EDIT: this issue has been closed in 15 Dec. 2022 and released with the 10.6.x Postman version.
Lately I’ve faced an authentication issue with Postman that I’ve never experienced before and it was quite challenging to find its root cause, so let me share it with you.
I was working on an infrastructure where the server application was hosted under IIS using Windows authentication, having NTLM as a provider. Everything worked until one day when it didn’t. In the meantime nothing changed in the requests that I was making, which looked somehow like the one below:
Notice the 200 status and the fact that I am getting a nice response in return.
From one day, the requests that everybody made through Postman started failing with a 401 Unauthorized error. In order to troubleshoot it, I’ve tried making the same request through curl
curl.exe http://enterprisesharepoint -v --ntlm --negotiate -u USER123:PASSWORD123
To my complete surprise, the curl request worked so it had to be something related to Postman only. Note: I’ve taken the curl request from this post on StackOverflow, but added the .exe at the end of curl, because running this from Powershell will make it use Invoke-WebRequest which has a different signature.
Days later, digging into this, I’ve been able to find that Postman had a bug related to NTLM authentication when multiple authentication headers were returned from the server. The servers usually return Negotiate and NTLM so it’s quite common and it was my case too, but then again, the bug on the Postman Github page got fixed so I should have not received this error anymore.
Following the conversation in that issue to the bottom of it, you can see somebody else having the same issue, but for a specific case: NTLMv2
And that’s right, Postman does return 401 Unauthorized when the server application only accepts NTLMv2
Looking into the other issue related to authentication support for NTLMv2 you can see that this is the case, and a lot of people complaining about the missing support for it, in a tool that is free.
Okay, the only thing left to check is if you are enforcing NTLMv2 or not.
This check is quite easy to do if you have access to the application server that you are calling in your request. Just login to that server, go to Local Security Policy -> Local Policies -> Security Options and look for the Network security: Lan Manager authentication level. If it’s set to Send NTLMv2 response only. Refuse LM & NTLM then you found the root cause why Postman is not able to authenticate. It only works for NTLM.
That was it, troubleshooting this issue took me a couple of days, but if I would face something like this again, will take me much less time. I believe having plenty of experiences like the one described here is what shapes a software engineer.
And as a note regarding Postman lack of support for NTLMv2, I know it may be frustrating, but keep in mind that it is still a free software, and even more, NTLM is still in Beta for it so use it grateful as I am for you reading my article.
Thanks a lot!