Topic: New 2.4 Win32 Module for Windows Authentication
neongrau



Joined: 24 Apr 2013
Posts: 8

Posted: Thu 04 Jul '13 14:23    Post subject: New 2.4 Win32 Module for Windows Authentication

Basically ported mod_auth_sspi for Apache 2.4 and added retry functionality if mistyped credentials were sent.

Sources at github:
https://github.com/YvesR/mod_authn_ntlm

Enjoy!
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

Posted: Thu 04 Jul '13 14:28

Thanks for contributing! I think you help a lot with it.

I added to the subject that it is for Win32 and placed a link on the Additional Download Page to this thread.

Looks like it is built with VC11, should not be an issue to use with Apache VC10.

Steffen

Good to place the Readme here too:

Apache 2.4 SSPI NTLM based authentication module for Windows
Inspired by mod_auth_sspi project from Tim Castello tjcostel@users.sourceforge.net

Using the module from Tim worked only on Apache versions <2.4.

In addition to that, if you mistyped your credentials, Apache responded with an "incorrect credentials" message and you needed to close the browser to retry. If you used Internet Explorer in the wrong domain, a login would fail as well.

This version works on Apache 2.4 using NTLM authentication and asks for correct credentials 3 times.

We needed that for our own use, and as many on the net were asking for a working version for Apache 2.4, we decided to share this project with the community.
black_harry



Joined: 22 Feb 2010
Posts: 15
Location: Germany, Stuttgart

Posted: Mon 13 Jan '14 13:59

Thanks for contributing - I gave it a try but encountered some problems. I wanted to share my experiences in case someone else has a similar requirement.

My config
Windows Server 2008 R2 x64:
Apache 2.4.7 x64 with mod_auth_ntlm (x64), both vc11 compiled.
Windows 7 x64:
Firefox 24.2 with IE-Tab 4.12.22.2

I set up the cgi-bin directory with an adjusted "printenv.pl" to serve the content with NTLM authentication - I used the settings from the example.

1. Connection problem
When connecting with Firefox + IE-Tab 4.12.22.2 the automatic authentication does not work. Sometimes the IE-Tab hangs at "Connecting...".

- If I restart the Apache service, the request is processed shortly before the service restart and the browser gets the result.
- If I reload the page, the browser shows the reloaded page but I get an entry in the error log:
    [mpm_winnt:warn] [pid 3720:tid 1048](OS 64)The specified network name is no longer available. : AH00341: winnt_accept: Asynchronous AcceptEx failed.

Using Apache 2.2 with mod_auth_sspi 1.0.4 or 1.0.5beta the automatic authentication works well.

The fix from the IE-Tab side does not help.
I do not know if the IE-Tab causes the problem or the mod_auth_ntlm. The only solution for me is to use Apache 2.2 until 2.4 can handle the mod_auth_ntlm authentication without page reload.

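Adjusted printenv.pl to serve content to IE and IE-Tab:
Code:
#!c:/Perl64/bin/Perl.exe
##
##  printenv -- demo CGI program which just prints its environment
##
use strict;
use warnings;
use CGI;

# HTML-escape everything before printing: QUERY_STRING, HTTP_* headers and
# POST parameters are client-controlled and the output is served as text/html.
sub esc {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    return $s;
}

print "Content-type: text/html\n\n";
print "<html><head></head><body><pre>\n";
foreach my $var (sort(keys(%ENV))) {
    my $val = $ENV{$var};
    $val =~ s|\n|\\n|g;   # show embedded newlines as \n
    $val =~ s|"|\\"|g;    # escape double quotes inside the quoted value
    print esc($var), "=\"", esc($val), "\"\n";
}
# For POST requests, also list the submitted form parameters.
if (($ENV{"REQUEST_METHOD"} // "") eq "POST") {
    my $cgi = CGI->new;
    my %param_list = $cgi->Vars;
    print "\nPost-Parameters:\n";
    for (sort keys %param_list) {
        print esc($_), "=", esc($param_list{$_}), "\n";
    }
}
print "</pre></body></html>\n";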


2. Configuration problem
The example shows an entry that does not work:
    require sspi-user EMEA\group_name

If I use a group name, I have to use the entry
    require sspi-group EMEA\group_name


Using more than 1 group I was unable to authenticate against the 2nd, 3rd and other following groups.

Due to the code the
    require valid-user

should be written as
    require valid-sspi-user

Both versions seem to work.
wm003



Joined: 24 Mar 2006
Posts: 88

Posted: Wed 15 Jan '14 11:35

Does this work with Kerberos (authtype negotiate) as well? (the old 2.2 sspi does)
philipT



Joined: 09 Apr 2014
Posts: 1
Location: UK, North Yorkshire

Posted: Thu 10 Apr '14 10:22

I have recently installed the mod_auth_ntlm module and have been using it but users are reporting a problem which is characterised by a POST of content length zero.

Looking on the web I have come across a post at

http://nosq.com/2008/fixing-mod_auth_sspi-and-ie-losing-post-data

which seems to detail the same problem describing it as "IE ... want(ing) to re-authenticate"

The code changes that have been suggested do not appear in your own module.

Are you aware of this issue and would incorporation of this code be appropriate?

Following the reading of the article I have set NTLMPerRequestAuth to "on" which seems to resolve the problem. I'm afraid I am struggling to understand both the problem and the solution.
neongrau



Joined: 24 Apr 2013
Posts: 8

Posted: Fri 20 Jun '14 14:19

philipT wrote:
Following the reading of the article I have set NTLMPerRequestAuth to "on" which seems to resolve the problem. I'm afraid I am struggling to understand both the problem and the solution.


I remember having the same problem a few years back.
While other browsers had no such issue, the only solution was to globally enable NTLMPerRequestAuth. Sadly this gave a performance hit, as each and every request was essentially tripled (initial request -> denied for auth, new auth request, handshake and final answer).

I later circumvented this by declaring only a specific location in the Apache config for NTLM auth.
Any other part of the site would run without it to minimize the overhead. The back end then handles authorization via session and only redirects the client to the NTLM auth when no proper user was present in the (server-side) session data.
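
The layout described in the post above, sketched as an Apache 2.4 configuration. This is an added example, not part of the original post or the module's own documentation; the paths /ntlm-login and /app are hypothetical, and the directives AuthType SSPI, NTLMAuth and NTLMAuthoritative are assumed from the module's README rather than taken from this thread.

```apache
# Added example: confine the NTLM handshake to a single location.
# /ntlm-login and /app are hypothetical paths.

# Only this location triggers NTLM authentication.
<Location "/ntlm-login">
    AuthName "Windows login"
    AuthType SSPI                 # assumed from the module README
    NTLMAuth On                   # assumed from the module README
    NTLMAuthoritative On          # assumed from the module README

    # The setting reported in this thread as resolving the zero-length
    # POST problem. Its per-request cost (challenge, handshake, answer)
    # now applies to this one URL instead of the whole site.
    NTLMPerRequestAuth On

    # Any authenticated Windows user; per the thread, "valid-user" also works.
    Require valid-sspi-user
    # To restrict to one group, use the form reported as working above:
    # Require sspi-group EMEA\group_name
</Location>

# The handler behind /ntlm-login reads REMOTE_USER, stores it in the
# server-side session, and redirects back into the application.

# The rest of the site carries no NTLM directives. The back end checks
# its own server-side session and redirects to /ntlm-login when no user
# is present. The session cookie now stands in for the Windows identity,
# so it should be set with the Secure and HttpOnly attributes.
<Location "/app">
    Require all granted
</Location>
```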
neongrau



Joined: 24 Apr 2013
Posts: 8

Posted: Fri 20 Jun '14 14:29

FYI: In case someone is still using the old Apache 2.2 SSPI module and is now having issues with Firefox 30+:

They disabled NTLM-v1 in Firefox 30+.

To re-enable it you have to manually change "network.negotiate-auth.allow-insecure-ntlm-v1" to "true" in "about:config" in Firefox.

The mod_authn_ntlm for Apache 2.4 does not use the old v1 protocol and will work with Firefox 30+. So now is a good time to switch.
dimagsv



Joined: 13 Aug 2014
Posts: 1
Location: Belarus, Minsk

Posted: Tue 19 Aug '14 14:11

Binary module is available for download here:
https://github.com/YvesR/mod_authn_ntlm/tree/master/bin

Other binaries (x86, x64, VC9, VC11) are available here:
http://www.apachehaus.com/cgi-bin/download.plx