NTLM Authentication in PL/SQL -- Part 1 Project Overview

Goal:
Be able to call a SQL Server Web Service (SSRS) that used NTLM authentication from a PL/SQL package. End goal is to communicate from an Oracle 11g Database to SQL Server Reporting Server using SOAP (Simple Object Access Protocol) to return data that we cant currently get due to the expensive driver required to create a DB link between the Oracle and SQL Server.

Problem:
NTLM is a Microsoft proprietary authentication system and doesn't play nice with PL/SQL developers. Currently (11g r2) Oracle does not offer support for NTLM authentication, in Java however, that is a different story.

Steps I've taken:
-Use SoapUI to send requests to the web service. SoapUI is a handy program that provides an XML template for creating your SOAP requests and then displays the response in cleanly formatted XML. SoapUI also supports various authentication methods including Basic Authentication (plain text password exchange) and NTLM v1, which is what the web service I'm working with requires.

-Use Wireshark (a great open-source packet analyzer) to observe the NTLM authentication process and get an understanding of what needs to be done. Wireshark can decode the NTLM auth tokens pretty well but I ran into some quirks, mostly incorrectly showing the location in the packet where certain information was derived from. Despite some initial frustration due to skewed data, Wireshark was absolutely instrumental in this project.

-Start the long tedious process of replicating the NTLM auth tokens. There are three important tokens in this process that make up the authentication 'handshake.' The client sends the first token with basic information about itself excluding the password, the servers responds with a token with a challenge (a seemingly random 8-byte hex string), and then the client takes obfuscates the password with this challenge and send the third token back with it. This process requires lots of low-level programming, and we will be attempting in a very high-level language, PL/SQL.

-Fail. Yep, after a week of programming and testing, I can replicate the NTLM auth tokens down to the BIT. Yet I still get an 'Unauthorized' response. Bummer, I fully believe that this can work but I am getting held up by either a network firewall that is protecting the Oracle DB and not protecting my desktop, or the Microsoft web service simply refuses to accept requests from a Linux box (where the DB resides) but will from my Windows 7 desktop. I think this needs to revisited but in order to keep this project moving forward I will try switching to Java to for the authentication.

-Success! From PL/SQL I call a stored Java source and pass it my credentials along with the soap message I want to sent the web service. Java handles the authentication by creating an SSL connection and java.net.Authenticator does the rest of the NTLM magic for you. It's too bad really how simple it is in Java.

Note: Some responses from web services are larger then a PL/SQL VARCHAR2 (32k) for this I used a clob. The constructor for a clob is protected in Java because they want you to use it in conjunction with a java.sql.ResultSet. In order to overcome this problem I passed an initialized clob from PL/SQL to Java, wrote in it, then passed it back.

8 comments:

  1. TonyAugust 2, 2011 at 10:47 AM

    Is there any chance that you would be willing to share your java procedure for this. I am trying to interface with SharePoint web services and have run into this same authentication issue.

    I, like you, have tried various different things inside the request header but have yet to get this to work. I thought about a java stored procedure as well but that was as far as I got since I don't currently have enough java knowledge to put this together.

    ReplyDelete
  2. Morten BratenAugust 3, 2011 at 6:06 AM

    Hi,

    seems we have been working on the same problem, and I've got a working solution.

    See my blog post:

    http://ora-00001.blogspot.com/2011/08/ntlm-for-plsql.html


    - Morten

    ReplyDelete
  3. RossAugust 4, 2011 at 9:21 PM

    Tony, yes, I can send you that code. Im actually camping right now but Ill get that to you in the next couple days. If you need it before then, in another post on this blog I post the structure that you need for the basis of your java source. You will need to create a class that implements Authenticator and also a certificate manager that will accept all SSL certs (if I didn't use https I got a 'server redirected too many times' error). I got solutions to each of these by googling ntlm authentication. Don't forget to allow access to the sharepoint server on your oracle DBs ACL (access control list). While trying to connect, I got oracle errors telling me to grant access to the java source for the ip and port of the server I was connecting to. I forget the specific permissions to grant but they were returned in an error and you can just copy/paste them. I recommend, that in order to debug the java, put you code in a try-catch block and return your errors.

    Good luck.

    ReplyDelete
  4. RossAugust 8, 2011 at 4:19 PM

    You know what Tony, I actually was just talking with my boss and he advised me not to post any more specific code before the higher-ups approve it. If you have any questions, though, I'd be glad to help.

    ReplyDelete
  5. jedJanuary 16, 2013 at 10:14 PM

    Hi Ross,
    Just wondering if you can share this code now? I'm desperately looking for ways to call Sharepoint webservice (using NTLM authentication) from Oracle database. I don't have Apex installed so I cannot use Morten's solution above.

    Hope to hear from you.

    Thanks!

    ReplyDelete
  6. RossJanuary 18, 2013 at 12:21 AM

    Sorry I actually dont work there and dont have access to the codebase anymore, I can say thought that we did not get a PL/SQL solution for NTLM auth despite pretty intelligent resources. Had to pass a clob to Java source for it to send and receive. then pass the result back to PL/SQL. Good luck sorry I cant be more help.

    ReplyDelete
  7. jedJanuary 20, 2013 at 8:05 PM

    Hi Ross,

    Thank you for the reply.
    Just want to update that I was able to implement the PL/SQL (using UTL_HTTP) NTLM authentication using Morten's solution.
    http://ora-00001.blogspot.com/2011/08/ntlm-for-plsql.html

    ReplyDelete
  8. UnknownJune 10, 2013 at 4:51 AM

    interesting piece of information, I had come to know about your web-page from my friend pramod, jaipur,i have read atleast eight posts of yours by now, and let me tell you, your blog gives the best and the most interesting information. This is just the kind of information that i had been looking for, i'm already your rss reader now and i would regularly watch out for the new posts, once again hats off to you! Thanks a million once again, Regards, sql and plsql difference

    ReplyDelete

Subscribe to: Post Comments (Atom)