Solved

How to authenticate against Windows Authentication from CFINVOKE

Posted on 2004-10-27
1,245 Views
Last Modified: 2013-12-24
Question:

Using cfinvoke to call a MS SQL 2K web service that is behind Windows Authentication in IIS.

The username and password attributes do not work as they are in clear text.  I tried doing this and it didnt work:

<cfinvoke
  webservice = "http://localhost/mywebservice?wsdl"
  method = "myMethod"
  mytext = "SOAP Test"
  username = "username@NTdomain"
  password = "password"
  returnVariable = "foo"/>

How do I authenticate it?
0
Question by:PSLLC
    15 Comments
     
    LVL 22

    Assisted Solution

    by:pinaldave
    Hi PSLLC,
    !--- Invoke NTSecurity CFC as if it were in the same directory as your calling CFML page. If it is not, you can use dot notation to refer to its location. Read the ColdFusion MX documentation for more details. --->
    <cfinvoke
    component = "NTSecurity"
    method = "authenticateAndGetGroups"
    domain = "#Request.myDomain#"
    userid = "#Form.UserID#"
    passwd = "#Form.Passwd#"
    returnVariable = "GetUsers">

    http://www.macromedia.com/devnet/mx/coldfusion/articles/ntdomain_1.html


    Regards,
    ---Pinal
    0
     
    LVL 8

    Expert Comment

    by:sigmacon
    I think pinaldave may have misunderstood your question. You are trying to figure out how to authenticate against a MS SQL 2K Webservice, correct? The first guess I would make is proper syntax for the nt login name, which should be:

    \\domain\user.name

    <cfinvoke
      webservice = "http://localhost/mywebservice?wsdl"
      method = "myMethod"
      mytext = "SOAP Test"
      username = "\\domain\user.name"
      password = "password"
      returnVariable = "foo"/>

    If that does not work, please post the most detailed error message you can come up with here.
    0
     

    Author Comment

    by:PSLLC
    Thanks to both of you - Pinal - hello from your ol' pals in LA.

    Yes, I think Pinal misundertood. The web service is on a serparate machine and we need to authenticate against that, not on the same machine.

    sigmacon - i dont think your suggestion works because the username password combo of cfinvoke is sent as clear text (Basic Authentication), which is a different authentication method than the web service is behind (Windows Integrated Authentication).  I tried the \\domain\user.name and receieved a 401 error, which is just access denied.  So the question remains how to authenticate :

     Error Occurred While Processing Request
    Could not perform web service invocation "mysp_test" because AxisFault faultCode: {http://xml.apache.org/axis/}HTTP faultSubcode: faultString: (401)Access Denied faultActor: faultNode: faultDetail: {}string: return code: 401 &lt;!DOCTYPE HTML PUBLIC &quot;-//W3C//DTD HTML 3.2 Final//EN&quot;&gt; &lt;html dir=ltr&gt; &lt;head&gt; &lt;style&gt; a:link {font:8pt/11pt verdana; color:FF0000} a:visited {font:8pt/11pt verdana; color:#4e4e4e} &lt;/style&gt; &lt;META NAME=&quot;ROBOTS&quot; CONTENT=&quot;NOINDEX&quot;&gt; &lt;title&gt;You are not authorized to view this page&lt;/title&gt; &lt;META HTTP-EQUIV=&quot;Content-Type&quot; Content=&quot;text-html; charset=Windows-1252&quot;&gt; &lt;/head&gt; &lt;script&gt; function Homepage(){ &lt;!-- // in real bits, urls get returned to our script like this: // res://shdocvw.dll/http_404.htm#http://www.DocURL.com/bar.htm //For testing use DocURL = &quot;res://shdocvw.dll/http_404.htm#https://www.microsoft.com/bar.htm&quot; DocURL=document.URL; /...
     
    The error occurred in D:\...mysoap.cfm: line 17

    15 :   webservice = "http://mydomain/soap/soap?wsdl"
    16 :   method = "mysp_test"
    17 :   mytext = "SOAP Test"
    18 :   username = "\\mydomain\username"
    19 :   password = "password"

    Please try the following:

        * Check the ColdFusion documentation to verify that you are using the correct syntax.
        * Search the Knowledge Base to find a solution to your problem.

    Browser         Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 Firefox/0.10.1
    Remote Address         68.123.90.162
    Referrer         
    Date/Time         28-Oct-04 11:33 AM
    Stack Trace
    at cfmysoap2ecfm1545139204.runPage(D:\...mysoap.cfm:17)

    coldfusion.xml.rpc.ServiceProxy$ServiceInvocationException: Could not perform web service invocation "mysp_test" because AxisFault
     faultCode: {http://xml.apache.org/axis/}HTTP
     faultSubcode:
     faultString: (401)Access Denied
     faultActor:
     faultNode:
     faultDetail:
          {}string: return code:  401
    &lt;!DOCTYPE HTML PUBLIC &quot;-//W3C//DTD HTML 3.2 Final//EN&quot;&gt;
    &lt;html dir=ltr&gt;

    &lt;head&gt;
    &lt;style&gt;
    a:link                  {font:8pt/11pt verdana; color:FF0000}
    a:visited               {font:8pt/11pt verdana; color:#4e4e4e}
    &lt;/style&gt;

    &lt;META NAME=&quot;ROBOTS&quot; CONTENT=&quot;NOINDEX&quot;&gt;

    &lt;title&gt;You are not authorized to view this page&lt;/title&gt;

    &lt;META HTTP-EQUIV=&quot;Content-Type&quot; Content=&quot;text-html; charset=Windows-1252&quot;&gt;
    &lt;/head&gt;

    &lt;script&gt;
    function Homepage(){
    &lt;!--
    // in real bits, urls get returned to our script like this:
    // res://shdocvw.dll/http_404.htm#http://www.DocURL.com/bar.htm

          //For testing use DocURL = &quot;res://shdocvw.dll/http_404.htm#https://www.microsoft.com/bar.htm&quot;
          DocURL=document.URL;
          
          /...
          at coldfusion.xml.rpc.ServiceProxy.invokeImpl(Unknown Source)
          at coldfusion.xml.rpc.ServiceProxy.invoke(Unknown Source)
          at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:1582)
          at coldfusion.tagext.lang.InvokeTag.doEndTag(InvokeTag.java:372)
          at coldfusion.runtime.CfJspPage._emptyTag(CfJspPage.java:1872)
          at cfmysoap2ecfm1545139204.runPage(D:\...mysoap.cfm:17)
          at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:147)
          at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:357)
          at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:62)
          at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:107)
          at coldfusion.filter.PathFilter.invoke(PathFilter.java:80)
          at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:47)
          at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:52)
          at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
          at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:35)
          at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:43)
          at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
          at coldfusion.CfmServlet.service(CfmServlet.java:105)
          at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:91)
          at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
          at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:252)
          at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:527)
          at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:192)
          at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:348)
          at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:451)
          at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:294)
          at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

    0
     
    LVL 8

    Expert Comment

    by:sigmacon
    Sorry about my idea not working. Did you cut of the beginning of the stack trace?

    You said the service is on a different computer, but you are using localhost?

    Please try this:

    <cfinvoke
      webservice = "http://user:password@localhost/mywebservice?wsdl"
      ...

    the user name and password in the invocation I think are for the service itself, not for the transport layer authentication. Got my suggestion from:

    http://cookbook.soaplite.com/#accessing%20service%20with%20basic%20authentication
    0
     
    LVL 22

    Expert Comment

    by:pinaldave
    >>>  Thanks to both of you - Pinal - hello from your ol' pals in LA.
    Well, I do not have to teach to my teachers. I will be quitely subscribed to this thread and listen and learn.
    Now, I figured it out who is PSLLC. :=))
    Regards,
    ---Pinal
    0
     
    LVL 8

    Expert Comment

    by:sigmacon
    Well, Pinal, who is PSLLC - and what did you learn from him or her ??
    0
     

    Author Comment

    by:PSLLC
    Pinal is being very gracious - we worked together when he lived in Los Angeles.  Pinal began his ColdFusion career with us.
    0
     
    LVL 22

    Expert Comment

    by:pinaldave
    Who is PSLLC -
    >>> The gang of smartest ColdFusion Programmer I ever knew in my life.

    What did you learn from him or her ??
    >>> They tought me ColdFusion from scratch. ( I think from them I have first time heard the word CF)
    Where ever I am due to them.

    Regards,
    ---Pinal
    0
     
    LVL 22

    Expert Comment

    by:pinaldave
    I am so happy to put this in writing. That PSLLC have started my career in real world.
    Regards,
    ---Pinal
    0
     
    LVL 8

    Expert Comment

    by:sigmacon
    Well, pretty cool. Back to the question: Did anything help so far?
    0
     

    Author Comment

    by:PSLLC
    hmm.  Not yet.  Again, the username and password

    I think this may not be possible.  I found some documentation on CFHTTP's use of username and password, and they are also sent as clear text and the documentation says that those attributes cannot be used to authenticate a Windows Domain.  Basically, we're this is leaving me is this - we probably have to create a SSL connection, and then send the username/password via that using clear text, so that way it'd be encrypted.

    BUT - I'd still rather be able to authenticate the webservice using cfinvoke!!!  Argh!!

    0
     
    LVL 8

    Accepted Solution

    by:
    You are right, for basic authentication, the password is in clear text and SSL is preferred.

    What are the settings in IIS that is serving the request for the web service? If it's Basic Authentication, the method I suggested should work. If it is integrated authentication, then the whole thing looks a lot more complicated. In that case, I believe, the user with which the CF service is running needs to be added to the list of allowed users in the security settings on the remote IIS server. Again, you say the servers is remote, but you are testing against localhost?
    0
     
    LVL 8

    Expert Comment

    by:sigmacon
    My assumption about when username / password come into play was wrong - they ARE used for basic authenticaton - but what is your webserver configured to? I am pretty confident that it doesn't work with Integrated Windows Authentication using username / password. The documentation specifically mentions http headers.
    0
     

    Author Comment

    by:PSLLC
    Here's the final tally I think.

    I had the web server set to Windows Authentication, but not by accident, I wanted to see if we could authenticate against a Windows Domain, which we cannot.

    Its been changed to basic authentication, and what we'll be doing is just creating an SSL connection to the destination server to ensure the transaction is secure/encrypted.

    Thanks for all of your help.
    0
     
    LVL 22

    Expert Comment

    by:pinaldave
    Thank you. =))
    PSLLC rocks!
    Hello to J&J, B&B and brothers.
    0

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    How your wiki can always stay up-to-date

    Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
    - Increase transparency
    - Onboard new hires faster
    - Access from mobile/offline

    Have you ever sent email via ColdFusion and thought of tracking this mail to capture the exact date and time when the message was opened ?  If yes, then this article is for you ! First we need a table user_email with columns user_id , email , sub…
    Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
    In this Experts Exchange video Micro Tutorial, I'm going to show how small business owners who use Google Apps can save money by setting up what is called a catch-all email address in their Gmail accounts. By using the catch-all feature, small busin…
    Hi everyone! This is Experts Exchange customer support.  This quick video will show you how to change your primary email address.  If you have any questions, then please Write a Comment below!

    856 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    11 Experts available now in Live!

    Get 1:1 Help Now