox/0.10.1
Remote Address         68.123.90.162
Referrer         
Date/Time         28-Oct-04 11:33 AM
Stack Trace
at cfmysoap2ecfm1545139204.runPage(D:\...mysoap.cfm:17)

coldfusion.xml.rpc.ServiceProxy$ServiceInvocationException: Could not perform web service invocation "mysp_test" because AxisFault
 faultCode: {http://xml.apache.org/axis/}HTTP
 faultSubcode:
 faultString: (401)Access Denied
 faultActor:
 faultNode:
 faultDetail:
      {}string: return code:  401
&lt;!DOCTYPE HTML PUBLIC &quot;-//W3C//DTD HTML 3.2 Final//EN&quot;&gt;
&lt;html dir=ltr&gt;

&lt;head&gt;
&lt;style&gt;
a:link                  {font:8pt/11pt verdana; color:FF0000}
a:visited               {font:8pt/11pt verdana; color:#4e4e4e}
&lt;/style&gt;

&lt;META NAME=&quot;ROBOTS&quot; CONTENT=&quot;NOINDEX&quot;&gt;

&lt;title&gt;You are not authorized to view this page&lt;/title&gt;

&lt;META HTTP-EQUIV=&quot;Content-Type&quot; Content=&quot;text-html; charset=Windows-1252&quot;&gt;
&lt;/head&gt;

&lt;script&gt;
function Homepage(){
&lt;!--
// in real bits, urls get returned to our script like this:
// res://shdocvw.dll/http_404.htm#http://www.DocURL.com/bar.htm

      //For testing use DocURL = &quot;res://shdocvw.dll/http_404.htm#https://www.microsoft.com/bar.htm";
      DocURL=document.URL;
      
      /...
      at coldfusion.xml.rpc.ServiceProxy.invokeImpl(Unknown Source)
      at coldfusion.xml.rpc.ServiceProxy.invoke(Unknown Source)
      at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:1582)
      at coldfusion.tagext.lang.InvokeTag.doEndTag(InvokeTag.java:372)
      at coldfusion.runtime.CfJspPage._emptyTag(CfJspPage.java:1872)
      at cfmysoap2ecfm1545139204.runPage(D:\...mysoap.cfm:17)
      at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:147)
      at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:357)
      at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:62)
      at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:107)
      at coldfusion.filter.PathFilter.invoke(PathFilter.java:80)
      at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:47)
      at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:52)
      at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
      at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:35)
      at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:43)
      at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
      at coldfusion.CfmServlet.service(CfmServlet.java:105)
      at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:91)
      at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
      at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:252)
      at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:527)
      at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:192)
      at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:348)
      at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:451)
      at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:294)
      at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

0
Cloud Class® Course: Ruby Fundamentals

This course will introduce you to Ruby, as well as teach you about classes, methods, variables, data structures, loops, enumerable methods, and finishing touches.

sigmaconCommented:
Sorry about my idea not working. Did you cut of the beginning of the stack trace?

You said the service is on a different computer, but you are using localhost?

Please try this:

<cfinvoke
  webservice = "http://user:password@localhost/mywebservice?wsdl"
  ...

the user name and password in the invocation I think are for the service itself, not for the transport layer authentication. Got my suggestion from:

http://cookbook.soaplite.com/#accessing%20service%20with%20basic%20authentication
0
pinaldaveCommented:
>>>  Thanks to both of you - Pinal - hello from your ol' pals in LA.
Well, I do not have to teach to my teachers. I will be quitely subscribed to this thread and listen and learn.
Now, I figured it out who is PSLLC. :=))
Regards,
---Pinal
0
sigmaconCommented:
Well, Pinal, who is PSLLC - and what did you learn from him or her ??
0
PSLLCAuthor Commented:
Pinal is being very gracious - we worked together when he lived in Los Angeles.  Pinal began his ColdFusion career with us.
0
pinaldaveCommented:
Who is PSLLC -
>>> The gang of smartest ColdFusion Programmer I ever knew in my life.

What did you learn from him or her ??
>>> They tought me ColdFusion from scratch. ( I think from them I have first time heard the word CF)
Where ever I am due to them.

Regards,
---Pinal
0
pinaldaveCommented:
I am so happy to put this in writing. That PSLLC have started my career in real world.
Regards,
---Pinal
0
sigmaconCommented:
Well, pretty cool. Back to the question: Did anything help so far?
0
PSLLCAuthor Commented:
hmm.  Not yet.  Again, the username and password

I think this may not be possible.  I found some documentation on CFHTTP's use of username and password, and they are also sent as clear text and the documentation says that those attributes cannot be used to authenticate a Windows Domain.  Basically, we're this is leaving me is this - we probably have to create a SSL connection, and then send the username/password via that using clear text, so that way it'd be encrypted.

BUT - I'd still rather be able to authenticate the webservice using cfinvoke!!!  Argh!!

0
sigmaconCommented:
You are right, for basic authentication, the password is in clear text and SSL is preferred.

What are the settings in IIS that is serving the request for the web service? If it's Basic Authentication, the method I suggested should work. If it is integrated authentication, then the whole thing looks a lot more complicated. In that case, I believe, the user with which the CF service is running needs to be added to the list of allowed users in the security settings on the remote IIS server. Again, you say the servers is remote, but you are testing against localhost?
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
sigmaconCommented:
My assumption about when username / password come into play was wrong - they ARE used for basic authenticaton - but what is your webserver configured to? I am pretty confident that it doesn't work with Integrated Windows Authentication using username / password. The documentation specifically mentions http headers.
0
PSLLCAuthor Commented:
Here's the final tally I think.

I had the web server set to Windows Authentication, but not by accident, I wanted to see if we could authenticate against a Windows Domain, which we cannot.

Its been changed to basic authentication, and what we'll be doing is just creating an SSL connection to the destination server to ensure the transaction is secure/encrypted.

Thanks for all of your help.
0
pinaldaveCommented:
Thank you. =))
PSLLC rocks!
Hello to J&J, B&B and brothers.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Servers

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.