Receiving a 401 http response when consuming a Web Services that requires pre-emptive basic authentication

Version 2
    Share This:

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    Remedy AR System Server


    AR System Mid Tier


    Web Services 9.0/9.1, 18x, 19x, Basic Authentication , NTLM,NTLM(windows authentication), integration


    When consuming an external web service through Remedy ARSystem (via a filter or escalation), you may need to provide Basic Authentication credentials to the external web server that is hosting the external soap web service. The filter/escalation does provide a "Login" button to provide those Basic authentication credentials. However, there are 2 methods in which the client can provide these credentials, and the web server may require one or the other.

    1) Challenge/Response: The client is not expected to provide any credentials on the initial request. The server will challenge the client, then the client will respond with the credentials.
    2) Preemptive: The client is expected to provide the Basic authentication credentials on the initial request. For example, it will need to contain this header initially:

         Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l

    In Remedy ARSystem 9.x, the system will default to using Challenge/Response Basic Authentication. This means it will not provide the Authorization header initially. Some web servers will fail this type of request.



     BMC Remedy integration supports Basic Authentication and not NTLM(windows authentication).

    For versions 9.0 SP1 and 9.1 and higher, this problem has been fixed in the latest hotfix (at the time of this writing, it would be hotfixes dated 2/17 or later).
    There is a new configurable property added that allows you to specify which Endpoint URL's you would like to use Preemptive Authentication. You can add the following entry into ar.cfg (or into the Centralized Configuration).


    The value is a semi-colon separated list of Endpoint URL's. For example:
         WebSvc-FilterAPI-Wsse-Use-Preemptive-Auth-Endpoints: https://ws1/test; http://ws2/test2

    When the Filter or Escalation is executed and the Login credentials are populated, the Remedy server will check this list of endpoint URL's and set the Basic Authentication to Preemptive if the Endpoint URL matches.
    NOTE: When adding this property, you will need to restart the ARServer process or do an ARReload for it to reload the configuration.

    Depending on your midtier version, you may also need to modify the axis2.xml file.   Please refer to this article:

    Article Number:


    Article Type:


      Looking for additional information?    Search BMC Support  or  Browse Knowledge Articles