The control API command HTTP_NTLM allows adding NTLM credentials to an Airlock Gateway session. In order to use NTLM authentication for the back-end application, the option "SSO credential propagation" on the mapping must be set to "NTLM".
The command syntax is:
;; HTTP_NTLM
ntlm-command       = ntlm-command-name "=" ntlm-command-value
ntlm-command-name  = "HTTP_NTLM"
ntlm-command-value = ntlm-definitions
ntlm-definitions   = ntlm-definition [ "," ntlm-definitions ]
ntlm-definition    = ntlm-value [ "@" mapping-name ]   ;at this place 'ntlm-value' must be percent encoded
Note:
The ntlm-value must be supplied in the format username:password or domainname\username:password. If no mapping name is provided in ntlm-definition, the scope of the definition is global, i.e., it is valid on all mappings. When global credentials are set, all mapping-specific credentials defined so far are removed. Since a back-end request may only use a single set of credentials, global definitions will only be used for a back-end request if no mapping-specific definition is available. Existing NTLM credentials are removed from an Airlock Gateway session if the ntlm-definition is empty.
Example:
The pseudo code examples below show how to set the NTLM credentials using the control API.
Pseudo code:
response.header="Set-Cookie: AL_CONTROL="+URL_Encode("HTTP_NTLM="+URL_Encode(UTF8_Encode("username:password"))+"@mapping1")
Results in:
Set-Cookie: AL_CONTROL=HTTP_NTLM%3Dusername%253Apassword%40mapping1
Pseudo code:
response.header="Set-Cookie: AL_CONTROL="+URL_Encode("HTTP_NTLM="+URL_Encode(UTF8_Encode("domainname\\username:password"))+"@mapping2")
Results in:
Set-Cookie: AL_CONTROL=HTTP_NTLM%3Ddomainname%255Cusername%253Apassword%40mapping2
The examples shown above use the pseudo function UTF8_Encode(). Airlock Gateway only performs a URL_Decode() and does not require UTF-8 encoding. However, the back-end application might require additional encodings, such as UTF-8 or ISO-8859-1.
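The double encoding from the pseudo code above, written out as an added Python example (not Airlock's own code). The function names are hypothetical, the sample credentials are constructed, and parse_command() only follows the grammar on this page to show why the inner encoding matters; it is not the gateway's implementation.

```python
from urllib.parse import quote, unquote

def ntlm_definition(credentials, mapping=None, encoding="utf-8"):
    """Build one ntlm-definition: percent-encoded ntlm-value plus optional "@" mapping-name."""
    if ":" not in credentials:
        raise ValueError("expected username:password or domainname\\username:password")
    # Inner encoding: hides ":", "\", "@" and "," inside the credentials from the grammar.
    # 'encoding' selects the byte encoding the back-end expects (UTF-8, ISO-8859-1, ...).
    value = quote(credentials, safe="", encoding=encoding)
    return value if mapping is None else f"{value}@{mapping}"

def al_control_cookie(definitions):
    """Return the Set-Cookie header line carrying the HTTP_NTLM command."""
    command = "HTTP_NTLM=" + ",".join(definitions)
    # Outer encoding: the whole command becomes the cookie value.
    return "Set-Cookie: AL_CONTROL=" + quote(command, safe="")

def parse_command(cookie_value, encoding="utf-8"):
    """Split a cookie value into (credentials, mapping) pairs by following the grammar."""
    name, _, definitions = unquote(cookie_value).partition("=")
    if name != "HTTP_NTLM":
        raise ValueError("not an HTTP_NTLM command")
    pairs = []
    for definition in definitions.split(","):
        value, sep, mapping = definition.partition("@")
        pairs.append((unquote(value, encoding=encoding), mapping if sep else None))
    return pairs

if __name__ == "__main__":
    # Constructed sample: the password contains both grammar delimiters, "@" and ",".
    header = al_control_cookie([
        ntlm_definition("CORP\\svc-app:p@ss,w0rd", "mapping1"),
        ntlm_definition("fallback:secret"),  # no mapping name: global scope
    ])
    print(header)
    print(parse_command(header.split("AL_CONTROL=", 1)[1]))
```

If the inner encoding is skipped, a "@" or "," in the password is read as a grammar delimiter and the definition is split in the wrong place.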