94

Is there a way to pass Windows Authentication with postman?

I have added this in header but still 401 Unauthorized.

Authorization: NTLM TkFcYWRtaW46dGVzdA==

As suggested by this link. I've encrypted as Unicode (UTF-16, little-endian) but of no use.

Any Ideas?

Jim G.
  • 1
    I think there are two aspects to consider here: authentication against a proxy or authentication against the target server. – Constantino Cronemberger Apr 16 '18 at 18:56
  • Sept 2022 ... Although Postman now has BETA support for NTLM authentication, it doesn't work. Confirmed with Fiddler that Postman wasn't sending any authentication headers through. The only work-around was to use Fiddler to do auth. – Jason Glover Sep 16 '22 at 01:30
  • @JasonGlover: I disagree. This solution works flawlessly for me. I encourage you to try again: https://stackoverflow.com/a/47749312/109941 – Jim G. Oct 05 '22 at 13:02
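
Why a hand-built header like the one in the question is rejected, as an added example that is not part of the original post: the NTLM scheme carries binary NTLMSSP messages in a multi-step challenge/response exchange, so a single static base64 string is not a valid token. The classifier function and the constructed NEGOTIATE sample are illustrative names and data, not anything from Postman.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_ntlm_header(header_value):
    """Classify the value of an NTLM Authorization / WWW-Authenticate header.

    Returns (kind, detail); kind is a MESSAGE_TYPES name, "NOT_NTLM" or
    "MALFORMED".
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return ("MALFORMED", "expected 'NTLM <base64 token>'")
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return ("MALFORMED", "token is not valid base64")
    # Every NTLM message starts with the 8-byte signature followed by a
    # little-endian 32-bit message type.
    if len(raw) < 12 or not raw.startswith(NTLMSSP_SIGNATURE):
        # Not an NTLM message: report what the bytes decode to instead.
        return ("NOT_NTLM", raw.decode("latin-1"))
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    name = MESSAGE_TYPES.get(msg_type)
    if name is None:
        return ("MALFORMED", "unknown message type %d" % msg_type)
    return (name, "%d-byte NTLMSSP message" % len(raw))


# The header value quoted in the question.
QUESTION_HEADER = "NTLM TkFcYWRtaW46dGVzdA=="

# Constructed sample: a minimal NEGOTIATE message (signature, type 1,
# constructed negotiate flags, empty domain and workstation fields).
CONSTRUCTED_NEGOTIATE = "NTLM " + base64.b64encode(
    NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0x00088207) + b"\x00" * 16
).decode("ascii")

if __name__ == "__main__":
    for value in (QUESTION_HEADER, CONSTRUCTED_NEGOTIATE):
        print(value, "->", classify_ntlm_header(value))
```

The question's value classifies as `NOT_NTLM` because it is a reversible encoding of a `domain\user:password` string rather than an NTLMSSP message.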

10 Answers

119

I got this working by running Fiddler first.

  1. Run Fiddler (I'm using 4.6.2.3)
  2. Fiddler Menu: Rule -> Automatically Authenticate = true
  3. Postman: Check that Authorization type = No Auth
  4. Browse api.
PabloBlamirez
  • in my case it seems that I need to run fiddler all the time in the background, any workaround for this? I don't want to leave fiddler open, it's too heavy – ghiscoding Jun 12 '17 at 18:36
  • 1
    Yes you do need to run fiddler while you are testing your api. I don't know of a way of doing it without fiddler. – PabloBlamirez Jun 13 '17 at 09:12
  • 1
    For NTLM authentication against a proxy you will need to use this workaround until this issue is fixed: https://github.com/postmanlabs/postman-app-support/issues/3692 – Constantino Cronemberger Apr 16 '18 at 19:00
  • 2
    although I still do not know why only this works. It has helped me with testing for now. thank you very much. – Eakan Gopalakrishnan Jan 23 '20 at 15:17
  • I plan on printing this, framing it, and submitting it to the louvre as a work of art. Thanks Pablo – MarkB Jun 30 '22 at 18:14
  • Sept 2022 ... Although Postman now has BETA support for NTLM authentication, it doesn't work. Confirmed with Fiddler that Postman wasn't sending any authentication headers through. This work-around works. – Jason Glover Sep 16 '22 at 01:30
76

You can use the NTLM authorization that exists in the Authorization tab, the same as in this photo:

enter image description here

Hala
  • 11
    Just remember to include the domain in its field instead of `Username` – Tonatio Mar 08 '18 at 16:21
  • 3
    I tried it, it still gives me 401 unauthorized error. I am accessing to SharePoint 2010 hosted Web API – Xiao Han Jun 20 '18 at 18:50
  • Check the settings of Postman: turn all settings to "off". This worked for me – George Jun 21 '18 at 16:23
  • @XiaoHan follow Tonatio and include the domain in its field instead of Username – sujit tiwari Jul 01 '19 at 05:47
  • 2
    Please be careful using this! If you don't use variables (as the GUI in the screen shot already suggests, see [Alexei's answer](https://stackoverflow.com/a/54308228) for this) your password is logged in a recognizable textual way. (In `C:\Users\...\AppData\Roaming\Postman\IndexedDB\file__0.indexeddb.leveldb\000NNN.log`) It is also stored somewhere, as it is restored for subsequent requests. – Yahoo Serious Apr 02 '20 at 13:52
  • It does not work even with domain name. IIS 8.0 returns 401 always – Igor Apr 22 '21 at 16:20
  • For people using more recent versions of Postman (v9.9.3 in my case) going against more recent versions of Windows, your issue could be that Postman doesn't currently support NTLMv2. See the [Postman 401 Unathorized using NTLM blog post](https://web.archive.org/web/20220119201440/https://mejustandrew.medium.com/postman-401-unathorized-using-ntlm-a996fbf072bf) for more info on the issue and this [Postman issue/enhancement request](https://github.com/postmanlabs/postman-app-support/issues/8038) to track progress on the fix. – csrowell Jan 19 '22 at 20:20
37

I don't think there is a way to do that. But, you are not alone in wanting it...

https://github.com/postmanlabs/postman-app-support/issues/1137

[EDIT] As of the addition of this edit, Postman has NTLM Authentication in beta in their most recent release.

https://www.getpostman.com/docs/v6/postman/sending_api_requests/authorization

Community
Spiralis
  • 5
    It seems v5.3.0 will have this feature. An update on the issue thread just came in. – RBT Oct 09 '17 at 08:55
  • Works for me with v5.3.2! – Matt Varblow Oct 26 '17 at 13:13
  • 2
    Looks like it is broken again. The issues are all closed but it is not working with version 6.0.10. The answer that suggests using Fiddler works. – Constantino Cronemberger Apr 16 '18 at 18:46
  • This appears to be the active bug on it that is still open. https://github.com/postmanlabs/postman-app-support/issues/4355 – Jim Jul 12 '18 at 20:33
  • 1
    Please be careful using this! If you don't use variables (as the GUI suggests) your password is logged in a recognizable textual way. (In `C:\Users\...\AppData\Roaming\Postman\IndexedDB\file__0.indexeddb.leveldb\000NNN.log`) – Yahoo Serious Mar 03 '20 at 15:45
  • It is also stored somewhere, as it is restored for subsequent requests. For variable-usage with screen shot, see [Alexei's answer](https://stackoverflow.com/a/54308228). – Yahoo Serious Apr 02 '20 at 13:54
10

I suggest using insomnia. It's free and you can see the documentation on how to add NTLM Auth here: https://insomnia.rest/documentation/authentication/

Moch Yusup
3

NTLM authentication does work with the Chrome plugin version of Postman, as the built-in Chrome NTLM authentication can be used with the plugin. However, plugins are no longer supported by Chrome, so this version can no longer be installed and used.

The current app version of Postman (both the Chrome app and native app versions) does not support NTLM authentication.

M. Justin
  • 1
    This does not provide an answer to the question. To critique or request clarification from an author, leave a comment below their post. - [From Review](/review/low-quality-posts/16566821) – Peter Hall Jun 29 '17 at 20:13
  • 1
    @PeterHall How about if it were recast as "NTLM authentication does work with the older Postman Chrome plugin ..."? The question isn't specifically calling out that it's the Chrome app (though one can guess that's what the asker was using). – M. Justin Jun 29 '17 at 20:26
  • 2
    @PeterHall Thanks for the improvement suggestions. I updated my answer accordingly. – M. Justin Jun 29 '17 at 20:36
3

This was added to the Postman application in 5.3.0. However, this support was broken in 5.4.1 and remained broken until 7.14.0 per Postman App issue #4355. Updating the app to a newer version of Postman should therefore allow using NTLM authentication.

Note that Postman currently only supports NTLMv1 authentication but not NTLMv2 per Postman App issue #8038.

M. Justin
2

I will improve upon Hala's answer as it is problematic due to storing credentials in the request and these might get persisted in a shared repository if one is used.

Clear credentials once a request has been successfully issued

One way is to enter the credentials - username, password and domain - make the request and remove them. Subsequent requests will work, probably due to using the same NTLM authentication header, as Postman will add a temporary Authorization header (blurred) that has a value like the following: NTLM some_base64_content

Use environment variables (or better global ones as suggested by SSS) to store sensitive data

Define an environment to use and configure it similar to this:

Configure environment

Use configured environment variables in the request:

Request authorization data

Alexei - check Codidact
  • 2
    Great answer. A small improvement is to store the credentials in Global variables, rather than an environment. That way you can share the environment with your team. – SSS Dec 03 '19 at 06:37
  • @SSS - yes. I posted this answer when NTLM support was still in its infancy (a scenario even managed to crash Postman). Back then it was way easier to use the deprecated Chrome extension to benefit from Windows auth without doing anything. – Alexei - check Codidact Dec 03 '19 at 07:20
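
A check for the risk this answer describes (literal NTLM credentials saved with a request and then persisted in a shared repository), as an added example that is not part of the original answer. It assumes the exported collection JSON layouts noted in the code comment; the function names, sample collection and variable names are constructed for illustration.

```python
import json
import re

VARIABLE_REF = re.compile(r"^\{\{[^{}]+\}\}$")  # e.g. {{ntlm_password}}

def auth_fields(auth):
    # Assumed export layouts: v2.1 keeps a scheme's fields as a list of
    # {"key", "value"} objects, v2.0 as a plain object.
    body = auth.get(auth.get("type", "")) or []
    if isinstance(body, dict):
        return list(body.items())
    return [(f.get("key"), f.get("value")) for f in body if isinstance(f, dict)]

def find_literal_passwords(node, path="collection"):
    """Return the request/folder paths whose auth block holds a literal password."""
    findings = []
    if isinstance(node, dict):
        if isinstance(node.get("name"), str):
            path = path + "/" + node["name"]
        auth = node.get("auth")
        if isinstance(auth, dict):
            for key, value in auth_fields(auth):
                if key == "password" and value and not VARIABLE_REF.match(str(value)):
                    findings.append("%s (%s)" % (path, auth.get("type")))
        children = list(node.values())
    elif isinstance(node, list):
        children = node
    else:
        children = []
    for child in children:
        findings.extend(find_literal_passwords(child, path))
    return findings

# Constructed sample export: one request with a literal password, one using variables.
SAMPLE = json.loads("""
{"info": {"name": "constructed sample"}, "item": [
  {"name": "hard-coded", "request": {"method": "GET", "auth": {"type": "ntlm", "ntlm": [
    {"key": "username", "value": "svc_test"},
    {"key": "password", "value": "placeholder-secret"},
    {"key": "domain", "value": "EXAMPLE"}]}}},
  {"name": "uses-variables", "request": {"method": "GET", "auth": {"type": "ntlm", "ntlm": [
    {"key": "username", "value": "{{ntlm_user}}"},
    {"key": "password", "value": "{{ntlm_password}}"}]}}}]}
""")

if __name__ == "__main__":
    print(find_literal_passwords(SAMPLE))
```

Run against an exported collection before it is committed or shared; any path it returns still carries a password as plain text.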
1

You can also change internet options and set Logon to: Automatic logon with current user name and password

taken from: https://sysadminspot.com/windows/google-chrome-and-ntlm-auto-logon-using-windows-authentication/

If the website uses https you can add it to Trusted Sites and set it there; otherwise you can add it to local intranet sites and set Custom level... there.

Open internet options:

Click Custom level... and scroll to bottom:

pajics
0

Postman now does NTLM on their desktop apps only.

-9

If you develop your API in C# you can use the following on your Base Controller

#if !DEBUG 
   [Authorize] 
#endif
  • I want to get current user name while executing the API call. How are you gonna achieve that by disabling Authorize? – cdev Nov 08 '18 at 01:57
  • @cdev, at the time of that response, Postman didn't yet support NTLM. There are much better options _now_, but there weren't then. – Hank Schultz Mar 24 '21 at 14:18