neongrau
Joined: 24 Apr 2013 Posts: 8
|
Posted: Thu 04 Jul '13 14:23 Post subject: New 2.4 Win32 Module for Windows Authentication |
|
|
Basically ported mod_auth_sspi for Apache 2.4 and added retry functionality if mistyped credentials were sent.
Sources at github:
https://github.com/YvesR/mod_authn_ntlm
Enjoy! |
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Thu 04 Jul '13 14:28 Post subject: |
|
|
Thanks for contributing! I think you help a lot with it.
I added to the subject that it is for Win32 and placed a link on the Additional Download Page to this thread.
Looks like it is built with VC11, should not be an issue to use with Apache VC10.
Steffen
Good to place the Readme here too:
Apache 2.4 SSPI NTLM based authentication module for Windows
Inspired by mod_auth_sspi project from Tim Castello tjcostel@users.sourceforge.net
Using the module from Tim worked only on Apache versions <2.4.
In addition to that, if you mistyped your credentials, Apache responded with an "incorrect credentials" message and you needed to close the browser to retry. If you used Internet Explorer in the wrong domain, a login would fail as well.
This version works on Apache 2.4 using NTLM authentication and asks for correct credentials 3 times.
We needed that for our own use, and as many on the net were asking for a working version for Apache 2.4, we decided to share this project with the community. |
black_harry
Joined: 22 Feb 2010 Posts: 15 Location: Germany, Stuttgart
|
Posted: Mon 13 Jan '14 13:59 Post subject: |
|
|
Thanks for contributing - I gave it a try but encountered some problems. I wanted to share my experiences in case someone else has a similar requirement.
My config
Windows Server 2008 R2 x64:
Apache 2.4.7 x64 with mod_auth_ntlm (x64), both vc11 compiled.
Windows 7 x64:
Firefox 24.2 with IE-Tab 4.12.22.2
I set up the cgi-bin directory with an adjusted "printenv.pl" to serve the content with ntlm authentication - I used the settings from the example.
1. Connection problem
When connecting with Firefox + IE-Tab 4.12.22.2 the automatic authentication does not work. Sometimes the IE-Tab hangs at "Connecting...".
- If I restart the Apache service, the request is processed shortly before the service restart and the browser gets the result.
- If I reload the page the browser shows the reloaded page but I get an entry in the error-log:
[mpm_winnt:warn] [pid 3720:tid 1048](OS 64)The specified network name is no longer available. : AH00341: winnt_accept: Asynchronous AcceptEx failed.
Using Apache 2.2 with mod_auth_sspi 1.0.4 or 1.0.5beta the automatic authentication works well.
The fix from the IE-Tab side does not help.
I do not know if the IE-Tab causes the problem or the mod_auth_ntlm. The only solution for me is to use Apache 2.2 until 2.4 can handle the mod_auth_ntlm authentication without page reload.
Adjusted printenv.pl to serve content to IE and IE-Tab:
Code: |
#!c:/Perl64/bin/Perl.exe
##
##  printenv -- demo CGI program which just prints its environment
##
use strict;
use warnings;
use CGI qw(escapeHTML);

print "Content-type: text/html\n\n";
print "<html><head></head><body><pre>\n";
# The page is served as text/html, so every value is HTML-escaped before output.
foreach my $var (sort(keys(%ENV))) {
    my $val = $ENV{$var};
    $val =~ s|\n|\\n|g;
    $val =~ s|"|\\"|g;
    print escapeHTML("${var}=\"${val}\""), "\n";
}
# For POST requests, also list the submitted form parameters.
if (($ENV{"REQUEST_METHOD"} // "") eq "POST") {
    my $cgi = CGI->new;
    my %param_list = $cgi->Vars;
    print "\nPost-Parameters:\n";
    for (sort keys %param_list) {
        print escapeHTML("$_=$param_list{$_}"), "\n";
    }
}
print "</pre></body></html>\n";
|
2. Configuration problem
The example shows an entry that does not work:
require sspi-user EMEA\group_name
If I use a group name, I have to use the entry
require sspi-group EMEA\group_name
Using more than 1 group I was unable to authenticate against the 2nd, 3rd and other following groups.
Due to the code the
should be written as
Both versions seem to work. |
wm003
Joined: 24 Mar 2006 Posts: 88
|
Posted: Wed 15 Jan '14 11:35 Post subject: |
|
|
Does this work with Kerberos (authtype negotiate) as well? (the old 2.2 sspi does) |
philipT
Joined: 09 Apr 2014 Posts: 1 Location: UK, North Yorkshire
|
Posted: Thu 10 Apr '14 10:22 Post subject: |
|
|
I have recently installed the mod_auth_ntlm module and have been using it but users are reporting a problem which is characterised by a POST of content length zero.
Looking on the web I have come across a post at
http://nosq.com/2008/fixing-mod_auth_sspi-and-ie-losing-post-data
which seems to detail the same problem describing it as "IE ... want(ing) to re-authenticate"
The code changes that have been suggested do not appear in your own module.
Are you aware of this issue and would incorporation of this code be appropriate?
Following the reading of the article I have set NTLMPerRequestAuth to "on" which seems to resolve the problem. I'm afraid I am struggling to understand both the problem and the solution. |
neongrau
Joined: 24 Apr 2013 Posts: 8
|
Posted: Fri 20 Jun '14 14:19 Post subject: |
|
|
philipT wrote: | Following the reading of the article I have set NTLMPerRequestAuth to "on" which seems to resolve the problem. I'm afraid I am struggling to understand both the problem and the solution. |
I remember having the same problem a few years back.
While other browsers had no such issue, the only solution was to globally enable NTLMPerRequestAuth. Sadly, this gave a performance hit, as each and every request was essentially tripled (initial request -> denied for auth, new auth request, handshake and final answer).
I later circumvented this by declaring only a specific location in the Apache config for NTLM auth.
Any other part of the site would run without it to minimize the overhead. The back end then handles authorization via session and only redirects the client to the NTLM auth when no proper user was present in the (server-side) session data. |
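The session hand-off described in the post above, sketched as an added example that is not part of the thread or of mod_authn_ntlm. It assumes a Python WSGI back end, a hypothetical `/ntlm-login` path as the only NTLM-protected Location, a cookie named `sid`, and that Apache exposes the authenticated account to the back end as `REMOTE_USER`.

```python
import secrets
from urllib.parse import parse_qs, quote

NTLM_LOGIN = "/ntlm-login"   # assumed path: the only Location with NTLM auth in Apache
SESSIONS = {}                # server-side session store: session id -> user name

def safe_next(value):
    # Accept only printable same-site paths, so the login hop cannot be turned
    # into an open redirect or used to smuggle CR/LF into the Location header.
    ok = (value.startswith("/") and not value.startswith("//")
          and "\\" not in value and value.isascii() and value.isprintable())
    return value if ok else "/"

def session_user(environ):
    # Look up the user bound to the "sid" cookie, if any.
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return SESSIONS.get(value)
    return None

def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    if path == NTLM_LOGIN:
        # REMOTE_USER is set by the web server after the NTLM handshake. A header
        # sent by the client arrives as HTTP_* and is never consulted here.
        user = environ.get("REMOTE_USER")
        if not user:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"NTLM authentication required\n"]
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = user
        query = parse_qs(environ.get("QUERY_STRING", ""))
        target = safe_next(query.get("next", ["/"])[0])
        start_response("302 Found", [
            ("Location", target),
            ("Set-Cookie", f"sid={sid}; HttpOnly; SameSite=Lax; Path=/"),
        ])
        return [b""]
    user = session_user(environ)
    if user is None:
        # No user in the session yet: send the client through NTLM exactly once.
        location = f"{NTLM_LOGIN}?next={quote(path, safe='/')}"
        start_response("302 Found", [("Location", location)])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {user}\n".encode()]
```

Only requests to the login path pay the NTLM round trips; every other request is authorized from the server-side session.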
neongrau
Joined: 24 Apr 2013 Posts: 8
|
Posted: Fri 20 Jun '14 14:29 Post subject: |
|
|
FYI: In case someone is still using the old Apache 2.2 SSPI module and is now having issues with Firefox 30+:
They disabled NTLM-v1 in Firefox 30+.
To re-enable you have to manually change "network.negotiate-auth.allow-insecure-ntlm-v1" to "true" in "about:config" in Firefox.
The mod_authn_ntlm for Apache 2.4 does not use the old v1 protocol and will work with Firefox 30+. So now is a good time to switch |
dimagsv
Joined: 13 Aug 2014 Posts: 1 Location: Belarus, Minsk