I still cannot authenticate to the API. The Orchestrator admin is out of my control. So, my question is: is there a setting or anything in the Orchestrator which needs to be set to enable API access using NTLM?
I can log in using the UI with no problem. I also get an NTLM token when using Postman.
You reference Orchestrator 2016 in the documentation link. I can only really comment on 2018.3 as that is what we are currently using in house.
There are two methods to authenticate:
If you are signing into Orchestrator using the HTML form, then you are using a local account; if you are auto-logged in or click the Windows logo below the HTML form, then you are authenticating using your domain account via Windows Authentication/NTLM.
The primary difference here is that with local account authentication you must call the Authenticate endpoint, passing your credentials in the body of the POST request; from there you provide the returned bearer token as an Authorization header in each request after that.
Using a domain account (Windows Authentication), you skip the Authenticate endpoint and ensure that the NTLM token is passed along. If doing this from a Windows host, many applications can pass this along automatically if the domain your Orchestrator is hosted in is trusted by the client being used.
As for what can be managed on Orchestrator:
Whether or not domain authentication is enabled (WindowsAuth.Enabled)
Domain to authenticate with (WindowsAuth.Domain)
Whether or not auto-login is enabled (WindowsAuth.AutoLogin.Enabled)
Roles/Permissions - the same roles and permissions are used by both the UI and the API (the UI is just making its own requests to the API)
Test it out using the Swagger interface at /swagger; if you have Windows Authentication enabled, you’ll be able to use the Swagger interface to make some test queries to the API.
Other things to keep in mind are:
Your local client authentication, i.e. if you are using an application that relies on the Internet Options (IE, Chrome, etc.) and the domain isn’t trusted, then you might not be passing your authentication along.
Is the user you are authenticating with the same account that has permissions in Orchestrator? You might need to override the credentials being passed along using the Windows Credential Manager.
IIS hosting Orchestrator should also be configured appropriately.
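The two paths the answer describes, as an added PowerShell example (not code from this thread or from UiPath). The host, tenant name and probe endpoint are placeholders, and the Authenticate request shape follows the Orchestrator 2018.x API reference:

```powershell
# Added example (not from the thread): the two Orchestrator authentication paths
# described above, exercised from PowerShell 5.1 on a Windows host.
# ASSUMPTIONS: host and tenant are placeholders; the Authenticate endpoint path and
# body fields follow the Orchestrator 2018.x API reference; /odata/Robots is just a
# harmless read used to prove the session works.
$Orchestrator = 'https://orchestrator.example.internal'   # placeholder host
$Probe        = "$Orchestrator/odata/Robots?`$top=1"      # any read the account is permitted to make

# --- Method 1: local account (HTML form) -> Authenticate endpoint -> bearer token ---
function Get-LocalAccountSession {
    param([string]$TenancyName = 'Default')   # placeholder tenant name
    $cred = Get-Credential -Message 'Orchestrator local account'   # never hard-code the password
    $body = @{
        tenancyName            = $TenancyName
        usernameOrEmailAddress = $cred.UserName
        password               = $cred.GetNetworkCredential().Password
    } | ConvertTo-Json
    $resp = Invoke-RestMethod -Method Post -Uri "$Orchestrator/api/Account/Authenticate" `
                              -ContentType 'application/json' -Body $body
    # Every later call carries the token as "Authorization: Bearer <token>"
    return @{ Authorization = "Bearer $($resp.result)" }
}

# --- Method 2: domain account (Windows Authentication / NTLM) -> no Authenticate call ---
function Invoke-WithWindowsAuth {
    param([pscredential]$Override)   # set only when the logged-on user is not the Orchestrator user
    if ($Override) {
        # Same idea as overriding the identity in Credential Manager: pass explicit domain creds.
        return Invoke-RestMethod -Uri $Probe -Credential $Override
    }
    # Pass the current Windows logon; the HTTP stack performs the Negotiate/NTLM handshake.
    return Invoke-RestMethod -Uri $Probe -UseDefaultCredentials
}

# Quick checks: a 401 on the Windows Authentication path usually means WindowsAuth.Enabled
# is off, the Orchestrator domain is not trusted by the client, or the caller's account
# has no Orchestrator role (see the points above).
try {
    $headers = Get-LocalAccountSession
    Invoke-RestMethod -Uri $Probe -Headers $headers | Out-Null
    'Local-account (bearer) path OK'
} catch { "Local-account path failed: $($_.Exception.Message)" }

try {
    Invoke-WithWindowsAuth | Out-Null
    'Windows Authentication (NTLM) path OK'
} catch { "Windows Authentication path failed: $($_.Exception.Message)" }
```

If the local-account path works but the Windows Authentication path returns 401, the problem is on the Orchestrator/IIS or trust side rather than with your permissions.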