GET request works in browser, but I get Unauthorized when using Postman

First, log in to CRM and leave the tab sitting there.

Go into Postman.

Enable the Interceptor (see image).

Enter the URL and hit SEND, just like that. Postman will take care of cookies and headers on its own, and you'll see the results.

If you log out from CRM, Postman will obviously no longer be able to issue the requests and will return 401 instead.


It seems like the server you are calling requires RFC 4559 (https://tools.ietf.org/html/rfc4559) authentication. More details here: https://en.wikipedia.org/wiki/SPNEGO.

The way it works in the case of a GET request from the browser:

  1. Browser requests the required page
  2. The server responds with HTTP 401 (Unauthorized) and provides a response header WWW-Authenticate: Negotiate. This tells the browser that RFC 4559 authentication is required.
  3. The browser makes sure the site has permissions for this action (details on configuration here: https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Kerberos-NTLM). Most sites will not be allowed to request such authorization without being explicitly white-listed.
  4. If permitted, the browser requests a Kerberos ticket from the domain's Active Directory.
  5. Active Directory responds with a ticket.
  6. The browser forwards the ticket to the server (via the Authorization: Negotiate xxxxx header that you see).
  7. The server interacts with the same Active Directory and turns that ticket into username and groups/permissions information.

I am not aware of a tool that will let you do this (simulate a browser) if you are trying to automate requests against the server (which is probably an internal/intranet company site). Your best course of action may be some form of scripting (like VBS) which will use IE via COM and possibly handle this authentication for you (I have not done this, so not sure if it will indeed work).
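The challenge/response exchange described in this answer, as an added example that is not part of the original post: a mock server that issues the RFC 4559 Negotiate challenge, and a client that retries with the Authorization header only after being challenged. The token is a constructed placeholder; a real client would obtain it from GSSAPI/SSPI (for example the `gssapi` package) and a real server would hand it to Active Directory for validation.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for a real GSSAPI token (the Kerberos AP-REQ a library
# such as the `gssapi` package would produce); nothing here talks to a KDC.
FAKE_TOKEN = b"constructed-kerberos-ap-req"

class NegotiateHandler(BaseHTTPRequestHandler):
    """Mock server: challenges with 401 + WWW-Authenticate: Negotiate (RFC 4559)."""
    def do_GET(self):
        scheme, _, token_b64 = self.headers.get("Authorization", "").partition(" ")
        token = base64.b64decode(token_b64) if scheme == "Negotiate" else None
        # A real server hands the token to GSSAPI/SSPI, which talks to Active
        # Directory and yields the username and groups; here it is a comparison.
        if token != FAKE_TOKEN:
            self.send_response(401)
            self.send_header("WWW-Authenticate", "Negotiate")
            self.end_headers()
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")
    def log_message(self, *args):  # keep the example quiet
        pass

def start_server():
    srv = HTTPServer(("127.0.0.1", 0), NegotiateHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def negotiate_get(host, port, path, token):
    """Client: plain GET first, retry with Authorization: Negotiate only if
    challenged (steps 2 and 6 above). Returns the status codes seen, in order."""
    conn = http.client.HTTPConnection(host, port)
    conn.request("GET", path)
    resp = conn.getresponse()
    resp.read()
    statuses = [resp.status]
    challenge = (resp.getheader("WWW-Authenticate") or "").lower()
    if resp.status == 401 and challenge.startswith("negotiate"):
        header = "Negotiate " + base64.b64encode(token).decode("ascii")
        conn.request("GET", path, headers={"Authorization": header})
        resp = conn.getresponse()
        resp.read()
        statuses.append(resp.status)
    conn.close()
    return statuses
```

A client that sends the token unprompted, or that sends a stale one after the session ends, sees the same 401 the Postman answer above describes.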