47

Is it possible to include the Windows domain credentials to test my web service with SOAP UI?

I found a properties page but the IIS just responses with "wrong credentials".

SteveC
  • 15,808
  • 23
  • 102
  • 173
Henrik P. Hessel
  • 36,243
  • 17
  • 80
  • 100
  • 1
    BurpSuite ProVersion has the 'do www authentication' area, not the freebie version. :( –  May 27 '10 at 22:16
  • 1
    soapUI does natively supports NTLMv1, but since many newer NTLM-based installation require NTLMv2 this is a great workaround, thanks for posting! /Ole eviware.com – olensmar Mar 19 '10 at 11:22

5 Answers5

58

SoapUI doesn't seem to work directly with NTLM authentication, but you can use a proxy such as Burp Suite to do the auth for you.

  1. Download Burp Suite from http://portswigger.net/burp/ and crank it up.
  2. On Burp's "Proxy : Intercept" tab, click the button to turn intercept off.
  3. On Burp's "Proxy : Options" tab, make sure it's set to an unused port, the default is 8081
  4. On Burp's "Options" tab, tick "do www authentication" and add a setting for the server you wish to hit. Also tick "prompt for credentials on authentication failure"
  5. Switch to Burp's "Proxy : History" tab so you can see requests going through.
  6. In SoapUI, choose File > Preferences, then select "Proxy Settings". Enter Host "localhost" and port "8081".
  7. Use SoapUI as normal. It will send requests through Burp Proxy, which will do the NTLM authentication for you.
Gaurav B
  • 661
  • 8
  • 9
Mike Mason
  • 596
  • 5
  • 3
  • Thanks for the response. This worked for me to query a Sharepoint list via soapUI. – Sarah Vessels Feb 05 '10 at 18:18
  • 1
    There is no "Comms" tab burp's current version. – Pedro Rolo May 06 '10 at 14:37
  • The "Comms" tab is "Options" in the current version. Wish I could edit others' posts already ;-) – Dennis G Oct 08 '10 at 11:13
  • 2
    I had a slightly different scenario in that my proxy server requires NTLM v2 authentication (HTTP Response code 407) instead of the web server. Using Burp with the "upstream proxy server" settings instead of the "do www authentication" in step 4 worked for me. – Martin Hollingsworth Mar 30 '11 at 06:17
  • Awesome, Mike, thank you! Charles proxy software will also do this as long as you're using HTTP 1.1. Just configure the SoapUI proxy settings to point to Charles and give it (SoapUI) your NTLM credentials. – John Berberich Apr 06 '11 at 21:00
  • In the new Burp v1.7.21, you have to tick "Override user options" under 'Project Options' tab and give the server settings there and rest of the steps are as given in the solution. This worked great. Thanks. – Abraham Roy Apr 28 '17 at 13:59
  • Couldn't make SoapUI 5.3.0 to correctly handle NTLM. With BurpSuite it worked! – mcanti Jul 15 '17 at 06:23
13

soapUI 4.5 just added support for NTLMv2 which negates the need for Burp Suite.

MadMoai
  • 188
  • 1
  • 8
  • 1
    even with the latest version of SoapUI/LoadUI 4.5.1, this still doesn't work - got it to work with BurpSuite... – Leon Nov 08 '12 at 10:43
  • 1
    Download nightly build, see my reply. – Fanda Apr 02 '13 at 12:29
  • 1
    I can't even get it to work with SoapUI 5.0.0. SoapUI sends the NTLM header, but it seems to be wrong as I get all 401s. – Patrick Szalapski Sep 04 '14 at 21:04
  • 5
    NTLM worked for me in SoapUI 5.3.0. It's necessary enable the option "Adds authentication information to outgoing request" in "HTTP Settings" tab of SoapUI Preferences. It's disabled by default. Then you must specify Username/Password in your request. – Sergey Enns Feb 17 '17 at 17:03
  • I do not want to explicitly set the credentials because soap UI saves these credentials in clear text in the xml. This is not acceptable. - Atul – Atul Sureka Feb 14 '18 at 04:05
  • @SergeyEnns answer is also working. No need for Fiddler2 or Burp – Gajotres Oct 05 '18 at 11:40
  • @SergeyEnns still not working for me. Returns 401 unauthorized still. WcfStorm auth is working. – Shiv Feb 13 '20 at 03:34
  • 2 years on, new machine, same issue. SoapUI 401 unauthorized. As per before WcfStorm working. Should selecting NTLM add anything to the header for auth? Because I see an auth header element with Basic but not NTLM or Kerberos. – Shiv Jan 27 '22 at 00:21
6

The accepted solution will work in most scenarios. If, however, the service uses delegation to access resources on other servers, you will run into a double-hop issue with the NTLM authentication the Burp proxy uses. The proxy will successfully authenticate to the service, but subsequent calls made by the service to other resources using delegation will fail.

The issue is described well in this article:

http://blogs.msdn.com/b/besidethepoint/archive/2010/05/09/double-hop-authentication-why-ntlm-fails-and-kerberos-works.aspx

The easiest workaround I found for this was to use Fiddler as a proxy. On Fiddler's Rules menu, select 'Automatically Authenticate.' Then update your SoapUI preferences to use fiddler as a proxy (the default location is localhost:8888). Now your calls will be wrapped in a credential that can be delegated.

If you use LoadUI to execute your SoapUI test cases, the SoapUI test runner will use your SoapUI proxy settings, and your calls will continue to work.

kiprainey
  • 3,241
  • 4
  • 29
  • 29
  • Where is "Automatically authenticate"? I don't see it in my rules menu. I am using Fiddler 4.4.7.1. – Patrick Szalapski Sep 04 '14 at 21:03
  • I'm on 4.4.9.2, and it's the third item from the bottom on my 'rules' menu. I'm not sure where it is in earlier versions. – kiprainey Sep 04 '14 at 21:23
  • I tried it but it did not work for me. I can see Fiddler capture the traffic & send couple of requests as it gets 401. But final response is still now 200. – Atul Sureka Feb 14 '18 at 09:37
  • I can confirm this solution is working, I have done it before I read this article. Now I'm looking for more direct solution. – Gajotres Oct 05 '18 at 11:37
1

Current release SoapUI 4.5.1 doesn't work with windows authentication, but nightly build version runs again well.

Download nightly build version

Fanda
  • 3,760
  • 5
  • 37
  • 56
1

I think SoapUI might only support NT authentication for the WSDL.

you can see some detail of how it is implemented here:

(BTW, this google search doesn't look promising for you!)

Colin Pickard
  • 45,724
  • 13
  • 98
  • 148