Windows Install with mod_ntlm
There are two different Apache modules which use NTLM for authentication. The one this page is about is for Apache running on a Windows server. The second is for Apache running on a Unix server within a Windows domain (NTLM auth module for Apache/Unix).
Why?
Our intranet is Windows-based. I installed TWiki on the internal web server/file server/domain controller, which was running IIS. For the sake of buy-in, I set the edit scripts up to require NT authentication and left the view scripts unauthenticated. That way, everyone who was logged on to the domain (which is most people) would be automatically authenticated if they tried to edit, and anyone who wasn't had only to remember their domain login (and use IE or Mozilla 1.4+) to edit pages in TWiki.
The buy-in was beyond my expectations, but TWiki itself was barely limping along (see RcsOnW2K). When people started getting serious about TWiki, I felt I had to get RCS working. The only promising way to do that, in turn, was to switch from IIS to Apache and lose the NT authentication my users had come to expect.
That's where mod_ntlm comes in. I saw a reference to it somewhere here and tried to track it down. I set IIS to use a different port, then installed Apache, the cygwin utilities and TWiki (with a copy of my twiki data directories) according to the WindowsInstallCookbook, added the module, and voila! Apache is doing NT authentication better than IIS was - it's letting in an XP user who kept having to authenticate under IIS. I still have IIS running on port 8080, just in case someone wants it.
mod_ntlm (Apache 1.3x)
The Apache module mod_ntlm is available for both Unix systems and Windows. It allows Apache to authenticate users using NT authentication instead of, or in addition to, basic authentication.
This helps to avoid ForgettingPasswords and GettingTheUsernameWrong, which are both quite common issues with TWiki installations. -- [ RD ]
I set mod_ntlm up on a Windows 2000 server and configured TWiki to use NT authentication only. I give detailed instructions on doing so below; alternatively, one could figure it out using the information at the Syneapps site - http://www.syneapps.com/software/mod_ntlm/, which includes a FAQ and a basic installation guide.
I used mod_ntlm version 1.3, Apache/1.3.24 (Win32), Windows 2000 Server, Cygwin RCS, Cygwin Perl, and TWiki Production Release 01 Dec 2001. The mod_ntlm module itself requires at least Apache version 1.3.20 and Windows NT.
Installation
These instructions assume you have a working setup produced by WindowsInstallCookbook.
- Download "mod_ntlm-1.3.zip" from http://www.gknw.net/development/apache/apache-1.3/win32/modules/
- Extract mod_ntlm-1.3/bin-1.3/mod_ntlm.so from the archive. You don't need any of the other files.
- Put mod_ntlm.so into c:\Apache\modules\
- Edit c:\Apache\conf\httpd.conf as follows:
- Restart Apache.
- Edit c:\twiki\bin\.htaccess as follows (example below):
  - Leave the Redirect commands, if any.
  - Comment out the AuthUserFile and AuthName lines (or remove them).
  - Change AuthType Basic to AuthType NTLM.
  - Add a line below that one that says NTLMAuth On
  - Add a line below that one that says NTLMAuthoritative On
That's it. If you want to change the authentication on the individual scripts, you don't need to repeat the AuthType line, just change the Files information to require valid-user or allow from all, as desired. Keep in mind that NT authentication works only with IE on Windows, so it's probably wise to leave the view script unauthenticated.
This is what my bin/.htaccess file looks like, more or less:
Redirect /index.html http://my.domain.com/bin/view
#AuthUserFile c:/twiki/data/.htpasswd
#AuthName ByPassword
AuthType NTLM
NTLMAuth On
NTLMAuthoritative On
#NTLMOfferBasic On
SetHandler cgi-script
The rest of the file is the same as distributed.
Adding NTLMOfferBasic
I didn't manage to add the basic authentication option, which allows you to use either kind of authentication. From what I read, you would have to set Apache to run as a user, then configure that user account in a certain way that was not adequately specified in the mod_ntlm FAQ. If anyone has done it, I'd like to hear how it went.
-- MaryDeMarco - 18 Apr 2002
Very interesting - I don't have access to an NT/Win2000 server, but it could still be useful to authenticate users of laptop TWikis. I've added a comment near the top.
-- RichardDonkin - 21 Apr 2002
Following the above instructions on XP with cygwin 5.1 and Apache 1.3.x I was unable to restart my apache server.
Using net start or apache restart didn't generate any meaningful errors, but running the exe directly generated the following error:
Syntax error in line 194. Cannot load /c/Apache/modules/mod_ntlm.so (5) Access denied
This slightly misleading error was finally tracked down to file ownership and permissions. I simply used chmod and chown to match the other files in the directory after running ls -al.
Note cygwin's ls output often has a '+' (plus) at the end which is an attempt by Cygwin to indicate Windows ACLs - I matched all the ownership and permissions except for the + and my apache started without a murmur.
-- SteveMayes - 03 Feb 2005
mod_auth_sspi (Apache 2.x)
This configuration is working for MattWilkie, circa summer 2003:
- Cygwin as per the WindowsInstallCookbook (I'm using cygwin-perl 5.8 but there are some oddities I haven't tracked down; you may want to stick to 5.6)
- mod_auth_sspi from http://www.gknw.net/development/apache/httpd-2.0/win32/modules/ (see comments below for newer versions),
- put *.h in $apache-dir/include, *.so in $apache-dir/bin, whoami in $apache-dir/cgi-bin. You don't need the rest of the files. Add the LoadModule line to httpd.conf as described in the Install.
- add Include c:/twiki/etc/apache2.conf to the end of c:\apache2\conf\httpd.conf
- use my_cfg.txt from the mod_auth_sspi distribution archive as a model for c:/twiki/etc/apache2.conf. A full version of mine is attached, relevant excerpt:
<Directory "C:/twiki">
AllowOverride None
Options None
Order allow,deny
Allow from all
AuthName "Login using your DOMAIN username and password"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOfferBasic On
require valid-user
</Directory>
This setup requires all visitors be authenticated even for viewing. It works with IE5+ and Mozilla 1.4+. I haven't tried with any other browsers except lynx, which fails.
IE users don't have to login, TransparentAuthentication at last.
To change the rendering of usernames from 'DOMAIN\jhsmith' to 'jhsmith', apply the ntlm-username.patch (Along with this there is an "unrecognized escape" error in the Apache log. See LoginNameAndNtlm for details. The patch fixes both.)
To change Users.jhsmith into a hyperlink to the user's personal preferences topic, apply the UseLoginNames patch.
-- MattWilkie - 30 Jul 2003
mod_auth_sspi (> Apache 2.0)
I am using Apache 2.2.4 as provided by the Windows installer for TWiki 4.2, and it should be noted that (as of this writing) the download link provided above for mod_auth_sspi only supports Apache 2.0.
For newer versions of Apache, download "mod_auth_sspi-1.0.4-2.2.3-w32.zip" from the official site. That name implies "Apache 1.0.4 to 2.2.3", but the module works on any Apache 2.2.x (reference).
By the way, I was using mod_ntlm (Apache 1.3x / TWiki 4.1) until now, and mod_auth_sspi is much faster. But I'm also using ActiveState Perl instead of cygwin, so I don't know for sure where the speed-up came from.
-- SeanCMorgan - 12 Mar 2008
Older discussion, refactoring fodder
I'm a quick learner, and after studying the TWiki perl code I could answer my question :) I had to change the username on the Main.TWikiUsers page to reflect the whole login name, SEEKER\David in my case. SSPI does work, and this is exactly what I wanted, no popup, no more password, only Windoz. Rulez.
See my installation on TWikiOnWindowsKnownConfigurations
-- DavidKosa - 04 May 2002
Yes, the incorrect username is something you need to watch out for. It usually happens when the users fill in what they think are their usernames (mdemarco) instead of the machine-qualified version (ICT\mdemarco), so they're not really registered under the NT name. If you force NT authentication on the registration page, then TWiki will fill in the correct username for them and you're guaranteed the right registration - but the only way I know of to do that is to authenticate the whole view script. I have people viewing from other browsers, though, so it's not practical for me to force NT authentication for view.
I'm curious - does SSPI do Basic Authentication with Apache running as LocalSystem? I have some people using Linux and I'd like to be able to allow basic authentication for them.
-- MaryDeMarco - 06 May 2002
I've been able to get mod_auth_sspi to work with Apache 2.0.39 (native win32, not Cygwin) but unable to get it to fall back to basic authentication if it fails. My .htaccess looks like:
## ---- mod_auth_sspi ----
AuthName "Local Intranet"
AuthType SSPI
SSPIAuth On
# set to 'off' to allow access control to be passed
# along to lower modules if the UserID is not known to
# this module. [from the source code]
SSPIOfferSSPI Off
SSPIAuthoritative Off
## ---- end mod_auth_sspi ----
# The path here must be a file pathname, not a URL - first part should match
# the $dataDir setting in TWiki.cfg
AuthUserFile C:/Docs/www/doe/data/.htpasswd
AuthName ByPassword
AuthType Basic
with this block added further in so view doesn't need to be authenticated:
<Files "view">
allow from all
</Files>
SSPI works like a charm. There is quite a feeling of gratification to simply slap edit and see your NT username at the bottom of the edit textarea, with no messy intervening prompts.
However there is a marked lag after hitting edit (or preview, or attach, or ...). I am assuming because of the time it takes to authenticate against the login server (about 5 kilometers away from me). There must be no cache. Presumably if the webserver was a domain controller there would be a lesser delay.
There are some errors in the apache error log, so perhaps the latency is from something else:
[Thu Jun 27 16:35:45 2002] [error] [client 199.247.173.70] \
[Fri Jun 28 00:35:45 2002] save: Unrecognized escape \m passed \
through before HERE mark in regex m/^Main.YNET\m << HERE hwilkie$/ \
at ../lib/TWiki/Access.pm line 177., referer: \
http://rhino/bin/preview/TWiki/WelcomeGuest
And of course it only works for IE. L:(
-- MattWilkie - 27 Jun 2002
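As an added illustration (not TWiki's own code or any patch from this page, and written in Python rather than TWiki's Perl), the block below shows the two things discussed on this page: reducing the REMOTE_USER value 'DOMAIN\jhsmith' to 'jhsmith' (the 30 Jul 2003 note above), and why interpolating a domain-qualified login such as YNET\mhwilkie unescaped into a regex produces the "Unrecognized escape \m" error in the log just above, against the escaped form that matches the name literally. The function names strip_domain, is_member_unsafe, is_member_safe and membership_check are hypothetical, and the member lines are constructed sample data.

```python
import re

# Hypothetical helpers, not TWiki's Access.pm. All sample values are constructed.

def strip_domain(remote_user):
    """Reduce 'DOMAIN\\user' (REMOTE_USER as set by mod_ntlm / mod_auth_sspi) to 'user'."""
    _domain, sep, user = remote_user.rpartition("\\")
    return user if sep else remote_user

def is_member_unsafe(member_line, login):
    """Interpolates the login name straight into the pattern, mirroring the
    m/^Main.YNET\\mhwilkie$/ regex quoted in the error log above. The backslash
    in the login becomes a regex escape: Perl warns 'Unrecognized escape \\m',
    Python's re raises re.error instead."""
    return re.match("^Main." + login + "$", member_line) is not None

def is_member_safe(member_line, login):
    """re.escape() is Python's counterpart of Perl's \\Q...\\E (quotemeta), so the
    login is matched literally; the dot after 'Main' is escaped as well."""
    return re.match(r"^Main\." + re.escape(login) + "$", member_line) is not None

def membership_check(member_line, login):
    """Run both variants; report 'error' where the unescaped pattern fails to compile."""
    try:
        unsafe = is_member_unsafe(member_line, login)
    except re.error:
        unsafe = "error"
    return unsafe, is_member_safe(member_line, login)

if __name__ == "__main__":
    for member, login in [("Main.YNET\\mhwilkie", "YNET\\mhwilkie"),
                          ("Main.jhsmith", "jhsmith"),
                          ("MainXjhsmith", "jhsmith")]:
        print(repr(login), "->", strip_domain(login), membership_check(member, login))
```

The third sample shows a side effect of the unescaped dot in 'Main.': the unsafe form accepts 'MainXjhsmith' while the escaped form does not.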
NTLMBasicPreferred Off
NTLMOfferBasic On
seemed to work for me to make it offer basic to netscape users. Note that the netscape users have to enter their name as domain\username.
-- BobSmart - 05 Sep 2002
Mozilla 1.4 has NTLM authentication!
http://mozilla.org/releases/mozilla1.4rc2/#new
-- MattWilkie - 20 Jun 2003
Matt - I got the same Unrecognized escape 'passed through before HERE' error that you did. Did you find a solution?
-- MartinCleaver - 16 Jul 2003
The unrecognised escape error is now fixed and the domain name is stripped from the login name. Still not working is the conversion from login name (aka username) to WikiName. See LoginNameAndNtlm.
Also fixed are the extremely long time lags. I dunno how this got fixed, too many things are different: new server, new office, new OS, new browsers, new everything. :P
No update on Fall back to Basic authentication: now that Mozilla can use NTLM and Netscape is officially dead it's not such a big issue. At some point I will go back and retry this so text only browsers like lynx will work but I have other things to solve first.
Am now using Apache-win32 2.0.47 and Cygwin-perl v5.8 on this install.
-- MattWilkie - 24 Jul 2003
added config details for Apache2 mod_auth_sspi. Some more refactoring would be useful
-- MattWilkie - 30 Jul 2003
Anyone got mod_ntlm working with mod_perl? I've managed to install the two modules, but when I go to save a page after editing, I get a 'You need to register page' with what looks like a http header at the top. If I then refresh the page, the save occurs successfully. Anyone got any ideas?
-- NathanReeves - 03 Oct 2003
Okay scratch the above problem. Take a look at ExtraneousLineInHttpHeader for a fix. Appears to raise its head when using mod_perl.
-- NathanReeves - 03 Oct 2003