Hi Sergio,

When talking with BMC support it is a limitation; only basic authentication
is supported.

We did come up with a workaround and were able to consume the web service
but I don't think it was a production worthy solution.  As a proof of
concept we used BURP Proxy to add on the NTLM authentication (see bottom of
email for info).  One function of BURP Proxy is to add NTLM credentials to a
request.  We put BURP Proxy on our test Remedy application server, pointed
the filter that consumes the web service to localhost which was actually the
BURP Proxy configured to proxy to our LANDesk server.  It worked but since
BURP's purpose is to intercept traffic all of that logging adds overhead as
well as creates an intermediate log of all of the traffic/data.  Putting
man-in-the-middle software in a production environment as a workaround just
didn't seem like a good idea.

The LANDesk web services were sidelined so we never worked out a final
solution.  Instead of using the BURP Proxy we talked about two other
solutions:

   1. Our LANDesk team is also very handy with .NET and MS technologies.  We
   tossed around the idea of them creating a middleware that would replace
   BURP Proxy; its only function would be to tack on NTLM authentication and
   pass the request to LANDesk.
   2. We also talked about installing a new LANDesk instance just for web
   services and various automation/integrations (this is the most likely
   candidate we would have gone with).  On this one instance (website) we would
   allow basic authentication but secure it with SSL to encrypt the clear text
   password and ACLs to limit what hosts could access the website publishing
   the web service.

On a side note, BURP Proxy is a pretty cool tool and something I am keeping
handy to troubleshoot and profile web apps.

HTH,
Jason

BURP Proxy:
http://portswigger.net/burp/proxy.html

Burp Proxy is an intercepting proxy server for security testing of web
applications. It operates as a man-in-the-middle between your browser and
the target application, allowing you to:

    * Intercept and modify all HTTP/S traffic passing in both directions.
    * Easily analyze all kinds of content, with automatic colorizing of
      request and response syntax, rendering of web content, and parsing of
      serialization schemes like AMF.
    * Apply fine-grained rules to determine which requests and responses are
      intercepted for manual testing.
    * View all traffic in the detailed proxy history, with advanced filters
      and search functions.
    * Send interesting items to other Burp Suite tools with a single click.
    * Save all of your work, and resume working later.
    * Quickly search and highlight interesting content within HTTP messages.
    * Work with custom SSL certificates and non-proxy-aware clients.
    * Define rules to automatically modify requests and responses without
      manual intervention.

Burp Proxy provides the foundation for Burp Suite's user-driven workflow,
allowing you to use an application in the normal way via your browser, and
yet have full control of all its requests and responses. Using the proxy,
you can quickly understand how the application works and start testing it
manually, and you can also pass individual requests to other Burp tools for
more advanced, customized and automated testing.



On Fri, Jan 28, 2011 at 3:10 AM, Sergio Feito <sfe...@gmail.com> wrote:

> Hi Jason
>
> I have the same problem consuming a web service with Windows integrated
> authentication.
> Were you able to solve the problem? Or is it a Remedy limitation?
>
> Best regards.
>
> 2010/3/24 Jason Miller <jason.mil...@gmail.com>
>
>> Hello List,
>>
>>
>> We are working to consume a LANDesk web service to bring asset
>> information into our CMDB (7.6).  We are encountering an issue with
>> authenticating to the LD server.  They are using Windows integrated
>> authentication to secure access to the web service.  We have tried using
>> domain\username with no luck.
>>
>> Can Remedy use more than just basic authentication to consume a web
>> service?  I am sure somebody has come up against this before.
>>
>> Thanks,
>> Jason
>>
>> ARS 7.5 p1
>> Windows 2008 x64
>> _attend WWRUG10 www.wwrug.com ARSlist: "Where the Answers Are"_
>
>
> _attend WWRUG11 www.wwrug.com ARSlist: "Where the Answers Are"_
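
A sketch of the first option described in the reply above (a small .NET relay whose only job is to add NTLM authentication and pass the request to LANDesk), added here as an example; it is not code from the thread, BMC or LANDesk. It assumes .NET 6 or later on Windows running under a domain service account that the LANDesk site accepts; the UPSTREAM_URL variable and port 8089 are hypothetical, and the Remedy filter would point at http://localhost:8089/ as it did with the Burp proof of concept.

```csharp
// Added example: loopback-only relay that answers the upstream NTLM challenge.
using System;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

class NtlmRelay
{
    static async Task Main()
    {
        // Hypothetical setting: the LANDesk base URL, e.g. https://landesk.example.internal/
        var upstream = new Uri(Environment.GetEnvironmentVariable("UPSTREAM_URL"));
        // Use the service account's own logon (no stored password), NTLM only, upstream prefix only.
        var cache = new CredentialCache { { upstream, "NTLM", CredentialCache.DefaultNetworkCredentials } };
        using var client = new HttpClient(new HttpClientHandler
            { Credentials = cache, UseProxy = false, AllowAutoRedirect = false });
        var listener = new HttpListener();
        listener.Prefixes.Add("http://localhost:8089/"); // loopback only; port is an assumption
        listener.Start();
        while (true)
        {
            var ctx = await listener.GetContextAsync();
            try
            {
                var target = new Uri(upstream, ctx.Request.RawUrl.TrimStart('/'));
                if (!upstream.IsBaseOf(target)) { ctx.Response.StatusCode = 400; continue; }
                using var req = new HttpRequestMessage(new HttpMethod(ctx.Request.HttpMethod), target);
                if (ctx.Request.HasEntityBody)
                {
                    // Buffer the body so it can be resent after the 401 NTLM challenge.
                    using var ms = new MemoryStream();
                    await ctx.Request.InputStream.CopyToAsync(ms);
                    req.Content = new ByteArrayContent(ms.ToArray());
                    if (ctx.Request.ContentType != null)
                        req.Content.Headers.TryAddWithoutValidation("Content-Type", ctx.Request.ContentType);
                }
                var soapAction = ctx.Request.Headers["SOAPAction"];
                if (soapAction != null) req.Headers.TryAddWithoutValidation("SOAPAction", soapAction);
                using var resp = await client.SendAsync(req);
                ctx.Response.StatusCode = (int)resp.StatusCode;
                ctx.Response.ContentType = resp.Content.Headers.ContentType?.ToString();
                var body = await resp.Content.ReadAsByteArrayAsync();
                await ctx.Response.OutputStream.WriteAsync(body, 0, body.Length);
            }
            catch (HttpRequestException) { ctx.Response.StatusCode = 502; } // nothing is logged
            finally { ctx.Response.Close(); }
        }
    }
}
```

Unlike an intercepting proxy, this relay keeps no history of requests or responses, and the credential cache will not offer the account to any URL outside the upstream prefix.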
