mod_ntlm2 on Apache 2.2.x

Development of the NTLM plugin for Apache (NTLM being Microsoft's proprietary protocol for connecting with Active Directory and allowing Single Sign-On through IIS and Internet Explorer) has pretty much stalled since 2004. A few minor updates have been made by Michael Chai, and although they seem to work fine with Apache 2.0.x (haven't tested though), the same cannot be said about Apache 2.2.x.

It took me a while to make it compile, and I had to fix some problems with the code so it works with Apache 2.2 (namely, replacing some deprecated apr_pool_sub_make() calls with apr_pool_create_ex()).

So, if you need to install mod_ntlm2 on Apache 2.2, here's the detailed guide.

First, start by downloading my patched version of the latest mod_ntlm2. I will not continue updating it, so if a major update shows up this package might be outdated. For the time being it should work fine (mod_ntlm shows no signs of resurrection whatsoever).

Depending on your Linux distribution, the following may vary. apache2-prefork-dev and gcc-3.4 are the tools required for compiling it. On Debian/Ubuntu you can easily install them with:

CODE:
  $ sudo apt-get update
  $ sudo apt-get -y install apache2-prefork-dev gcc-3.4

Now, let's temporarily change the default compiler to gcc 3.4:

CODE:
  # /usr/bin/gcc is replaced by a symlink to gcc-3.4; it is restored in the last step
  $ sudo ln -fs /usr/bin/gcc-3.4 /usr/bin/gcc

Now you should be able to compile the module with:

CODE:
  # -c compiles, -i installs the .so into the Apache modules directory, -a adds it to httpd.conf
  $ sudo apxs2 -i -a -c mod_ntlm.c

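Finally, run the following commands:

CODE:
  $ sudo make clean
  # "sudo echo ... > file" would perform the redirect as the unprivileged user, so write the file through tee
  $ echo "LoadModule ntlm_module /usr/lib/apache2/modules/mod_ntlm.so" | sudo tee /etc/apache2/mods-available/ntlm.load > /dev/null
  $ sudo a2enmod ntlm
  $ sudo mv /etc/apache2/httpd.conf /etc/apache2/httpd.conf.old
  $ sudo touch /etc/apache2/httpd.conf
  $ sudo /etc/init.d/apache2 force-reload
  # point /usr/bin/gcc back at the compiler it linked to before (gcc-4.0 here; use your system's version)
  $ sudo ln -fs /usr/bin/gcc-4.0 /usr/bin/gcc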

It should be working now!


17 Responses to “mod_ntlm2 on Apache 2.2.x”

  1. FoREE
    Published at May 18th, 2007 at 11:37 pm

    Thanks for your modified script. You saved my day. :)

  2. bl4z4
    Published at July 17th, 2007 at 12:56 pm

    Thanks, good work.

  3. Lessan
    Published at July 18th, 2007 at 4:57 pm

    Wow, this is great! Thanks for the comprehensive instructions.

  4. svenso
    Published at February 11th, 2008 at 11:58 am

    Great, worked on the first try.

  5. Jonathan Tapicer
    Published at May 23rd, 2008 at 6:21 pm

    Important note: to make this module work on Apache 2.2 on CentOS 5.1 we had to change the default option of “KeepAlive Off” to “KeepAlive On” in httpd.conf; without it the authentication won’t work, for no apparent reason (and with no log in the error_log). On Ubuntu it is turned On by default.
    Great work, it’s the only module for Linux+Apache 2.2 that we could successfully implement.

  6. Ashwin
    Published at June 19th, 2008 at 8:06 pm

    This is great work! Thanks!
    I am having some trouble getting it to work with IE7. The browser seems to try twice (I saw this using Wireshark), then it prompts for the username and password.
    It goes through fine after I enter them.
    On Firefox, it works correctly without prompting me for a password.
    There is something amiss, as IE7/Firefox have no trouble talking to the SharePoint server.
    Any thoughts?

    Thanks!

  7. John Fugazi
    Published at June 23rd, 2008 at 4:35 pm

    Thanks, this worked great. I had one problem, though. When I used this authentication, it was not putting the user info in the header. I used this for SSO on Plone. I resolved the problem and it works great.

    What I did was edit “mod_ntlm.c”. Every instance in the file that had “r->proxyreq”, I replaced with “r->proxyreq && 0”.

    If this is OK with you, can you modify your code one more time so others can use it?

  8. Philip
    Published at September 26th, 2008 at 3:39 pm

    Installed the module and it works great. I noticed on the logs that there are 2 401 401 for every request. We set the keepalive on but are a bit concerned about the traffic. Any thoughts as to why this is happening?

  9. mbo
    Published at January 21st, 2009 at 3:10 pm

    Nice,
    thanks a lot

  10. Ayotunde Itayemi
    Published at February 20th, 2009 at 12:59 am

    Hi, I can’t seem to get a clean compile on an x86-64 server. Lots of warnings about casting etc. I also seem to be getting lots of errors similar to those listed below. Any ideas? Also, my Linux server name has a domain name that’s different from my AD domain name. It seems this may also cause an issue. I have been trying to hack the code and hardcode an FQDN for my Linux server that contains the same domain name as my AD name, especially in function RFCNB_Session_Req.
    Should I pad the name to 31xters or 32xters? Thanks.
    [Thu Feb 19 23:53:22 2009] [error] 1734 - SMB_Logon_Server: SMB_SessSetupAndX failed; errorclass = 1, Error Code = 5\n
    [Thu Feb 19 23:53:22 2009] [error] [client 172.16.101.35] 445850776 1734 /nagiosql3/ - NTLM/SMB user “(null)”: authentication failure for “/nagiosql3/”
    [Thu Feb 19 23:53:23 2009] [error] 1734 - SMB_Logon_Server: SMB_SessSetupAndX failed; errorclass = 1, Error Code = 5\n

  11. Cheeky Monkey
    Published at March 18th, 2009 at 3:49 pm

    Philip

    re:
    “Installed the module and it works great. I noticed on the logs that there are 2 401 401 for every request. We set the keepalive on but are a bit concerned about the traffic. Any thoughts as to why this is happening?”

    I’m seeing the same behaviour, i.e. NTLM authentication is working fine for me (Apache 2.0.54, using the Michael Chai NTLM build) but I’m seeing two HTTP 401 responses for every HTTP 200 response in my Apache access.log file.

    Did you ever bottom out why this happens?

  12. Kris
    Published at April 20th, 2009 at 7:02 am

    2 x HTTP 401 in the logs is normal. That’s expected behaviour, since Apache will ask 2 times for your NTLM header before it receives everything it needs, hence the 2 lots of 401 requests.
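
The behaviour described in comments 5 and 12 above (KeepAlive must be On; two 401 responses precede each 200), as an added example that is not part of the original post or of mod_ntlm: a simplified Python model in which the server remembers its NTLM challenge per TCP connection. The `Server` class, the `browse` helper and the zero-padded sample messages are constructed for illustration; only the `NTLMSSP\0` signature and the little-endian message-type field at offset 8 follow the real message layout.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"   # every NTLM message starts with this


def ntlm_type(header_value):
    """Return the NTLM message type (1, 2 or 3) carried in an
    Authorization / WWW-Authenticate value, or None if there is none."""
    scheme, _, blob = (header_value or "").partition(" ")
    if scheme != "NTLM" or not blob:
        return None
    raw = base64.b64decode(blob)
    if len(raw) < 12 or not raw.startswith(SIGNATURE):
        return None
    return struct.unpack_from("<I", raw, 8)[0]


def make_msg(msg_type):
    # Constructed sample: signature + type + zero padding, not a real token.
    body = SIGNATURE + struct.pack("<I", msg_type) + b"\x00" * 20
    return "NTLM " + base64.b64encode(body).decode()


class Server:
    """Simplified model: the challenge is remembered per TCP connection."""

    def __init__(self):
        self.challenged = set()   # connection ids that were sent a Type 2

    def handle(self, conn_id, authorization=None):
        kind = ntlm_type(authorization)
        if kind == 1:                      # Type 1 (negotiate): second 401
            self.challenged.add(conn_id)
            return 401, make_msg(2)        # carries the Type 2 challenge
        if kind == 3 and conn_id in self.challenged:
            return 200, None               # Type 3 answers our challenge
        return 401, "NTLM"                 # no usable state: start over


def browse(keepalive):
    """Replay the client's three requests; return the status codes logged."""
    server, statuses = Server(), []
    for n, auth in enumerate([None, make_msg(1), make_msg(3)]):
        conn_id = 0 if keepalive else n    # KeepAlive Off: new connection each time
        status, _ = server.handle(conn_id, authorization=auth)
        statuses.append(status)
    return statuses
```

`browse(True)` yields `[401, 401, 200]`, the pattern seen in the access log; `browse(False)` never reaches 200 because the Type 3 message arrives on a connection that was never challenged.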

  13. Luis
    Published at April 22nd, 2009 at 8:42 pm

    Thanks! It worked fine! But when testing in Firefox or Safari, I’m getting a request for a password for each file included in the page, such as images or CSS. Any help?

  14. Fred
    Published at May 23rd, 2009 at 10:20 pm

    Thanks, Mario, ntlm was broken after a system upgrade from Dapper Drake to Hardy… Worked fine. However, be careful with

    sudo ln -fs /usr/bin/gcc-4.0 /usr/bin/gcc

    it was 4.3 on my system…

  15. Fred
    Published at May 23rd, 2009 at 10:22 pm

    @Luis: (if you didn’t find yet)

    Configuration CAN be changed to enable automatic NTLM authentication — leaving out the login dialog. To set this, follow this guidance:

    Insert about:config in the browser’s address bar. The list of configuration parameters is displayed.

    Set the corresponding configuration parameter(s) using the following instructions:

    For direct connection (proxy server is not set in the browser):

    Mozilla : under about:config, write “.mydomain.com” (WITH the 1st period) in network.automatic-ntlm-auth.trusted-uris, network.negotiate-auth.delegation-uris, network.negotiate-auth.trusted-uris.

    Note: It is not possible to use an IP address as a value in this parameter!

  16. Phil
    Published at September 17th, 2009 at 10:02 am

    Hello,
    I’m using the libapache2-authenntlm-perl 0.02. Does libApache2-mod-perl2 replace it? Is it necessary to uninstall it?

    Thanks

  17. Nisses
    Published at November 3rd, 2009 at 5:42 pm

    Has anybody managed to get this working on SuSE 10.2?

    I ask because I cannot seem to find the apache2-prefork-dev package for SuSE.
