Windows Install with mod_ntlm

There are two different Apache modules which use NTLM for authentication. The one this page is about is for Apache running on a Windows server. The second is for Apache running on a Unix server within a Windows domain. (NTLM auth module for Apache/Unix)

Why?

Our intranet is Windows-based. I installed TWiki on the internal web server/file server/domain controller, which was running IIS. For the sake of buy-in, I set the edit scripts up to require NT authentication and left the view scripts unauthenticated. That way, everyone who was logged on to the domain (which is most people) would be automatically authenticated if they tried to edit, and anyone who wasn't had only to remember their domain login (and use IE or Mozilla 1.4+) to edit pages in TWiki.

The buy-in was beyond my expectations, but TWiki itself was barely limping along (see RcsOnW2K). When people started getting serious about TWiki, I felt I had to get RCS working. The only promising way to do that, in turn, was to switch from IIS to Apache and lose the NT authentication my users had come to expect.

That's where mod_ntlm comes in. I saw a reference to it somewhere here and tried to track it down. I set IIS to use a different port, then installed Apache, the cygwin utilities and TWiki (with a copy of my twiki data directories) according to the WindowsInstallCookbook, added the module, and voila!

Apache is doing NT authentication better than IIS was - it's letting in an XP user who kept having to authenticate under IIS. I still have IIS running on port 8080, just in case someone wants it.

mod_ntlm (Apache 1.3x)

The Apache module mod_ntlm is available for both Unix systems and Windows. It allows Apache to authenticate users using NT authentication instead of, or in addition to, basic authentication. This helps to avoid ForgettingPasswords and GettingTheUsernameWrong, which are both quite common issues with TWiki installations. -- [ RD ]

I set mod_ntlm up on a Windows 2000 server and configured TWiki to use NT authentication only. I give detailed instructions on doing so below; alternately, one could figure it out using the information at the Syneapps site - http://www.syneapps.com/software/mod_ntlm/, which includes a FAQ and a basic installation guide.

I used mod_ntlm version 1.3, Apache/1.3.24 (Win32), Windows 2000 Server, Cygwin RCS, Cygwin Perl, and TWiki Production Release 01 Dec 2001. The mod_ntlm module itself requires at least Apache version 1.3.20 and Windows NT.

Installation

These instructions assume you have a working setup produced by WindowsInstallCookbook.

  1. Download "mod_ntlm-1.3.zip" from http://www.gknw.net/development/apache/apache-1.3/win32/modules/
  2. Extract mod_ntlm-1.3/bin-1.3/mod_ntlm.so from the archive. You don't need any of the other files.
  3. Put mod_ntlm.so into c:\Apache\modules\
  4. Edit c:\Apache\conf\httpd.conf as follows:
    • At the end of the list of LoadModule commands (they're probably all commented out), add the line:
      LoadModule ntlm_module modules/mod_ntlm.so
    • At the end of the list of AddModule commands add the line:
      AddModule mod_ntlm.c
  5. Restart Apache.
  6. Edit c:\twiki\bin\.htaccess as follows (example below):
    • Leave the Redirect commands, if any.
    • Comment out the AuthUserFile and AuthName lines (or remove them)
    • Change AuthType Basic to AuthType NTLM
    • Add a line below that one that says NTLMAuth On
    • Add a line below that one that says NTLMAuthoritative On

That's it. If you want to change the authentication on the individual scripts, you don't need to repeat the AuthType line, just change the Files information to require valid-user or allow from all, as desired. Keep in mind that NT authentication works only with IE on Windows, so it's probably wise to leave the view script unauthenticated.

This is what my bin/.htaccess file looks like, more or less:


Redirect /index.html http://my.domain.com/bin/view

#AuthUserFile c:/twiki/data/.htpasswd
#AuthName ByPassword
AuthType NTLM

NTLMAuth On
NTLMAuthoritative On
#NTLMOfferBasic On

SetHandler cgi-script

The rest of the file is the same as distributed.

Adding NTLMOfferBasic

I didn't manage to add the basic authentication option, which allows you to use either kind of authentication. From what I read, you would have to set Apache to run as a user, then configure that user account in a certain way that was not adequately specified in the mod_ntlm FAQ. If anyone has done it, I'd like to hear how it went.

-- MaryDeMarco - 18 Apr 2002

Very interesting - I don't have access to an NT/Win2000 server, but it could still be useful to authenticate users of laptop TWikis. I've added a comment near the top.

-- RichardDonkin - 21 Apr 2002

Following the above instructions on XP with cygwin 5.1 and Apache 1.3.x I was unable to restart my apache server.

Using net start or apache restart didn't generate any meaningful errors, but running the exe directly generated the following error:

Syntax error in line 194. Cannot load /c/Apache/modules/mod_ntlm.so  (5) Access denied

This slightly misleading error was finally tracked down to file ownership and permissions. I simply used chmod and chown to match the other files in the directory after running ls -al.

Note cygwin's ls output often has a '+' (plus) at the end, which is an attempt by Cygwin to indicate Windows ACLs - I matched all the ownership and permissions except for the + and my apache started without a murmur.

-- SteveMayes - 03 Feb 2005


mod_auth_sspi (Apache 2.x)

This configuration is working for MattWilkie, circa summer 2003:

  • Cygwin as per the WindowsInstallCookbook (I'm using cygwin-perl 5.8 but there are some oddities I haven't tracked down; you may want to stick to 5.6)

  • mod_auth_sspi from http://www.gknw.net/development/apache/httpd-2.0/win32/modules/ (see comments below for newer versions),
    • put *.h in $apache-dir/include, *.so in $apache-dir/bin, whoami in $apache-dir/cgi-bin. You don't need the rest of the files. Add the LoadModule line to httpd.conf as described in the Install.
    • add Include c:/twiki/etc/apache2.conf to the end of c:\apache2\conf\httpd.conf
    • use my_cfg.txt from the mod_auth_sspi distribution archive as a model for c:/twiki/etc/apache2.conf. A full version of mine is attached, relevant excerpt:
<Directory "C:/twiki">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
    AuthName "Login using your DOMAIN username and password"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIOfferBasic On
    require valid-user
</Directory>

This setup requires all visitors be authenticated even for viewing. It works with IE5+ and Mozilla 1.4+. I haven't tried with any other browsers except lynx, which fails.

IE users don't have to login, TransparentAuthentication at last.

To change the rendering of usernames from 'DOMAIN\jhsmith' to 'jhsmith', apply the ntlm-username.patch (Along with this there is an "unrecognized escape" error in the Apache log. See LoginNameAndNtlm for details. The patch fixes both.)

To change Users.jhsmith into a hyperlink to the users personal preferences topic, apply the UseLoginNames patch.

-- MattWilkie - 30 Jul 2003

mod_auth_sspi (> Apache 2.0)

I am using Apache 2.2.4 as provided by the Windows installer for TWiki 4.2, and it should be noted that (as of this writing) the download link provided above for mod_auth_sspi only supports Apache 2.0.

For newer versions of Apache, download "mod_auth_sspi-1.0.4-2.2.3-w32.zip" from the official site. That name implies "Apache 1.0.4 to 2.2.3", but the module works on any Apache 2.2.x (reference).

By the way, I was using mod_ntlm (Apache 1.3x / TWiki 4.1) until now, and mod_auth_sspi is much faster. But I'm also using ActiveState Perl instead of cygwin, so I don't know for sure where the speed-up came from.

-- SeanCMorgan - 12 Mar 2008


Older discussion, refactoring fodder

I'm a quick learner, and after studying the TWiki perl code I could answer my question:) I had to change the username on the Main.TWikiUsers page to reflect the whole login name, SEEKER\David in my case. SSPI does work, and this is exactly what I wanted, no popup, no more password, only Windoz. Rulez. See my installation on TWikiOnWindowsKnownConfigurations

-- DavidKosa - 04 May 2002

Yes, the incorrect username is something you need to watch out for. It usually happens when the users fill in what they think are their usernames (mdemarco) instead of the machine-qualified version (ICT\mdemarco), so they're not really registered under the NT name. If you force NT authentication on the registration page, then TWiki will fill in the correct username for them and you're guaranteed the right registration - but the only way I know of to do that is to authenticate the whole view script. I have people viewing from other browsers, though, so it's not practical for me to force NT authentication for view.

I'm curious - does SSPI do Basic Authentication with Apache running as LocalSystem? I have some people using Linux and I'd like to be able to allow basic authentication for them.

-- MaryDeMarco - 06 May 2002

I've been able to get mod_auth_sspi to work with Apache 2.0.39 (native win32, not Cygwin) but unable to get it to fall back to basic authentication if it fails. My .htaccess looks like:

## ---- mod_auth_sspi ----
AuthName "Local Intranet"
AuthType SSPI
SSPIAuth On

# set to 'off' to allow access control to be passed 
# along to lower modules if the UserID is not known to 
# this module. [from the source code]
SSPIOfferSSPI Off


SSPIAuthoritative Off
## ---- end mod_auth_sspi ----    

# The path here must be a file pathname, not a URL - first part should match 
# the $dataDir setting in TWiki.cfg
AuthUserFile C:/Docs/www/doe/data/.htpasswd
AuthName ByPassword
AuthType Basic

with this block added further in so view doesn't need to be authenticated:

<Files "view">
       allow from all
</Files>

SSPI works like a charm. There is quite a feeling of gratification to simply slap edit and see your NT username at the bottom of the edit textarea, with no messy intervening prompts.

However there is a marked lag after hitting edit (or preview, or attach, or ...). I am assuming because of the time it takes to authenticate against the login server (about 5 kilometers away from me). There must be no cache. Presumably if the webserver was a domain controller there would be a lesser delay.

There are some errors in the apache error log, so perhaps the latency is from something else:

[Thu Jun 27 16:35:45 2002] [error] [client 199.247.173.70] \ 
[Fri Jun 28 00:35:45 2002] save: Unrecognized escape \m passed \ 
through before HERE mark in regex m/^Main.YNET\m << HERE hwilkie$/ \ 
at ../lib/TWiki/Access.pm line 177., referer: \ 
http://rhino/bin/preview/TWiki/WelcomeGuest 

And of course it only works for IE. L:(

-- MattWilkie - 27 Jun 2002
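Added example, not part of the original page or of the TWiki code base: the Access.pm error quoted above comes from interpolating a login name that still carries its DOMAIN\ prefix straight into a regex, so the backslash in YNET\mhwilkie is read as the escape \m. The Python script below reproduces the same class of bug (Python 3.7+ rejects unknown escapes where Perl only warns), shows the quieter variant where the backslash happens to form a valid escape and the check silently fails, applies re.escape as the fix, and strips the DOMAIN\ prefix the way the ntlm-username.patch is described as doing. The login names are constructed samples; strip_domain, naive_match, safe_match and check_all are names of my own, not TWiki functions.

```python
import re

# Constructed sample login names in the form a Windows NTLM/SSPI module hands
# them to the application: DOMAIN\user with a backslash separator, plus one
# plain name with no domain.
SAMPLE_LOGINS = ["YNET\\mhwilkie", "CORP\\dsmith", "jhsmith"]


def strip_domain(login: str) -> str:
    """Reduce 'DOMAIN\\user' to 'user'; a name without a domain is returned unchanged."""
    return login.rsplit("\\", 1)[-1]


def naive_match(login: str, web: str = "Main") -> bool:
    """The buggy access check: build the pattern by string interpolation.

    For 'YNET\\mhwilkie' the pattern becomes '^Main.YNET\\mhwilkie$'; '\\m' is not a
    valid escape, so the regex engine refuses it (re.error here, 'Unrecognized
    escape' in Perl).  For 'CORP\\dsmith' the escape '\\d' IS valid (a digit), so
    no error is raised and the check silently returns False.
    """
    pattern = "^" + web + "." + login + "$"
    return re.search(pattern, web + "." + login) is not None


def safe_match(login: str, web: str = "Main") -> bool:
    """Same check with the user-controlled text escaped before it enters the regex."""
    pattern = "^" + re.escape(web + "." + login) + "$"
    return re.search(pattern, web + "." + login) is not None


def check_all(logins):
    """Run both checks over each login and report the outcome side by side."""
    results = {}
    for login in logins:
        try:
            naive = naive_match(login)
        except re.error as exc:
            naive = "re.error: " + str(exc)
        results[login] = {
            "naive": naive,
            "safe": safe_match(login),
            "stripped": strip_domain(login),
        }
    return results


if __name__ == "__main__":
    for login, outcome in check_all(SAMPLE_LOGINS).items():
        print(login, outcome)
```

The point for anyone wiring an SSPI/NTLM login name into TWiki or any other application: treat the DOMAIN\user string as untrusted input to whatever pattern or query it ends up in, and either strip the domain at the boundary or escape the value before it is interpolated.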

NTLMBasicPreferred Off
NTLMOfferBasic On

seemed to work for me to make it offer basic to netscape users. Note that the netscape users have to enter their name as domain\username.

-- BobSmart - 05 Sep 2002

Mozilla 1.4 has NTLM authentication! http://mozilla.org/releases/mozilla1.4rc2/#new

-- MattWilkie - 20 Jun 2003

Matt - I got the same Unrecognized escape 'passed through before HERE' error that you did. Did you find a solution?

-- MartinCleaver - 16 Jul 2003

The unrecognised escape error is now fixed and the domain name is stripped from the login name. Still not working is the conversion from login name (aka username) to WikiName. See LoginNameAndNtlm.

Also fixed are the extremely long time lags. I dunno how this got fixed, too many things are different: new server, new office, new OS, new browsers, new everything. :P

No update on Fall back to Basic authentication: now that Mozilla can use NTLM and Netscape is officially dead it's not such a big issue. At some point I will go back and retry this so text only browsers like lynx will work but I have other things to solve first.

Am now using Apache-win32 2.0.47 and Cygwin-perl v5.8 on this install.

-- MattWilkie - 24 Jul 2003



added config details for Apache2 mod_auth_sspi. Some more refactoring would be useful

-- MattWilkie - 30 Jul 2003

Anyone got mod_ntlm working with mod_perl? I've managed to install the two modules, but when I go to save a page after editing, I get a 'You need to register page' with what looks like a http header at the top. If I then refresh the page, the save occurs successfully. Anyone got any ideas?

-- NathanReeves - 03 Oct 2003

Okay scratch the above problem. Take a look at ExtraneousLineInHttpHeader for a fix. Appears to raise its head when using mod_perl.

-- NathanReeves - 03 Oct 2003

Topic attachments

  • apache.conf (1.6 K, 2003-07-30) - matt's working apache2+sspi config
  • mod_ntlm-1.31.zip (23.4 K, 2004-06-15) - From www.gknw.net
Topic revision: r22 - 2008-03-12 - SeanCMorgan