Pass NTLM with Postman
B

10

94

Is there a way to pass Windows Authentication with postman?

I have added this in header but still 401 Unauthorized.

Authorization: NTLM TkFcYWRtaW46dGVzdA==

As suggested by this link. I've encrypted as Unicode (UTF-16, little-endian) but of no use.

Any Ideas?

Burny answered 20/5, 2016 at 8:8 Comment(3)
I think there are two aspects to consider here: authentication against a proxy or authentication against the target server. - Statolith
Sept 2022 ... Although Postman now has BETA support for NTLM authentication, it doesn't work. Confirmed with Fiddler that Postman wasn't sending any authentication headers through. The only work-around was to use Fiddler to do auth. - Heathcote
@JasonGlover: I disagree. This solution works flawlessly for me. I encourage you to try again: https://mcmap.net/q/223333/-pass-ntlm-with-postman - Bethought
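
Added example, not part of the original question or its comments: NTLM over HTTP is a three-message exchange (negotiate, challenge, authenticate) in which every token begins with the `NTLMSSP\0` signature, so a fixed Basic-style `Authorization` value cannot satisfy the server. The sketch below classifies a header value accordingly; `classify_ntlm_header` and `build_sample` are hypothetical names, and every message except the header quoted in the question is constructed.

```python
import base64
import binascii
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_ntlm_header(header_value):
    """Decode an 'NTLM <base64>' header value and report what it contains."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return {"valid": False, "reason": "no NTLM token present"}
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return {"valid": False, "reason": "token is not valid base64"}
    # Every NTLM message starts with the 8-byte signature and a 4-byte type.
    if len(raw) < 12 or not raw.startswith(NTLMSSP_SIGNATURE):
        return {"valid": False, "reason": "missing NTLMSSP signature"}
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    if msg_type not in MESSAGE_TYPES:
        return {"valid": False, "reason": "unknown message type"}
    info = {"valid": True, "type": MESSAGE_TYPES[msg_type]}
    if msg_type == 2 and len(raw) >= 32:
        # The server's per-connection 8-byte challenge sits at offset 24.
        info["server_challenge"] = raw[24:32].hex()
    return info


def build_sample(msg_type, challenge=b""):
    """Constructed minimal message: signature, type, zeroed fixed fields."""
    body = NTLMSSP_SIGNATURE + struct.pack("<I", msg_type)
    if msg_type == 2:
        # target-name fields (8), flags (4), challenge (8), reserved + info (16)
        body += bytes(8) + struct.pack("<I", 0) + challenge + bytes(16)
    else:
        body += bytes(20)
    return "NTLM " + base64.b64encode(body).decode("ascii")


QUESTION_HEADER = "NTLM TkFcYWRtaW46dGVzdA=="  # value quoted in the question
SAMPLE_CHALLENGE = bytes.fromhex("0123456789abcdef")  # constructed

if __name__ == "__main__":
    samples = (QUESTION_HEADER, build_sample(1),
               build_sample(2, SAMPLE_CHALLENGE), build_sample(3))
    for value in samples:
        print(classify_ntlm_header(value))
```

Because the authenticate message is computed from the challenge the server issues on that connection, the client has to perform the exchange itself, which is what the tools discussed in the answers do.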
N
37

I don't think there is a way to do that. But, you are not alone in wanting it...

https://github.com/postmanlabs/postman-app-support/issues/1137

[EDIT] As of the addition of this edit, Postman has NTLM Authentication in beta in their most recent release.

https://www.getpostman.com/docs/v6/postman/sending_api_requests/authorization

Nitro answered 21/7, 2016 at 17:14 Comment(6)
It seems v5.3.0 will have this feature. An update on the issue thread just came in. - Crossquestion
Works for me with v5.3.2! - Faraday
Looks like it is broken again. The issues are all closed but it is not working with version 6.0.10. The answer that suggests using Fiddler works. - Statolith
This appears to be the active bug on it that is still open. github.com/postmanlabs/postman-app-support/issues/4355 - Prolix
Please be careful using this! If you don't use variables (as the GUI suggests) your password is logged in a recognizable textual way. (In C:\Users\...\AppData\Roaming\Postman\IndexedDB\file__0.indexeddb.leveldb\000NNN.log) - Court
It is also stored somewhere, as it is restored for subsequent requests. For variable-usage with screen shot, see Alexei's answer. - Court
V
119

I got this working by running Fiddler first.

  1. Run Fiddler (I'm using 4.6.2.3)
  2. Fiddler Menu: Rule -> Automatically Authenticate = true
  3. Postman: Check that Authorization type = No Auth
  4. Browse api.
Victualer answered 11/11, 2016 at 8:50 Comment(6)
In my case it seems that I need to run Fiddler all the time in the background, any workaround for this? I don't want to leave Fiddler open, it's too heavy - Interruption
Yes you do need to run Fiddler while you are testing your api. I don't know of a way of doing it without Fiddler. - Victualer
For NTLM authentication against a proxy you will need to use this workaround until this issue is fixed: github.com/postmanlabs/postman-app-support/issues/3692 - Statolith
Although I still do not know why only this works, it has helped me with testing for now. Thank you very much. - Aten
I plan on printing this, framing it, and submitting it to the Louvre as a work of art. Thanks Pablo - Fideicommissary
Sept 2022 ... Although Postman now has BETA support for NTLM authentication, it doesn't work. Confirmed with Fiddler that Postman wasn't sending any authentication headers through. This work-around works. - Heathcote
L
76

You can use the NTLM authorization that exists in the Authorization tab, same as in this photo


Lumbard answered 11/12, 2017 at 9:0 Comment(7)
Just remember to include the domain in its field instead of Username - Bombardon
I tried it, it still gives me 401 unauthorized error. I am accessing a SharePoint 2010 hosted Web API - Narrow
Check the settings of Postman, turn all settings to "off". This worked for me - Adkinson
@XiaoHan follow Tonatio and include the domain in its field instead of Username - Wellappointed
Please be careful using this! If you don't use variables (as the GUI in the screen shot already suggests, see Alexei's answer for this) your password is logged in a recognizable textual way. (In C:\Users\...\AppData\Roaming\Postman\IndexedDB\file__0.indexeddb.leveldb\000NNN.log) It is also stored somewhere, as it is restored for subsequent requests. - Court
It does not work even with domain name. IIS 8.0 returns 401 always - Pediment
For people using more recent versions of Postman (v9.9.3 in my case) going against more recent versions of Windows, your issue could be that Postman doesn't currently support NTLMv2. See the Postman 401 Unathorized using NTLM blog post for more info on the issue and this Postman issue/enhancement request to track progress on the fix. - Sessoms
T
10

I suggest using insomnia. It's free and you can see the documentation on how to add NTLM Auth here: https://insomnia.rest/documentation/authentication/

Theran answered 26/7, 2017 at 7:32 Comment(2)
I've been unable to get Postman 7.2.2 to work with NTLM. I finally gave up and tried Insomnia, and it works just fine the first time. - Coincidence
New URL: support.insomnia.rest/article/174-authentication - Reveal
C
3

NTLM authentication does work with the Chrome plugin version of Postman, as the built-in Chrome NTLM authentication can be used with the plugin. However, plugins are no longer supported by Chrome, so this version can no longer be installed and used.

The current app version of Postman (both the Chrome app and native app versions) does not support NTLM authentication.

Carrizales answered 12/6, 2017 at 21:51 Comment(3)
This does not provide an answer to the question. To critique or request clarification from an author, leave a comment below their post. - From Review - Dorene
@PeterHall How about if it were recast as "NTLM authentication does work with the older Postman Chrome plugin ..."? The question isn't specifically calling out that it's the Chrome app (though one can guess that's what the asker was using). - Carrizales
@PeterHall Thanks for the improvement suggestions. I updated my answer accordingly. - Carrizales
C
3

This was added to the Postman application in 5.3.0. However, this support was broken in 5.4.1 and remained broken until 7.14.0 per Postman App issue #4355. Updating the app to a newer version of Postman should therefore allow using NTLM authentication.

Note that Postman currently only supports NTLMv1 authentication but not NTLMv2 per Postman App issue #8038.

Carrizales answered 23/1, 2019 at 18:40 Comment(0)
D
2

I will improve upon Hala's answer as it is problematic due to storing credentials in the request and these might get persisted in a shared repository if one is used.

Clear credentials once a request has been successfully issued

One way is to enter the credentials - username, password and domain - make the request and remove them. Subsequent requests will work, probably due to using the same NTLM authentication header, as Postman will add a temporary Authorization header (blurred) that has a value like the following: NTLM some_base64_content

Use environment variables (or better global ones as suggested by SSS) to store sensitive data

Define an environment to use and configure it similar to this:

Configure environment

Use configured environment variables in the request:

Request authorization data

Dentation answered 22/1, 2019 at 12:21 Comment(2)
Great answer. A small improvement is to store the credentials in Global variables, rather than an environment. That way you can share the environment with your team. - Taxpayer
@Taxpayer - yes. I posted this answer when NTLM support was still in its infancy (a scenario even managed to crash Postman). Back then it was way easier to use the deprecated Chrome extension to benefit from Windows auth without doing anything. - Dentation
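
Added example, not part of the answer above: a pre-commit style check that flags NTLM credentials stored as literals in an exported collection before it reaches a shared repository, which is the risk this answer describes. It assumes the Collection v2.1 export layout, where NTLM settings appear as an `auth` object with `"type": "ntlm"` and a list of key/value entries; `find_literal_ntlm_credentials` is a hypothetical name and the sample collection is constructed.

```python
import json
import re

# A value made only of a Postman variable reference, e.g. {{ntlm_password}}.
VARIABLE_ONLY = re.compile(r"^\{\{[^{}]+\}\}$")
CREDENTIAL_KEYS = ("username", "password", "domain")


def find_literal_ntlm_credentials(node, path="collection"):
    """Return locations of NTLM auth fields holding literals, never the values."""
    findings = []
    if isinstance(node, dict):
        name = node.get("name")
        here = f"{path}/{name}" if isinstance(name, str) else path
        auth = node.get("auth")
        if isinstance(auth, dict) and auth.get("type") == "ntlm":
            for entry in auth.get("ntlm") or []:
                key, value = entry.get("key"), entry.get("value")
                literal = (isinstance(value, str) and value
                           and not VARIABLE_ONLY.match(value))
                if key in CREDENTIAL_KEYS and literal:
                    findings.append(f"{here}: {key}")
        # Folders, items and requests can all carry their own auth block.
        for key, value in node.items():
            if key != "auth":
                findings += find_literal_ntlm_credentials(value, here)
    elif isinstance(node, list):
        for child in node:
            findings += find_literal_ntlm_credentials(child, path)
    return findings


# Constructed sample export: one request with literals, one with variables.
SAMPLE_COLLECTION = json.loads("""
{"info": {"name": "Intranet API (constructed sample)"},
 "item": [
  {"name": "Hardcoded", "request": {"auth": {"type": "ntlm", "ntlm": [
    {"key": "username", "value": "svc-api", "type": "string"},
    {"key": "password", "value": "constructed-secret", "type": "string"},
    {"key": "domain", "value": "CORP", "type": "string"}]}}},
  {"name": "Uses variables", "request": {"auth": {"type": "ntlm", "ntlm": [
    {"key": "username", "value": "{{ntlm_user}}", "type": "string"},
    {"key": "password", "value": "{{ntlm_password}}", "type": "string"},
    {"key": "domain", "value": "{{ntlm_domain}}", "type": "string"}]}}}]}
""")

if __name__ == "__main__":
    for finding in find_literal_ntlm_credentials(SAMPLE_COLLECTION):
        print("literal NTLM credential at", finding)
```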
C
1

You can also change internet options and set Logon to: Automatic logon with current user name and password

taken from: https://sysadminspot.com/windows/google-chrome-and-ntlm-auto-logon-using-windows-authentication/

If the website uses https you can add it to Trusted Sites and set it there, otherwise you can add it to local intranet sites and set Custom level... there.

Open internet options:

Click Custom level... and scroll to bottom:

Cown answered 4/7, 2017 at 16:15 Comment(0)
R
0

Postman now does NTLM on their desktop apps only.

Rossuck answered 9/7, 2018 at 21:34 Comment(0)
J
-9

If you develop your API in C# you can use the following on your Base Controller

#if !DEBUG 
   [Authorize] 
#endif
Japeth answered 27/10, 2017 at 6:35 Comment(2)
I want to get current user name while executing the API call. How are you gonna achieve that by disabling Authorize? - Remittance
@cdev, at the time of that response, Postman didn't yet support NTLM. There are much better options now, but there weren't then. - Monosome
