NTLM / Kerberos auth support

Can I create a Java callout policy or some kind of custom code within Apigee to support NTLM auth?

May be a separate question, but can I also use a Java callout policy or some kind of custom code within Apigee to support Kerberos?

Any Ideas?

Examples?


Let me see if I can find someone to answer this question for you...

@linabelramirez ,

Recently, I have successfully done the NTLM / Kerberos auth support for Apigee. Apigee acts as a server in the first part, and in the second part Apigee acts as a client to access the actual backend service.

We have done the same for one of the largest financial services companies, and they are using it to expose their backend services which are protected by Kerberos.

Here is the custom Java policy that I have used: https://github.com/apigee/api-platform-samples/tree/master/sample-proxies/kerberos-credential-mediat... . It can be implemented only in Apigee Edge OPDK. Edge cloud has restrictions when it comes to 3rd-party Java callouts.

It's a difficult setup due to the complexity of Kerberos. It's definitely possible to do, and we have done the same. Unfortunately, I have failed to capture detailed steps in documentation.

------------------------------------------------------------------------------------------------------------

Anil Sagar


Thanks Anil - is there anything that would work for an Edge cloud proxy attempting to connect to a backend (target) service that only accepts NTLM or Kerberos?

Possibly a different kind of callout or library that could be imported?

Note we only need to worry about NTLM with Apigee as the client. We will be authenticating incoming calls via Oauth.

@christophermarriage , Apigee Cloud has many restrictions on using 3rd-party libraries.

Unfortunately, using the NTLM protocol and the Java libraries that facilitate this communication needs config changes at the system level and to Apigee Message Processor properties. We can't allow that on cloud for security reasons.

You can't directly talk to NTLM from Apigee Edge Cloud, but you can talk securely to some system which talks NTLM. It's an additional hop that we have to live with. As long as we secure that system with Apigee using future-proof mutual TLS, we should be good.

We are already planning to do the same on the north bound (using OAuth). We just have to do the same on the south bound and live with the additional hop for Apigee Edge cloud.

Hope it helps.
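As an added example (not code from this thread or from Apigee's own samples), here is what the southbound "additional hop" described above can look like as an Apigee Edge TargetEndpoint: the proxy never speaks NTLM or Kerberos itself; it calls an intermediary gateway over mutual TLS, and that gateway authenticates to the real backend. The hostname, keystore/truststore reference names and key alias are placeholders.

```xml
<!-- Added example: TargetEndpoint for the intermediary ("additional hop").
     Hostname, keystore/truststore references and key alias are placeholders. -->
<TargetEndpoint name="default">
  <HTTPTargetConnection>
    <!-- The intermediary terminates TLS and performs NTLM/Kerberos to the real backend -->
    <URL>https://ntlm-gateway.internal.example.com/legacy-service</URL>
    <SSLInfo>
      <Enabled>true</Enabled>
      <!-- Present a client certificate so the gateway can verify it is really Apigee calling -->
      <ClientAuthEnabled>true</ClientAuthEnabled>
      <KeyStore>ref://southboundKeystoreRef</KeyStore>
      <KeyAlias>apigee-client</KeyAlias>
      <!-- Trust only the gateway's CA rather than the default trust store -->
      <TrustStore>ref://southboundTruststoreRef</TrustStore>
      <!-- Keep validation strict: a hop that skips certificate checks is not "secured with mutual TLS" -->
      <IgnoreValidationErrors>false</IgnoreValidationErrors>
    </SSLInfo>
  </HTTPTargetConnection>
</TargetEndpoint>
```

The gateway side should in turn accept only the Apigee client certificate, so the NTLM/Kerberos credentials it holds are reachable from nowhere else.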

@Dino Thank you! If you can find anyone who can guide me in creating a Java callout policy to support NTLM auth, that would be ideal!