I am finding conflicting posts on whether OutSystems supports the ability to call a remote REST API with Windows credentials passed in the call, also known as "integrated" or "NTLM" authentication. One article I found said it's not supported out of the box, another says it is supported if the environment is set up for it. Can anyone give me a definitive answer on this? My own tests have found it doesn't work, I just get the 401 unauthorized because the "authentication negotiate" header was not passed in the header of the call. Just to clarify, this is to consume a REST API, not expose one. I have found plenty of posts on the latter that are unrelated to my issue.

Hello Jason.

Regarding "Integrated Authentication" using Windows credentials, it will work ONLY if the server that is exposing the REST service is in the same network as the application that is consuming the web service (afaik). Otherwise, it is not possible to "delegate" the credentials.

If you are consuming a remote REST service (another network), the delegation (passing of the user logged credentials) is not done.

In this case, you will have to resort to consuming the REST service through an extension, getting the user credentials to pass them to the remote web service.


In our case they are on the same network and same active directory domain. We get a 401 unauthorized because the call requires the "Authorization" header and that is missing. When I watch a browser do this, it does not initially send the "Authorization" header on first call, so it gets a 401 back and then sends a second request with the header. It does that negotiation once and then remembers it for as long as the browser is open. 

There is one gotcha though: most browsers only operate this way with local intranet sites, and they assume any site with a period in the name is not part of the local intranet. This is only an issue because we use fully qualified host names which include a few periods. To work around this we have to add these sites to the local intranet list in IE for the site to be treated as local intranet. IE, Edge and Chrome all read that list to "know" which sites to treat as local intranet. I did not figure this was the case with OutSystems since it's coming from service side code and not a browser.

I was hoping there was a way to specify in the setup of the API to consume to specify sending authentication, but it appears you are saying it should work this way by default?

Hello Jason. 

I'm sorry. I didn't receive the alert on your comment.

It was pointed out to me that REST does not do integrated authentication in the platform, only SOAP (don't know how I missed this).

There is a component in the forge that seems to teach how to do this using an extension. But I never used...
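
The handshake described in this thread (an unauthenticated first request, a 401 challenge, then a retry carrying the `Authorization` header) is what .NET's `HttpClientHandler` performs when `UseDefaultCredentials` is set. The following is an added example, not code from the thread or from the Forge component mentioned above; the class and method names are hypothetical, and it authenticates as the account running the process, not as the logged-in end user.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

// Hypothetical helper for illustration; not an OutSystems or Forge API.
public static class IntegratedAuthRestClient
{
    public static async Task<string> GetWithWindowsAuthAsync(Uri url)
    {
        var handler = new HttpClientHandler
        {
            // Answer Negotiate/NTLM challenges with the identity of the
            // running process (the service account), not the end user.
            UseDefaultCredentials = true,
            // Do not follow redirects, so the handshake only ever
            // happens with the host named in 'url'.
            AllowAutoRedirect = false
        };

        using (var client = new HttpClient(handler))
        using (var response = await client.GetAsync(url))
        {
            if (response.StatusCode == HttpStatusCode.Unauthorized)
            {
                // Still 401 after the handler had its chance to respond:
                // report which schemes the server offered so the failure
                // can be told apart from a missing challenge.
                var offered = string.Join(", ",
                    response.Headers.WwwAuthenticate.Select(h => h.Scheme));
                throw new InvalidOperationException(
                    "401 from " + url.Host + "; server offered: [" + offered + "]");
            }

            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync();
        }
    }
}
```

Because the call runs under the service account, the remote API should authorize that account with only the permissions the integration needs.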