NTLM propagation

The control API command HTTP_NTLM allows adding NTLM credentials to an Airlock Gateway session. In order to use NTLM authentication for the back-end application, the option "SSO credential propagation" on the mapping must be set to "NTLM".

The command syntax is:

ntlm-command              = ntlm-command-name "=" ntlm-command-value
ntlm-command-name         = "HTTP_NTLM"
ntlm-command-value        = ntlm-definitions
ntlm-definitions          = ntlm-definition [ "," ntlm-definitions ]
ntlm-definition           = ntlm-value [ "@" mapping-name ]
                            ;at this place 'ntlm-value' must be percent encoded

The ntlm-value must be supplied in the format username:password or domainname\username:password. If no mapping name is provided in ntlm-definition the scope of the definition is global, i.e., it is valid on all mappings. When global credentials are set, all mapping-specific credentials defined so far are removed. Since a back-end request may only use a single set of credentials, global definitions will only be used for a back-end request if no mapping-specific definition is available. Existing NTLM credentials are removed from an Airlock Gateway session if the ntlm-definition is empty.

The pseudo code examples below show how to set the NTLM credentials using the control API.

Pseudo code:

response.header="Set-Cookie: AL_CONTROL="+URL_Encode("HTTP_NTLM="+URL_Encode(UTF8_Encode("username:password"))+"@mapping1")

Results in:

Set-Cookie: AL_CONTROL=HTTP_NTLM%3Dusername%253Apassword%40mapping1

Pseudo code:

response.header="Set-Cookie: AL_CONTROL="+URL_Encode("HTTP_NTLM="+URL_Encode(UTF8_Encode("domainname\\username:password"))+"@mapping2")

Results in:

Set-Cookie: AL_CONTROL=HTTP_NTLM%3Ddomainname%255Cusername%253Apassword%40mapping2

The examples shown above use the pseudo function UTF8_Encode(). Airlock Gateway only performs a URL_Decode() and does not require UTF-8 encoding. However, the back-end application might require additional encodings, such as UTF-8 or ISO-8859-1.