[Webinar] Streamline your web hosting managementRegister Today

x
?
Solved

How to authenticate against Windows Authentication from CFINVOKE

Posted on 2004-10-27
15
Medium Priority
?
1,298 Views
Last Modified: 2013-12-24
Question:

Using cfinvoke to call a MS SQL 2K web service that is behind Windows Authentication in IIS.

The username and password attributes do not work as they are in clear text.  I tried doing this and it didnt work:

<cfinvoke
  webservice = "http://localhost/mywebservice?wsdl"
  method = "myMethod"
  mytext = "SOAP Test"
  username = "username@NTdomain"
  password = "password"
  returnVariable = "foo"/>

How do I authenticate it?
0
Comment
Question by:PSLLC
  • 6
  • 5
  • 4
15 Comments
 
LVL 21

Assisted Solution

by:pinaldave
pinaldave earned 75 total points
ID: 12428107
Hi PSLLC,
!--- Invoke NTSecurity CFC as if it were in the same directory as your calling CFML page. If it is not, you can use dot notation to refer to its location. Read the ColdFusion MX documentation for more details. --->
<cfinvoke
component = "NTSecurity"
method = "authenticateAndGetGroups"
domain = "#Request.myDomain#"
userid = "#Form.UserID#"
passwd = "#Form.Passwd#"
returnVariable = "GetUsers">

http://www.macromedia.com/devnet/mx/coldfusion/articles/ntdomain_1.html


Regards,
---Pinal
0
 
LVL 8

Expert Comment

by:sigmacon
ID: 12429671
I think pinaldave may have misunderstood your question. You are trying to figure out how to authenticate against a MS SQL 2K Webservice, correct? The first guess I would make is proper syntax for the nt login name, which should be:

\\domain\user.name

<cfinvoke
  webservice = "http://localhost/mywebservice?wsdl"
  method = "myMethod"
  mytext = "SOAP Test"
  username = "\\domain\user.name"
  password = "password"
  returnVariable = "foo"/>

If that does not work, please post the most detailed error message you can come up with here.
0
 

Author Comment

by:PSLLC
ID: 12437426
Thanks to both of you - Pinal - hello from your ol' pals in LA.

Yes, I think Pinal misundertood. The web service is on a serparate machine and we need to authenticate against that, not on the same machine.

sigmacon - i dont think your suggestion works because the username password combo of cfinvoke is sent as clear text (Basic Authentication), which is a different authentication method than the web service is behind (Windows Integrated Authentication).  I tried the \\domain\user.name and receieved a 401 error, which is just access denied.  So the question remains how to authenticate :

 Error Occurred While Processing Request
Could not perform web service invocation "mysp_test" because AxisFault faultCode: {http://xml.apache.org/axis/}HTTP faultSubcode: faultString: (401)Access Denied faultActor: faultNode: faultDetail: {}string: return code: 401 &lt;!DOCTYPE HTML PUBLIC &quot;-//W3C//DTD HTML 3.2 Final//EN&quot;&gt; &lt;html dir=ltr&gt; &lt;head&gt; &lt;style&gt; a:link {font:8pt/11pt verdana; color:FF0000} a:visited {font:8pt/11pt verdana; color:#4e4e4e} &lt;/style&gt; &lt;META NAME=&quot;ROBOTS&quot; CONTENT=&quot;NOINDEX&quot;&gt; &lt;title&gt;You are not authorized to view this page&lt;/title&gt; &lt;META HTTP-EQUIV=&quot;Content-Type&quot; Content=&quot;text-html; charset=Windows-1252&quot;&gt; &lt;/head&gt; &lt;script&gt; function Homepage(){ &lt;!-- // in real bits, urls get returned to our script like this: // res://shdocvw.dll/http_404.htm#http://www.DocURL.com/bar.htm //For testing use DocURL = &quot;res://shdocvw.dll/http_404.htm#https://www.microsoft.com/bar.htm"; DocURL=document.URL; /...
 
The error occurred in D:\...mysoap.cfm: line 17

15 :   webservice = "http://mydomain/soap/soap?wsdl"
16 :   method = "mysp_test"
17 :   mytext = "SOAP Test"
18 :   username = "\\mydomain\username"
19 :   password = "password"

Please try the following:

    * Check the ColdFusion documentation to verify that you are using the correct syntax.
    * Search the Knowledge Base to find a solution to your problem.

Browser         Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 Firefox/0.10.1
Remote Address         68.123.90.162
Referrer         
Date/Time         28-Oct-04 11:33 AM
Stack Trace
at cfmysoap2ecfm1545139204.runPage(D:\...mysoap.cfm:17)

coldfusion.xml.rpc.ServiceProxy$ServiceInvocationException: Could not perform web service invocation "mysp_test" because AxisFault
 faultCode: {http://xml.apache.org/axis/}HTTP
 faultSubcode:
 faultString: (401)Access Denied
 faultActor:
 faultNode:
 faultDetail:
      {}string: return code:  401
&lt;!DOCTYPE HTML PUBLIC &quot;-//W3C//DTD HTML 3.2 Final//EN&quot;&gt;
&lt;html dir=ltr&gt;

&lt;head&gt;
&lt;style&gt;
a:link                  {font:8pt/11pt verdana; color:FF0000}
a:visited               {font:8pt/11pt verdana; color:#4e4e4e}
&lt;/style&gt;

&lt;META NAME=&quot;ROBOTS&quot; CONTENT=&quot;NOINDEX&quot;&gt;

&lt;title&gt;You are not authorized to view this page&lt;/title&gt;

&lt;META HTTP-EQUIV=&quot;Content-Type&quot; Content=&quot;text-html; charset=Windows-1252&quot;&gt;
&lt;/head&gt;

&lt;script&gt;
function Homepage(){
&lt;!--
// in real bits, urls get returned to our script like this:
// res://shdocvw.dll/http_404.htm#http://www.DocURL.com/bar.htm

      //For testing use DocURL = &quot;res://shdocvw.dll/http_404.htm#https://www.microsoft.com/bar.htm";
      DocURL=document.URL;
      
      /...
      at coldfusion.xml.rpc.ServiceProxy.invokeImpl(Unknown Source)
      at coldfusion.xml.rpc.ServiceProxy.invoke(Unknown Source)
      at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:1582)
      at coldfusion.tagext.lang.InvokeTag.doEndTag(InvokeTag.java:372)
      at coldfusion.runtime.CfJspPage._emptyTag(CfJspPage.java:1872)
      at cfmysoap2ecfm1545139204.runPage(D:\...mysoap.cfm:17)
      at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:147)
      at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:357)
      at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:62)
      at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:107)
      at coldfusion.filter.PathFilter.invoke(PathFilter.java:80)
      at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:47)
      at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:52)
      at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
      at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:35)
      at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:43)
      at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
      at coldfusion.CfmServlet.service(CfmServlet.java:105)
      at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:91)
      at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
      at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:252)
      at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:527)
      at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:192)
      at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:348)
      at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:451)
      at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:294)
      at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

0
Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

 
LVL 8

Expert Comment

by:sigmacon
ID: 12437500
Sorry about my idea not working. Did you cut of the beginning of the stack trace?

You said the service is on a different computer, but you are using localhost?

Please try this:

<cfinvoke
  webservice = "http://user:password@localhost/mywebservice?wsdl"
  ...

the user name and password in the invocation I think are for the service itself, not for the transport layer authentication. Got my suggestion from:

http://cookbook.soaplite.com/#accessing%20service%20with%20basic%20authentication
0
 
LVL 21

Expert Comment

by:pinaldave
ID: 12437533
>>>  Thanks to both of you - Pinal - hello from your ol' pals in LA.
Well, I do not have to teach to my teachers. I will be quitely subscribed to this thread and listen and learn.
Now, I figured it out who is PSLLC. :=))
Regards,
---Pinal
0
 
LVL 8

Expert Comment

by:sigmacon
ID: 12437758
Well, Pinal, who is PSLLC - and what did you learn from him or her ??
0
 

Author Comment

by:PSLLC
ID: 12437776
Pinal is being very gracious - we worked together when he lived in Los Angeles.  Pinal began his ColdFusion career with us.
0
 
LVL 21

Expert Comment

by:pinaldave
ID: 12437793
Who is PSLLC -
>>> The gang of smartest ColdFusion Programmer I ever knew in my life.

What did you learn from him or her ??
>>> They tought me ColdFusion from scratch. ( I think from them I have first time heard the word CF)
Where ever I am due to them.

Regards,
---Pinal
0
 
LVL 21

Expert Comment

by:pinaldave
ID: 12437807
I am so happy to put this in writing. That PSLLC have started my career in real world.
Regards,
---Pinal
0
 
LVL 8

Expert Comment

by:sigmacon
ID: 12437849
Well, pretty cool. Back to the question: Did anything help so far?
0
 

Author Comment

by:PSLLC
ID: 12438197
hmm.  Not yet.  Again, the username and password

I think this may not be possible.  I found some documentation on CFHTTP's use of username and password, and they are also sent as clear text and the documentation says that those attributes cannot be used to authenticate a Windows Domain.  Basically, we're this is leaving me is this - we probably have to create a SSL connection, and then send the username/password via that using clear text, so that way it'd be encrypted.

BUT - I'd still rather be able to authenticate the webservice using cfinvoke!!!  Argh!!

0
 
LVL 8

Accepted Solution

by:
sigmacon earned 300 total points
ID: 12438305
You are right, for basic authentication, the password is in clear text and SSL is preferred.

What are the settings in IIS that is serving the request for the web service? If it's Basic Authentication, the method I suggested should work. If it is integrated authentication, then the whole thing looks a lot more complicated. In that case, I believe, the user with which the CF service is running needs to be added to the list of allowed users in the security settings on the remote IIS server. Again, you say the servers is remote, but you are testing against localhost?
0
 
LVL 8

Expert Comment

by:sigmacon
ID: 12438350
My assumption about when username / password come into play was wrong - they ARE used for basic authenticaton - but what is your webserver configured to? I am pretty confident that it doesn't work with Integrated Windows Authentication using username / password. The documentation specifically mentions http headers.
0
 

Author Comment

by:PSLLC
ID: 12448212
Here's the final tally I think.

I had the web server set to Windows Authentication, but not by accident, I wanted to see if we could authenticate against a Windows Domain, which we cannot.

Its been changed to basic authentication, and what we'll be doing is just creating an SSL connection to the destination server to ensure the transaction is secure/encrypted.

Thanks for all of your help.
0
 
LVL 21

Expert Comment

by:pinaldave
ID: 12448248
Thank you. =))
PSLLC rocks!
Hello to J&J, B&B and brothers.
0

Featured Post

Learn to develop an Android App

Want to increase your earning potential in 2018? Pad your resume with app building experience. Learn how with this hands-on course.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: kevp75
Hey folks, 'bout time for me to come around with a little tip. Thanks to IIS 7.5 Extensions and Microsoft (well... really Windows 8, and IIS 8 I guess...), we can now prime our Application Pools, when IIS starts. Now, though it would be nice t…
When it comes to security, close monitoring is a must. According to WhiteHat Security annual report, a substantial number of all web applications are vulnerable always. Monitis offers a new product - fully-featured Website security monitoring and pr…
Planning to migrate your EDB file(s) to a new or an existing Outlook PST file? This video will guide you how to convert EDB file(s) to PST. Besides this, it also describes, how one can easily search any item(s) from multiple folders or mailboxes…
Watch the video to learn how one can deal with PST file corruption issue with an outstanding Kernel for Outlook PST Repair Tool easily. Using this tool, non-technical users can swiftly perform the repair process to restore their essential data witho…
Suggested Courses

607 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question