27 April 2012 13:49
Once upon a quarter I encounter deployments with services which are only available through NTLM auth. Now just to make sure, before I start to write custom client behavior, can anyone confirm that NTLM is truly not supported OOB in the WCF-Custom adapter in BT2010, and I am not missing anything? Thanks.
28 April 2012 4:57
Which binding are you using for the Custom port? NTLM is supported OOB for basicHttpBinding.
MCTS: BizTalk Server 2010,BizTalk Server 2006 and WCF
Mark As Answer or Vote As Helpful if this helps.
28 April 2012 7:51
For basicHttpBinding I was trying to set arbitrary NTLM credentials in the Credentials tab. They are ignored :(
I have read this rather pessimistic article http://blog.diktator.org/index.php/2010/10/22/using-wcf-in-biztalk-with-web-services-requiring-ntlm-authentication/ where it is stated that there is no way around it besides attaching your own ClientCredentials behavior. Just wanted to check if the situation remains the same in BT2010.
29 April 2012 9:03
I believe that Ntlm works well with the various binding protocols in BizTalk. It will just always use the user running the current Host Instance. So instead of trying to add the user on the Port, you should create a Host and Host Instance running as the user authenticated for the Service. Now setting Transport Security to Ntlm should work just fine?
Morten la Cour
29 April 2012 9:40
Yes, this would be the first thing to think of. Unfortunately the adapter connects to a separate domain, so it's not possible to set up the Host instance to run as a remote user. I'm going with the approach suggested in this post: http://blog.diktator.org/index.php/2010/10/22/using-wcf-in-biztalk-with-web-services-requiring-ntlm-authentication/
Basically I extended the ClientCredentials class to provide the required Windows credentials and added it as a clientCredentials behavior extension to the WCF-Custom adapter behaviors. It worked. Just I thought it could be something out-of-the-box :)
- Edited by Ilya Oussov 29 April 2012 9:41
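The approach described in the post above, as an added example that is not code from the thread or the linked blog post (class and property names are my own): a ClientCredentials subclass that carries fixed Windows credentials, and the BehaviorExtensionElement that lets the WCF-Custom adapter load it from the send port's endpoint behaviors.

```csharp
using System;
using System.Configuration;
using System.Net;
using System.ServiceModel.Configuration;
using System.ServiceModel.Description;

// Supplies fixed Windows (NTLM) credentials to the WCF channel instead of the
// identity of the BizTalk host instance. Class names are hypothetical.
public class FixedWindowsClientCredentials : ClientCredentials
{
    public FixedWindowsClientCredentials(string userName, string password, string domain)
    {
        // NetworkCredential is what the Windows/NTLM SSPI client consumes.
        Windows.ClientCredential = new NetworkCredential(userName, password, domain);
    }

    // Copy constructor; WCF clones the credentials while building the channel factory.
    protected FixedWindowsClientCredentials(FixedWindowsClientCredentials other) : base(other) { }

    protected override ClientCredentials CloneCore()
    {
        return new FixedWindowsClientCredentials(this);
    }
}

// Behavior extension so the credentials can be configured on the send port.
// Register it under system.serviceModel/extensions/behaviorExtensions in
// machine.config (assembly in the GAC) and remove the default clientCredentials
// behavior on the port first: WCF allows one ClientCredentials behavior per endpoint.
public class FixedWindowsClientCredentialsElement : BehaviorExtensionElement
{
    [ConfigurationProperty("userName", IsRequired = true)]
    public string UserName { get { return (string)this["userName"]; } set { this["userName"] = value; } }

    // The password is stored in the binding configuration in clear text, so the
    // binding file and any exported bindings need to be handled as secrets.
    [ConfigurationProperty("password", IsRequired = true)]
    public string Password { get { return (string)this["password"]; } set { this["password"] = value; } }

    [ConfigurationProperty("domain", IsRequired = true)]
    public string Domain { get { return (string)this["domain"]; } set { this["domain"] = value; } }

    public override Type BehaviorType { get { return typeof(FixedWindowsClientCredentials); } }

    protected override object CreateBehavior()
    {
        return new FixedWindowsClientCredentials(UserName, Password, Domain);
    }
}
```

Once registered, the element appears in the WCF-Custom send port's Behavior tab under EndpointBehavior, where userName, password and domain are set per port.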
29 April 2012 9:52
Ok, I was under the impression that the Ntlm protocol was supposed to validate the user on the domain before sending from client to server, so that if cross-domain access were used, you should either use a different security model (not Ntlm) or set up SSO? But I could be wrong, anybody?
Morten la Cour
29 April 2012 10:27
Ntlm credentials are validated on the remote server, not on the client. In my situation the remote DC is not available to BizTalk, maybe due to VPN policies, hence I can only rely on Ntlm.
As it is said in http://en.wikipedia.org/wiki/NTLM "NTLM is still widely used in situations where a domain controller is not available or is unreachable. For example, NTLM would be used if a client is not Kerberos capable, the server is not joined to a domain, or the user is remotely authenticating over the web."
Unfortunately primitive security models are not supported by the server which is MSCRM 2011.
SSO does not support Windows auth for send ports: http://msdn.microsoft.com/en-us/library/bb743477(v=bts.20).aspx