Pass NTLM with Postman
Postman Problem Overview
Is there a way to pass Windows Authentication with Postman?
I have added this in header but still 401 Unauthorized.
Authorization: NTLM TkFcYWRtaW46dGVzdA==
As suggested by this link. I've encrypted as Unicode (UTF-16, little-endian) but of no use.
Any Ideas?
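The header value in the question can be checked against the NTLM message layout: every NTLM token begins with the 8-byte `NTLMSSP\0` signature followed by a little-endian message type (1 negotiate, 2 challenge, 3 authenticate), and the tokens are exchanged as a handshake rather than sent as one static header. The Python sketch below is an added example, not code from the question or any answer; `classify_ntlm_header` and the constructed Type 1 sample are assumptions for illustration. It shows that the posted value decodes to `domain\user:password` text instead of an NTLM message, and masks the secret when reporting it.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Constructed sample (not a capture): minimal Type 1 message with zero flags.
SAMPLE_TYPE1 = "NTLM " + base64.b64encode(
    NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0)
).decode("ascii")


def classify_ntlm_header(value):
    """Classify an Authorization / WWW-Authenticate header value.

    Returns (kind, detail) where kind is 'not-ntlm', 'bare-scheme',
    'invalid-base64', 'not-ntlmssp', 'truncated', 'unknown-type',
    or the NTLM message type name.
    """
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        return ("not-ntlm", scheme)
    token = token.strip()
    if not token:
        # A server's first "WWW-Authenticate: NTLM" offer carries no token.
        return ("bare-scheme", "")
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ("invalid-base64", token)
    if not raw.startswith(NTLMSSP_SIGNATURE):
        # Not an NTLM message. Report the readable part, masking anything
        # after ':' so a password never lands in logs or tickets.
        encoding = "utf-16-le" if b"\x00" in raw else "latin-1"
        text = raw.decode(encoding, errors="replace")
        user, sep, _secret = text.partition(":")
        return ("not-ntlmssp", user + sep + ("<redacted>" if sep else ""))
    if len(raw) < 12:
        return ("truncated", "")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    return (MESSAGE_TYPES.get(msg_type, "unknown-type"), str(msg_type))


if __name__ == "__main__":
    # Header value copied from the question above.
    print(classify_ntlm_header("NTLM TkFcYWRtaW46dGVzdA=="))
    print(classify_ntlm_header(SAMPLE_TYPE1))
```

A `not-ntlmssp` result on a saved request or exported collection means the header holds reversible credentials and should be treated as a leaked secret.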
Postman Solutions
Solution 1 - Postman
I got this working by running Fiddler first.
- Run Fiddler (I'm using 4.6.2.3)
- Fiddler Menu: Rule -> Automatically Authenticate = true
- Postman: Check that Authorization type = No Auth
- Browse api.
Solution 2 - Postman
Solution 3 - Postman
I don't think there is a way to do that. But, you are not alone in wanting it...
https://github.com/postmanlabs/postman-app-support/issues/1137
[EDIT] As of the addition of this edit, Postman has NTLM Authentication in beta in their most recent release.
https://www.getpostman.com/docs/v6/postman/sending_api_requests/authorization
Solution 4 - Postman
I suggest using Insomnia. It's free and you can see the documentation on how to add NTLM Auth here: https://insomnia.rest/documentation/authentication/
Solution 5 - Postman
NTLM authentication does work with the Chrome plugin version of Postman, as the built-in Chrome NTLM authentication can be used with the plugin. However, plugins are no longer supported by Chrome, so this version can no longer be installed and used.
The current app version of Postman (both the Chrome app and native app versions) does not support NTLM authentication.
Solution 6 - Postman
I will improve upon Hala's answer as it is problematic due to storing credentials in the request and these might get persisted in a shared repository if one is used.
Clear credentials once a request has been successfully issued
One way is to enter the credentials - username, password and domain - make the request and remove them. Subsequent requests will work, probably due to using the same NTLM authentication header, as Postman will add a temporary Authorization header (blurred) that has a value like the following: NTLM some_base64_content
Use environment variables (or better global ones as suggested by SSS) to store sensitive data
Define an environment to use and configure it similar to this:
Use configured environment variables in the request:
Solution 7 - Postman
You can also change internet options and set Logon to: Automatic logon with current user name and password
Taken from: https://sysadminspot.com/windows/google-chrome-and-ntlm-auto-logon-using-windows-authentication/
If the website uses HTTPS, you can add it to Trusted Sites and set it there; otherwise you can add it to Local intranet sites and set Custom level... there.
Click Custom level... and scroll to bottom:
Solution 8 - Postman
This was added to the Postman application in 5.3.0. However, this support was broken in 5.4.1 and remained broken until 7.14.0 per Postman App issue #4355. Updating the app to a newer version of Postman should therefore allow using NTLM authentication.
Note that Postman currently only supports NTLMv1 authentication but not NTLMv2 per Postman App issue #8038.
Solution 9 - Postman
Postman now does NTLM on their desktop apps only.
Solution 10 - Postman
If you develop your API in C#, you can use the following on your Base Controller:
#if !DEBUG
[Authorize]
#endif