Windows Install with mod_ntlm
There are two different Apache modules which use NTLM for authentication. The one this page is about, is for Apache runnning on a Windows server. The second is for Apache running on a unix server within a Windows domain. (NTLM auth module for Apache/Unix
Our intranet is Windows-based. I installed TWiki on the internal web server/file server/domain controller, which was running IIS. For the sake of buy-in, I set the edit scripts up to require NT authentication and left the view scripts unauthenticated. That way, everyone who was logged on to the domain (which is most people) would be automatically authenticated if they tried to edit, and anyone who wasn't had only to remember their domain login (and use IE or Mozilla 1.4+) to edit pages in TWiki.
The buy-in was beyond my expectations, but TWiki itself was barely limping along (see RcsOnW2K
). When people started getting serious about TWiki, I felt I had to get RCS
working. The only promising way to do that, in turn, was to switch from IIS to Apache and lose the NT authentication my users had come to expect.
That's where mod_ntlm comes in. I saw a reference to it somewhere here and tried to track it down. I set IIS to use a different port, then installed Apache, the cygwin utilites and TWiki (with a copy of my twiki data directories) according to the WindowsInstallCookbook
, added the module, and voila!
Apache is doing NT authentication better than IIS was - it's letting in an XP user who kept having to authenticate under IIS. I still have IIS running on port 8080, just in case someone wants it.
mod_ntlm (Apache 1.3x)
The Apache module
is available for both Unix systems and Windows. It allows Apache to authenticate users using NT authentication instead of, or in addition to, basic authentication. This helps to avoid ForgettingPasswords and GettingTheUsernameWrong, which are both quite common issues with TWiki installations. -- [ RD ]
I set mod_ntlm up on a Windows 2000 server and configured TWiki to use NT authentication only. I give detailed instructions on doing so below; alternately, one could figure it out using the information at the Syneapps site - http://www.syneapps.com/software/mod_ntlm/
, which includes a FAQ and a basic installation guide.
I used mod_ntlm version 1.3, Apache/1.3.24 (Win32), Windows 2000 Server, Cygwin RCS
, Cygwin Perl, and TWiki Production Release 01 Dec 2001. The mod_ntlm module itself requires at least Apache version 1.3.20 and Windows NT.
These instructions assume you have a working setup produced by WindowsInstallCookbook
- Download "mod_ntlm-1.3.zip" from http://www.gknw.net/development/apache/apache-1.3/win32/modules/
mod_ntlm-1.3/bin-1.3/mod_ntlm.so from the archive. You don't need any of the other files.
c:\Apache\conf\httpd.conf as follows:
- Restart Apache.
c:\twiki\bin\.htaccess as follows (example below):
- Leave the
Redirect commands, if any.
- Comment out the
AuthName lines (or remove them)
AuthType Basic to
- Add a line below that one that says
- Add a line below that one that says
That's it. If you want to change the authentication on the individual scripts, you don't need to repeat the AuthType
line, just change the
allow from all
, as desired. Keep in mind that NT authentication works only with IE on Windows, so it's probably wise to leave the view script unauthenticated.
This is what my bin/.htaccess file looks like, more or less:
Redirect /index.html http://my.domain.com/bin/view
The rest of the file is the same as distributed.
I didn't manage to add the basic authentication option, which allows you to use either kind of authentication. From what I read, you would have to set Apache to run as a user, then configure that user account in a certain way that was not adequately specified in the mod_ntlm FAQ. If anyone has done it, I'd like to hear how it went.
- 18 Apr 2002
Very interesting - I don't have access to an NT/Win2000 server, but it could still be useful to authenticate users of laptop TWikis. I've added a comment near the top.
- 21 Apr 2002
Following the above instructions on XP with cygwin 5.1 and Apache 1.3.x I was unable to restart my apache server.
Using net start or apache restart didn't generate any meaningful errors, but running the exe directly generated the following error:
Syntax error in line 194. Cannot load /c/Apache/modules/mod_ntlm.so (5) Access denied
This slightly misleading error was finally tracked down to file ownership and permissions. I simply used
chmod and chown to match the other files in the directory after running
cygwin's ls output often has a '+' (plus) at the end which is an attempt by Cygwin to indicate windows alc's - I matched all the ownership and permissions except
for the + and my apache started without a murmur.
- 03 Feb 2005
mod_auth_sspi (Apache 2.x)
This configuration is working for MattWilkie
, circa summer 2003:
- Cygwin as per the WindowsInstallCookbook (I'm using cygwin-perl 5.8 but there are some oddities I haven't tracked down; you may want to stick to 5.6)
- mod_auth_sspi from http://www.gknw.net/development/apache/httpd-2.0/win32/modules/ (see comments below for newer versions),
$apache-dir/cgi-bin. You don't need the rest of the files. Add the
LoadModule line to
httpd.conf as described in the
Include c:/twiki/etc/apache2.conf to the end of
my_cfg.txt from the mod_auth_sspi distribution archive as a model for
c:/twiki/etc/apache2.conf .A full verstion of mine is attached, relevant excerpt:
Allow from all
AuthName "Login using your DOMAIN username and password"
This setup requires all visitors be authenticated even for viewing. It works with IE5+ and Mozilla 1.4+. I haven't tried with any other browsers except lynx, which fails.
IE users don't have to login, TransparentAuthentication
To change the rendering of usernames from 'DOMAIN\jhsmith' to 'jhsmith', apply the ntlm-username.patch
(Along with this there is an "unrecognized escape" error in the Apache log. See LoginNameAndNtlm
for details. The patch fixes both.)
To change Users.jhsmith
into a hyperlink to the users personal preferences topic, apply the UseLoginNames
- 30 Jul 2003
mod_auth_sspi (> Apache 2.0)
I am using Apache 2.2.4 as provided by the Windows installer for TWiki 4.2, and it should be noted that (as of this writing) download the link provided above for mod_auth_sspi only supports Apache 2.0.
For newer versions of Apache, download "mod_auth_sspi-1.0.4-2.2.3-w32.zip" from the official site
. That name implies "Apache 1.0.4 to 2.2.3", but the module works on any Apache 2.2.x (reference
By the way, I was using mod_ntlm (Apache 1.3x / TWiki 4.1) until now, and mod_auth_sspi is much
faster. But I'm also using ActiveState
Perl instead of cygwin, so I don't know for sure where the speed-up came from.
- 12 Mar 2008
Older discusssion, refactoring fodder
I'm a quick learner, and after studying the TWiki perl code I could answer my question:) I had to change the username on the Main.TWikiUsers page to reflect the whole login name, SEEKER\David in my case. SSPI does work, and this is exactly what I wanted, no popup, no more password, only Windoz. Rulez.
See my installation on TWikiOnWindowsKnownConfigurations
- 04 May 2002
Yes, the incorrect username is something you need to watch out for. It usually happens when the users fill in what they think are their usernames (
) instead of the machine-qualified version (
), so they're not really registered under the NT name. If you force NT authentication on the registration page, then TWiki will fill in the correct username for them and you're guaranteed the right registration - but the only way I know of to do that is to authenticate the whole view script. I have people viewing from other browsers, though, so it's not practical for me to force NT authentication for view.
I'm curious - does SSPI do Basic Authentication with Apache running as LocalSystem
? I have some people using Linux and I'd like to be able to allow basic authentication for them.
- 06 May 2002
I've been able to get mod_auth_sspi
to work with Apache 2.0.39 (native win32, not Cygwin) but unable to get it to fall back to basic authentication if it fails. My .htaccess looks like:
## ---- mod_auth_sspi ----
AuthName "Local Intranet"
# set to 'off' to allow access control to be passed
# along to lower modules if the UserID is not known to
# this module. [from the source code]
## ---- end mod_auth_sspi ----
# The path here must be a file pathname, not a URL - first part should match
# the $dataDir setting in TWiki.cfg
with this block added further in so
doesn't need to be authenticated:
allow from all
SSPI works like a charm. There is quite a feeling of gratification to simply slap
and see your NT username at the bottom of the edit textarea, with no messy intervening prompts.
However there is a marked lag after hitting edit (or preview, or attach, or ...). I am assuming because of the time it takes to authenticate against the login server (about 5 kilometers away from me). There must be no cache. Presumably if the webserver was a domain controller there would be a lesser delay.
There are some errors in the apache error log, so perhaps the latency is from something else:
[Thu Jun 27 16:35:45 2002] [error] [client 18.104.22.168] \
[Fri Jun 28 00:35:45 2002] save: Unrecognized escape \m passed \
through before HERE mark in regex m/^Main.YNET\m << HERE hwilkie$/ \
at ../lib/TWiki/Access.pm line 177., referer: \
And of course it only works for IE. L:(
- 27 Jun 2002
seemed to work for me to make it offer basic to netscape users. Note that the netscape users have to enter their name as domain\username.
- 05 Sep 2002
Mozilla 1.4 has NTLM authentication! http://mozilla.org/releases/mozilla1.4rc2/#new
- 20 Jun 2003
Matt - I got the same Unrecognized escape 'passed through before HERE' error that you did. Did you find a solution?
- 16 Jul 2003
The unrecognised escape error is now fixed and the domain name is stripped from the login name. Still not working is the conversion from login name (aka username) to WikiName. See LoginNameAndNtlm
Also fixed are the extremely long time lags. I dunno how this got fixed, too many things are different: new server, new office, new OS, new browsers, new everything. :P
No update on Fall back to Basic authentication: now that Mozilla can use NTLM and Netscape is officially dead it's not such a big issue. At some point I will go back and retry this so text only browsers like lynx will work but I have other things to solve first.
Am now using Apache-win32 2.0.47 and Cygwin-perl v5.8 on this install.
- 24 Jul 2003
added config details for Apache2 mod_auth_sspi. Some more refactoring would be useful
- 30 Jul 2003
Anyone got mod_ntlm working with mod_perl? I've managed to install the two modules, but when I go to save a page after editing, I get a 'You need to register page' with what looks like a http header at the top. If I then refresh the page, the save occurs successfully. Anyone got any ideas?
- 03 Oct 2003
Okay scratch the above problem. Take a look at ExtraneousLineInHttpHeader
for a fix. Appears to raise it's head when using mod_perl.
- 03 Oct 2003