mod_authn_ntlm's Issues

Could you please tag releases

I wish you would tag releases after fixing bugs or whatever. I have a nice little gizmo that monitors releases, not single commits, after 10 months. At which point, 4 months later, I get a user coming to me asking for a new release of the module. I'd have known back in 01/2017 if you had made a release and would not have had to wait till one of my users asked.

I do not use this module myself but it would surely help me out (Apache Haus).
Call what's here now 1.0.8 (since 1.0.7 was back in march 2016 and I released it as such), update the .rc and tag.

Thanks in advance.

documentation issues

  • please add a notice pointing to https://support.microsoft.com/en-us/kb/896861 for local NTLM authentication
  • replace the REMOTE_USER rewrites (conf/httpd.conf, INSTALL.txt) and instead use the following, to prevent trouble with Apache phases; the rewrites will cause trouble e.g. on local NTLM
    RequestHeader set X-Remote-User expr=%{REMOTE_USER}

LDAPS ?

I've noticed recently that authenticating can take a super-long time. It's pretty bad right now.

We believe our IT department has changed something; specifically, we may be required to use LDAPS moving forward. Can this module support LDAPS?

Is there a way to point to a specific domain controller if needed?

Is there a way to troubleshoot why this module is "acting slowly"?

I don't expect an answer, but if you can point me in a direction, I can continue researching.

Thank you.

Works but only with IP address

Good morning

It works in my Apache under Windows, but only with IP addresses. With domain names it shows only the user connected to
the server.

Thanks in advance

Best regards

Readme file typos

In the read me there is

LoadModule ldap_module modules/mod_ldap.s
LoadModule rewrite_module modules/mod_rewrite.s

each time the file extension is .so, not only .s

Exclude subfolder auth

Hello,
I need to disable auth for a subfolder (an external application writes to the folder via a POST request). I tried this, but it returns 401. Can you help me? Thank you

RequestHeader unset X_ISRW_PROXY_AUTH_USER
<Location /app >
    #AllowOverride None
    AuthName "Private location"
    AuthType SSPI
    NTLMAuth On
    NTLMUsernameCase lower
    NTLMOmitDomain On
    NTLMAuthoritative Off
    <RequireAll>
        <RequireAny>
            Require valid-user
            #require sspi-user EMEA\group_name
        </RequireAny>
        <RequireNone>
            Require user "ANONYMOUS LOGON"
            Require user "NT-AUTORIT\ANONYMOUS-ANMELDUNG"
        </RequireNone>
    </RequireAll>
    # use this to add the authenticated username to you header
    # so any backend system can fetch the current user
    # rewrite_module needs to be loaded then
    # while X_ISRW_PROXY_AUTH_USER is your header name
    RequestHeader set X_ISRW_PROXY_AUTH_USER expr=%{REMOTE_USER}
</Location>

<Location /app/withouth_auth >
Require all granted
Satisfy any
Allow from All
</Location>

POST redirections not authenticated or not accomplish requirements

I have a problem when using Drupal with mod_authn_ntlm. There are some requests that cannot be completed properly. When loading a web page almost all the requests are served (they are served with the GET method), but there are a few POST requests and they fail. The Apache log says the user does not meet the requirements. However, all the other requests were granted.

As user I receive the following errors in Apache:
[Tue Apr 07 10:08:37.229231 2020] [authz_user:debug] [pid 18540:tid 1644] mod_authz_user.c(77): [client ::1:49909] AH01663: access to /intraceh/index.php/es/history/36/read failed, reason: user 'CEDEXINT\rhsantos' does not meet 'require'ments for user to be allowed access, referer: http://localhost:9090/intraceh/index.php/es/FlujoContratoMenor

Debugging with Google Chrome, it says it is a POST request. When I launch the same request directly through Chrome it is a GET request and it is properly shown (just a number). Here is the object that fails to download:
Request URL: http://ceh-pxi-05.interno.cedex.es:9090/intraceh/es/history/36/read
Request Method: POST
Status Code: 401 Unauthorized
Remote Address: XXX.xxx.XXX.xxx:9090
Referrer Policy: no-referrer-when-downgrade

Thanks for the help!
Regards, Ricardo

Authentication will fail open the page on the server itself with different url

@community: I did not figure out what is wrong, so maybe someone knows why and can help.

Example:

  • Server has name "Webserver"
  • httpd.conf contains server name "Webserver"
  • the virtual host entry has a different url => e.g. mysite.mydomain.com
  • the module is used to authenticate the page

If you call the page with mysite.mydomain.com from a client, all is fine. IE / Chrome use SSO, and on other machines, e.g. on macOS, a user credentials window pops up; after it accepts the correct credentials the user is logged on.

Now the issue:

If you open a browser on the server where Apache is running and call the URL mysite.mydomain.com the authentication fails.


Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.


If you open a browser on the server and use the server name like http://webserver/ the authentication works.

This is frustrating when you log on the server as Administrator and try to open the page itself.

Sample Config Error

the commented out group line in the sample config shows

#require sspi-user EMEA\group_name

but it should be

#require sspi-group EMEA\group_name

Nothing major, it just caught me out; maybe have two lines, one for sspi-group and one for sspi-user.

AppVeyor automatic build

Hi, I have worked to create the AppVeyor automatic build script.

For the moment I have learned how to handle CMake to create the different versions and I have managed to compile a Release correctly.

The idea is that the script builds the x86 / x64 versions in both Debug and Release mode.

Regards

Linux

Can this be compiled on Ubuntu?

No access to $_SERVER['REMOTE_USER']

I am using the Laragon WAMP server from https://laragon.org/ which uses Apache/2.4.27 (Win64).

Firstly, downloading the zip from the github repo here (both branches i.e. master and stable-1.0-32/64bit and the tagged version v1.0) caused the following error when running Apache:

[image]

Please note that I followed the instructions in the readme for each case and it resulted in the same error message.

So I ended up downloading the software from here: https://www.apachehaus.com/cgi-bin/download.plx and no longer experienced the error when running Apache.

Secondly, after getting the module to run successfully I can now see it displayed on a page displaying php_info(), however, I have no access to $_SERVER['REMOTE_USER'].

I am using the following configuration in my virtual host:

<VirtualHost *:8000> 
  DocumentRoot "E:/laragon/www/authtest/"
  ServerName authtest.dev
  ServerAlias *.authtest.dev

  <Location /authenticate >
    #AllowOverride None
    AuthName "Private location"
    AuthType SSPI
    NTLMAuth On
    NTLMAuthoritative On
    <RequireAll>
      <RequireAny>
        Require valid-user
        #require sspi-user EMEA\group_name
      </RequireAny>
      <RequireNone>
        Require user "ANONYMOUS LOGON"
        Require user "NT-AUTORITÄT\ANONYMOUS-ANMELDUNG"
      </RequireNone>
    </RequireAll>
    # use this to add the authenticated username to you header
    # so any backend system can fetch the current user
    # rewrite_module needs to be loaded then
    # while X_ISRW_PROXY_AUTH_USER is your header name
    RequestHeader set X_ISRW_PROXY_AUTH_USER expr=%{REMOTE_USER}
  </Location>
</VirtualHost>

Can anyone advise what I should be doing differently to get access to $_SERVER['REMOTE_USER'] from PHP?

Thank you and a huge thanks for maintaining this software!

Cannot authenticate with PUT

Hello Yves,

GET works fine. The NTLM handshake completes on the same socket connection.

With PUT, however, the socket is closed with each challenge (Connection: close response header is sent).

On Apache, KeepAlive is not specified (default is on) and KeepAliveTimeout is set to 60 seconds (for debugging purposes).

Is this a known issue? Is it possible to get this to work?

Thanks,
Charlie

New feature request => sspi-group AND sspi-user

Hi!

First let me thank you for your work! the module is working fine and has helped me setup SSO.

I'm using the following setting:
require sspi-group DOMAIN\usergroup1 DOMAIN\usergroup2 DOMAIN\user1

Since some user are not yet in a group, I have to add them manually.
I tried to use the below settings (which makes more sense):
require sspi-user DOMAIN\user1
require sspi-group DOMAIN\usergroup1 DOMAIN\usergroup2

I get an "inconsistent SSPI record" error.

Would it be possible to update mod_ntlm_authorization.c so it can process successfully below settings:
require sspi-user DOMAIN\user1 DOMAIN\user2
require sspi-group DOMAIN\usergroup1
require sspi-group DOMAIN\usergroup2

Thanks !

Do I need to configure the DC address?

I used a module called mod_ntlm on Apache several years ago. This module allows domain users to avoid entering the username and password, but it needs the address of the DC (domain controller) to be configured. Does this project need the address of the DC to be configured?

Timeout configuration

Hello,

is it possible to configure a timeout? Just had the case that a NTLM service was hanging "forever".

Version in source vs release number

In the source code there is

#define MOD_NTLM_VERSION_MAJOR 1
#define MOD_NTLM_VERSION_MID 0
#define MOD_NTLM_VERSION_MINOR 7

while the last release on github is 1.0.2

What is the correct number?

mod_authn_ntlm.so ECF Header invalid

I have my config made with a Dockerfile, and I copy the .so file to the modules folder, but when I generate my container my config with the LoadModule doesn't work.
In the logs and on the server I find my file modules/mod_authn_ntlm.so, but I get this error message: "modules/mod_authn_ntlm.so ECF Header invalid"

I have apache 2.4, Debian.
Do you have any ideas ?

Misleading HTTP-Behaviour: 401 instead of 403

Hello Guys!

I want to use your NTLM module to authorize users which are part of a certain group to access several resources. To accomplish that, somewhere in the Apache configuration I wrote a line which looks something like that:

require sspi-group "myDomain\myGroup"

That setting works pretty well if I am part of myGroup. However, if I am not in that group, the browser (FF 78) asks for my login credentials. If I provide them correctly, the browser keeps asking 2 or 3 times. That is weird, because I expected a 403 Forbidden page, as MDN says, instead of another 401. Additionally, I think the server should only send a WWW-Authenticate header in case of a failed authentication, but not in case of a missing authorization.

I tried to figure out myself what causes that problem. In your source code I found a function called common_deny_actions, which is called in every authorization handler (e.g. sspi_group_check_authorization). At its end, it calls note_sspi_auth_failure. In my opinion, that is a mistake, because note_sspi_auth_failure seems to initiate another authorization flow which means it will send another 401 instead of 403.

Unfortunately I am neither an Apache nor a HTTP expert, so I am not sure about all that stuff. To me, that behaviour seems to break the HTTP specification and will confuse users, because they cannot recognize if they provided wrong login credentials or if they are not allowed to access a specific resource. If you agree with my opinion, I would appreciate if you could fix that.

Thanks!

Inconsistent SSPI record with several sspi-groups

I have this config, and try to authenticate a user that is a member of GROUP2

  <Location / >
    #Order allow,deny
    #Allow from all
    AllowOverride None
    AuthName "Private location"
    AuthType SSPI
    NTLMAuth On
    NTLMAuthoritative On
    <RequireAny>
        require sspi-group "DOMAIN\GROUP1"
        require sspi-group "DOMAIN\GROUP2"
    </RequireAny>
  </Location>

This fails with inconsistent SSPI record

[auth_ntlm:debug] mod_ntlm_authorization.c(107): SSPI00005: Access to / failed, reason: No user authenticated
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP1": denied (no authenticated user yet)
[auth_ntlm:debug] mod_ntlm_authorization.c(107): SSPI00005: Access to / failed, reason: No user authenticated
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP2": denied (no authenticated user yet)
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[auth_ntlm:debug] mod_ntlm_authentication.c(535): SSPI00001: Entering authenticate_sspi_user()
[auth_ntlm:debug] mod_ntlm_authorization.c(107): SSPI00005: Access to / failed, reason: No user authenticated
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP1": denied (no authenticated user yet)
[auth_ntlm:debug] mod_ntlm_authorization.c(107): SSPI00005: Access to / failed, reason: No user authenticated
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP2": denied (no authenticated user yet)
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[auth_ntlm:debug] mod_ntlm_authentication.c(535): SSPI00001: Entering authenticate_sspi_user()
[auth_ntlm:debug] mod_ntlm_authorization.c(107): SSPI00005: Access to / failed, reason: No user authenticated
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP1": denied (no authenticated user yet)
[auth_ntlm:debug] mod_ntlm_authorization.c(107): SSPI00005: Access to / failed, reason: No user authenticated
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP2": denied (no authenticated user yet)
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[auth_ntlm:debug] mod_ntlm_authentication.c(535): SSPI00001: Entering authenticate_sspi_user()
[auth_ntlm:debug] mod_ntlm_authentication.c(653): SSPI00009: Authenticated user: DOMAIN\\USER
[auth_ntlm:error] SSPI00003: access to / failed, reason: user 'DOMAIN\\USER' does not meet 'require'ments for user to be allowed access
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP1": denied
[auth_ntlm:debug] mod_ntlm_authorization.c(124): SSPI00006: Access to / failed, reason: inconsistent SSPI record
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP2": denied
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of <RequireAny>: denied
[authz_core:error] AH01631: user DOMAIN\\USER: authorization failure for "/": 

If I reverse the groups, it works.

    <RequireAny>
        require sspi-group "DOMAIN\GROUP2"
        require sspi-group "DOMAIN\GROUP1"
    </RequireAny>
[auth_ntlm:debug] mod_ntlm_authorization.c(107): SSPI00005: Access to / failed, reason: No user authenticated
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP2": denied (no authenticated user yet)
[auth_ntlm:debug] mod_ntlm_authorization.c(107): SSPI00005: Access to / failed, reason: No user authenticated
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP1": denied (no authenticated user yet)
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[auth_ntlm:debug] mod_ntlm_authentication.c(535): SSPI00001: Entering authenticate_sspi_user()
[auth_ntlm:debug] mod_ntlm_authorization.c(107): SSPI00005: Access to / failed, reason: No user authenticated
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP2": denied (no authenticated user yet)
[auth_ntlm:debug] mod_ntlm_authorization.c(107): SSPI00005: Access to / failed, reason: No user authenticated
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP1": denied (no authenticated user yet)
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[auth_ntlm:debug] mod_ntlm_authentication.c(535): SSPI00001: Entering authenticate_sspi_user()
[auth_ntlm:debug] mod_ntlm_authorization.c(107): SSPI00005: Access to / failed, reason: No user authenticated
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP2": denied (no authenticated user yet)
[auth_ntlm:debug] mod_ntlm_authorization.c(107): SSPI00005: Access to / failed, reason: No user authenticated
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP1": denied (no authenticated user yet)
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[auth_ntlm:debug] mod_ntlm_authentication.c(535): SSPI00001: Entering authenticate_sspi_user()
[auth_ntlm:debug] mod_ntlm_authentication.c(653): SSPI00009: Authenticated user: DOMAIN\\USER
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP2": granted
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of <RequireAny>: granted
[auth_ntlm:debug] mod_ntlm_authorization.c(107): SSPI00005: Access to /index.html failed, reason: No user authenticated
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP2": denied (no authenticated user yet)
[auth_ntlm:debug] mod_ntlm_authorization.c(107): SSPI00005: Access to /index.html failed, reason: No user authenticated
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP1": denied (no authenticated user yet)
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[auth_ntlm:debug] mod_ntlm_authentication.c(535): SSPI00001: Entering authenticate_sspi_user()
[auth_ntlm:debug] mod_ntlm_authentication.c(653): SSPI00009: Authenticated user: DOMAIN\\USER
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP2": granted
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of <RequireAny>: granted

I have figured out that removing cleanup_sspi_connection in common_deny_actions makes things work. But I am not sure if this is the correct approach.

diff --git a/src/mod_ntlm_authorization.c b/src/mod_ntlm_authorization.c
index 66c5ec7..d8c3a3f 100644
--- a/src/mod_ntlm_authorization.c
+++ b/src/mod_ntlm_authorization.c
@@ -142,7 +142,10 @@ static void common_deny_actions (request_rec *r,
       it doesnot make sense to continue with the connection. This could mean
        that the current request is the main request itself   */
     if (r->main == NULL) {
-        cleanup_sspi_connection(scr);
+        //cleanup_sspi_connection(scr);
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, SSPILOGNO(00010) "r->main is null");
+    } else {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, SSPILOGNO(00011) "r->main is not null");
     }

    /* error logs */
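Review bot: Commenting out cleanup_sspi_connection(scr) in the r->main == NULL branch removes the cleanup from every denied main request rather than fixing its timing, which is the doubt the poster already raises; the traces above show the real problem is that common_deny_actions runs as soon as the first Require inside <RequireAny> is denied, before authz_core has reached its final verdict, so the cleanup should be deferred to the point where the whole <RequireAny> / <RequireAll> result is known rather than deleted, and the commented-out call should be removed instead of left as dead code. Also, the hunk logs its two new messages at APLOG_DEBUG with SSPILOGNO(00010) and SSPILOGNO(00011), yet the trace below shows both as [auth_ntlm:error] SSPI01003, so the pasted diff is not exactly what produced that log.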
[auth_ntlm:debug] mod_ntlm_authorization.c(107): SSPI00005: Access to / failed, reason: No user authenticated
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP1": denied (no authenticated user yet)
[auth_ntlm:debug] mod_ntlm_authorization.c(107): SSPI00005: Access to / failed, reason: No user authenticated
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP2": denied (no authenticated user yet)
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[auth_ntlm:debug] mod_ntlm_authentication.c(535): SSPI00001: Entering authenticate_sspi_user()
[auth_ntlm:debug] mod_ntlm_authorization.c(107): SSPI00005: Access to / failed, reason: No user authenticated
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP1": denied (no authenticated user yet)
[auth_ntlm:debug] mod_ntlm_authorization.c(107): SSPI00005: Access to / failed, reason: No user authenticated
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP2": denied (no authenticated user yet)
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[auth_ntlm:debug] mod_ntlm_authentication.c(535): SSPI00001: Entering authenticate_sspi_user()
[auth_ntlm:debug] mod_ntlm_authorization.c(107): SSPI00005: Access to / failed, reason: No user authenticated
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP1": denied (no authenticated user yet)
[auth_ntlm:debug] mod_ntlm_authorization.c(107): SSPI00005: Access to / failed, reason: No user authenticated
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP2": denied (no authenticated user yet)
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[auth_ntlm:debug] mod_ntlm_authentication.c(535): SSPI00001: Entering authenticate_sspi_user()
[auth_ntlm:debug] mod_ntlm_authentication.c(653): SSPI00009: Authenticated user: DOMAIN\\USER
[auth_ntlm:error] SSPI01003: r->main is null
[auth_ntlm:error] SSPI00003: access to / failed, reason: user 'DOMAIN\\USER' does not meet 'require'ments for user to be allowed access
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP1": denied
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP2": granted
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of <RequireAny>: granted
[auth_ntlm:debug] mod_ntlm_authorization.c(107): SSPI00005: Access to /index.html failed, reason: No user authenticated
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP1": denied (no authenticated user yet)
[auth_ntlm:debug] mod_ntlm_authorization.c(107): SSPI00005: Access to /index.html failed, reason: No user authenticated
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP2": denied (no authenticated user yet)
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[auth_ntlm:debug] mod_ntlm_authentication.c(535): SSPI00001: Entering authenticate_sspi_user()
[auth_ntlm:debug] mod_ntlm_authentication.c(653): SSPI00009: Authenticated user: DOMAIN\\USER
[auth_ntlm:error] SSPI01003: r->main is not null
[auth_ntlm:error] SSPI00003: access to /index.html failed, reason: user 'DOMAIN\\USER' does not meet 'require'ments for user to be allowed access
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP1": denied
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP2": granted
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of <RequireAny>: granted
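A log-side check for the behaviour this thread describes, added here as an example and not part of the issue or of the project's code: it scans Apache error-log lines and reports every request in which, after a user was authenticated, a Require was denied and a later Require in the same request then failed with "inconsistent SSPI record" instead of being evaluated on its own. The sample lines are copied from the traces above; the regexes assume the log wording shown there.

```python
import re

# Patterns for the auth_ntlm / authz_core debug lines that matter.
# Wording taken from the traces in this thread (assumption: unchanged elsewhere).
RE_ENTER = re.compile(r"Entering authenticate_sspi_user\(\)")
RE_AUTHED = re.compile(r"SSPI00009: Authenticated user: (?P<user>\S+)")
RE_RESULT = re.compile(
    r"authorization result of (?P<req>Require [^:]+): "
    r"(?P<verdict>granted|denied)(?P<nouser> \(no authenticated user yet\))?"
)
RE_INCONSISTENT = re.compile(
    r"SSPI00006: Access to (?P<path>\S+) failed, reason: inconsistent SSPI record"
)


def analyze(lines):
    """Return one finding per request in which a user was authenticated,
    at least one Require was denied, and a later Require then failed with
    'inconsistent SSPI record' (the ordering bug discussed above)."""
    findings = []
    user = None   # authenticated user of the request currently being scanned
    denied = []   # Requires already denied for that user in this request
    for lineno, line in enumerate(lines, 1):
        if RE_ENTER.search(line):
            # A new NTLM handshake round starts: forget the previous request.
            user, denied = None, []
            continue
        m = RE_AUTHED.search(line)
        if m:
            user, denied = m.group("user"), []
            continue
        m = RE_RESULT.search(line)
        if m:
            # Only verdicts reached after authentication are interesting;
            # "no authenticated user yet" lines belong to the handshake.
            if user is not None and not m.group("nouser") and m.group("verdict") == "denied":
                denied.append(m.group("req"))
            continue
        m = RE_INCONSISTENT.search(line)
        if m and user is not None:
            findings.append({
                "line": lineno,
                "user": user,
                "path": m.group("path"),
                "denied_before": list(denied),
            })
    return findings


# Constructed sample: tail of the failing trace above (GROUP1 listed first).
BAD_ORDER = r"""
[auth_ntlm:debug] mod_ntlm_authentication.c(535): SSPI00001: Entering authenticate_sspi_user()
[auth_ntlm:debug] mod_ntlm_authentication.c(653): SSPI00009: Authenticated user: DOMAIN\\USER
[auth_ntlm:error] SSPI00003: access to / failed, reason: user 'DOMAIN\\USER' does not meet 'require'ments for user to be allowed access
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP1": denied
[auth_ntlm:debug] mod_ntlm_authorization.c(124): SSPI00006: Access to / failed, reason: inconsistent SSPI record
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP2": denied
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of <RequireAny>: denied
""".strip().splitlines()

# Constructed sample: the working trace above (GROUP2 listed first).
GOOD_ORDER = r"""
[auth_ntlm:debug] mod_ntlm_authentication.c(535): SSPI00001: Entering authenticate_sspi_user()
[auth_ntlm:debug] mod_ntlm_authentication.c(653): SSPI00009: Authenticated user: DOMAIN\\USER
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of Require sspi-group "DOMAIN\\GROUP2": granted
[authz_core:debug] mod_authz_core.c(806): AH01626: authorization result of <RequireAny>: granted
""".strip().splitlines()


if __name__ == "__main__":
    for name, sample in (("GROUP1 first", BAD_ORDER), ("GROUP2 first", GOOD_ORDER)):
        for f in analyze(sample):
            print(f"{name}: line {f['line']}: {f['user']} on {f['path']} hit an "
                  f"inconsistent SSPI record after {f['denied_before']} was denied")
```

Run it over a real error.log with LogLevel auth_ntlm:debug authz_core:debug to see whether a denial is a genuine group mismatch or this ordering effect.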

Is mod_ldap really needed?

The README.md states:

You need to activate the following module (ldap_module) as well. Normally it is in your server config file, so just uncomment it:
LoadModule ldap_module modules/mod_ldap.so

I am wondering, whether this is true and if so why. I did not find any reference to LDAP in the source code or example config, that would explain, why mod_authn_ntlm needs mod_ldap.

Could you please double check and remove those lines from README.md if not needed.
Thanks a lot!
Rainer

Makefile errors

running make generates a number of errors like

Makefile:45: *** missing separator. Stop.

Request is not forwarded on first attempt in Chrome and Firefox

I am facing an issue when using mod_authn_ntlm. It works fine on Edge and IE, but when I try this on Chrome and Firefox it doesn't work as expected. Let me explain the issue.

We have an application which is running on HTTPS and we have enabled NTLM authentication. By providing all the settings as mentioned in the documentation we are able to access our application within the domain flawlessly. However, when we try to access the application from outside the domain on Chrome and Firefox, providing valid credentials, the first request is sent and a popup is prompted for username and password to log in; when they are provided, the request which is in pending state fails and our application's normal login page is visible. If we refresh the page or close the login button, a new login request is made and, without providing any username or password, it is successful.

I want to know which thing is causing the issue. Below are the settings that I made

<Location ~ "/auth/(login|logoutall)" >
    #AllowOverride None
    AuthName "Private location"
    AuthType SSPI
    NTLMAuth On
    NTLMAuthoritative On
    <RequireAll>
        <RequireAny>
            Require valid-user
            #require sspi-user EMEA\group_name
        </RequireAny>
        <RequireNone>
            Require user "ANONYMOUS LOGON"
            Require user "NT-AUTORITÄT\ANONYMOUS-ANMELDUNG"
        </RequireNone>
    </RequireAll>
    # use this to add the authenticated username to your header
    # so any backend system can fetch the current user
    # rewrite_module needs to be loaded then
    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RequestHeader set DOMAIN_USER %{RU}e
</Location>

Stuck with this; hoping to see a response at the earliest.

user unknown, reason: cannot generate context

Hi,

Sometimes the NTLM authentication stops working (login/password prompt to the user) and these errors appear in the Apache error.log:

[Mon Dec 07 10:19:52.149006 2015] [auth_ntlm:error] [pid 1492:tid 796] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52659] authentication failure for "/accueil/styles/bootstrap.min.css": user unknown, reason: cannot generate context, referer: http://*****.com/accueil/
[Mon Dec 07 10:19:52.149006 2015] [auth_ntlm:error] [pid 1492:tid 560] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52658] authentication failure for "/accueil/styles/todc-bootstrap.min.css": user unknown, reason: cannot generate context, referer: http://*****.com/accueil/
[Mon Dec 07 10:19:52.149006 2015] [auth_ntlm:error] [pid 1492:tid 684] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52634] authentication failure for "/accueil/img/prepand.png": user unknown, reason: cannot generate context, referer: http://*****.com/accueil/
[Mon Dec 07 10:19:52.149006 2015] [auth_ntlm:error] [pid 1492:tid 556] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52633] authentication failure for "/accueil/styles/style_header.css": user unknown, reason: cannot generate context, referer: http://*****.com/accueil/
[Mon Dec 07 10:19:52.149006 2015] [auth_ntlm:error] [pid 1492:tid 784] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52630] authentication failure for "/accueil/img/chet_bg.png": user unknown, reason: cannot generate context, referer: http://*****.com/accueil/
[Mon Dec 07 10:19:52.164606 2015] [auth_ntlm:error] [pid 1492:tid 740] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52628] authentication failure for "/accueil/img/logo_postes.png": user unknown, reason: cannot generate context, referer: http://*****.com/accueil/
[Mon Dec 07 10:19:52.180206 2015] [auth_ntlm:error] [pid 1492:tid 568] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52646] authentication failure for "/accueil/img/logo_cariatides.png": user unknown, reason: cannot generate context, referer: http://*****.com/accueil/
[Mon Dec 07 10:19:54.722990 2015] [auth_ntlm:error] [pid 1492:tid 584] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52663] authentication failure for "/accueil/img/logo_pps.png": user unknown, reason: cannot generate context, referer: http://*****.com/accueil/
[Mon Dec 07 10:19:54.722990 2015] [auth_ntlm:error] [pid 1492:tid 844] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52664] authentication failure for "/accueil/img/logo_cognos.jpg": user unknown, reason: cannot generate context, referer: http://*****.com/accueil/
[Mon Dec 07 10:19:54.738590 2015] [auth_ntlm:error] [pid 1492:tid 760] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52661] authentication failure for "/accueil/img/logo_piwik.png": user unknown, reason: cannot generate context, referer: http://*****.com/accueil/
[Mon Dec 07 10:21:18.213655 2015] [auth_ntlm:error] [pid 1492:tid 576] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52725] authentication failure for "/accueil/styles/todc-bootstrap.min.css": user unknown, reason: cannot generate context, referer: http://*****.com/accueil/
[Mon Dec 07 10:21:18.213655 2015] [auth_ntlm:error] [pid 1492:tid 820] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52716] authentication failure for "/accueil/styles/bootstrap.min.css": user unknown, reason: cannot generate context, referer: http://*****.com/accueil/
[Mon Dec 07 10:21:18.229255 2015] [auth_ntlm:error] [pid 1492:tid 744] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52724] authentication failure for "/accueil/img/logo_webcitrix.jpg": user unknown, reason: cannot generate context, referer: http://*****.com/accueil/
[Mon Dec 07 10:21:18.229255 2015] [auth_ntlm:error] [pid 1492:tid 760] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52719] authentication failure for "/accueil/img/logo_office.png": user unknown, reason: cannot generate context, referer: http://*****.com/accueil/
[Mon Dec 07 10:22:27.711209 2015] [fcgid:warn] [pid 1492:tid 760] (OS 10054)Une connexion existante a dû être fermée par l’hôte distant.  : [client 10.0.55.5:4087] mod_fcgid: ap_pass_brigade failed in handle_request_ipc function, referer: http://*****.com/accueil/
[Mon Dec 07 10:25:56.157073 2015] [fcgid:warn] [pid 1492:tid 712] (OS 10054)Une connexion existante a dû être fermée par l’hôte distant.  : [client 10.0.32.52:62076] mod_fcgid: ap_pass_brigade failed in handle_request_ipc function, referer: http://*****.com/glpi/front/tracking.injector.php
[Mon Dec 07 10:26:05.719812 2015] [fcgid:warn] [pid 1492:tid 576] (OS 10054)Une connexion existante a dû être fermée par l’hôte distant.  : [client 10.0.55.5:4106] mod_fcgid: ap_pass_brigade failed in handle_request_ipc function, referer: http://*****.com/annuaire/index.php?pages=blanches&keywords=flipo
[Mon Dec 07 10:26:17.170138 2015] [auth_ntlm:error] [pid 1492:tid 652] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52938] authentication failure for "/annuaire/styles/style_evements.css": user unknown, reason: cannot generate context, referer: http://*****.com/annuaire/index.php?pages=evt
[Mon Dec 07 10:26:17.185738 2015] [auth_ntlm:error] [pid 1492:tid 784] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52932] authentication failure for "/annuaire/img/logo_mini.png": user unknown, reason: cannot generate context, referer: http://*****.com/annuaire/index.php?pages=evt
[Mon Dec 07 10:26:17.185738 2015] [auth_ntlm:error] [pid 1492:tid 660] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52937] authentication failure for "/annuaire/img/chet_bg.png": user unknown, reason: cannot generate context, referer: http://*****.com/annuaire/index.php?pages=evt

(I deliberately hid the domain name)

When I stop and start the Apache service, the NTLM authentication works again :S (without errors in error.log on the same website pages)

Do you have an idea how to solve my problem?

Thanks

Cannot offer both basic and ntlm

When setting NTLMOfferBasic On and running curl -k --basic -u user:pswd https://mysite, I get a 401 Unauthorized error. The error on the server is [Thu Feb 21 09:35:43.432826 2019] [auth_ntlm:error] [pid 9748:tid 940] [client xxx.xxx.xxx.xxx:57889] client used wrong authentication scheme: (null) for /<path>/ (needed NTLM).
If switching curl option from --basic to --ntlm, it works.
By contrast mod_auth_sspi handles both ntlm and basic correctly.

please provide 32&64 bit version

Hey,

after the last pull request, the created .so file is only 64-bit. Could you please provide a 32-bit and a 64-bit version, since Apache is complaining about the .so file:

httpd.exe: Syntax error on line 116 of C:/Apache24/conf/httpd.conf: Cannot load modules/mod_authn_ntlm.so into server: %1 ist keine zulässige Win32-Anwendung.

@YvesR @lwahonen

thanks!

authentication with virtualhost doesn't work

I found that authentication with a virtualhost name different from the regular hostname doesn't work.

Example:
hostname: digit1.ggg.com
username given: ggg\mark
password correct and it works

but when we define a virtualhost like virtu1.ggg.com and set up the same authentication rules, it won't work.

The log says:

[Fri Jul 17 14:24:27.493294 2020] [auth_ntlm:debug] [pid 33688:tid 2120] mod_ntlm_authentication.c(632): [client 192.168.84.48:56538] SSPI00001: Entering authenticate_sspi_user()
[Fri Jul 17 14:24:27.493294 2020] [auth_ntlm:error] [pid 33688:tid 2120] (OS 1326)Nazwa użytkownika lub hasło są niepoprawne.  : [client 192.168.84.48:56538] authentication failure for "/": user unknown
[Fri Jul 17 14:24:27.493294 2020] [auth_ntlm:debug] [pid 33688:tid 2120] mod_ntlm_authentication.c(535): SSPI: Testing for IE bug, request GET (null)
[Fri Jul 17 14:24:27.493294 2020] [core:trace3] [pid 33688:tid 2120] request.c(117): [client 192.168.84.48:56538] auth phase 'check user' gave status 401: /

Is it possible to make this work?

2 questions - unstable transparency

Hi.
The task: if a user logs on to a computer under a domain account, then he can log in to our web application in browsers "transparently", without an additional request for a name and password.

1. Apache 2.4 is installed on 64-bit Windows Server 2016.
I downloaded and installed the module from here https://www.apachehaus.com/cgi-bin/download.plx
Download Name: Mod Auth NTLM for Apache 2.4.x x64
Download Description: SSPI NTLM based authentication module for Apache
Download Filename: mod_authn_ntml-1.0-2.4.x-x64-vc15.zip
There is also V14, as I understand it, they are not functionally different.
Is this the latest version of your module, among those immediately ready for use?

2. We tried to log in under different users and under different browsers (IE 11, Chrome and Firefox). Sometimes the user transparently logs into the application (without the authorization window appearing) and the domain username appears in the X_ISRW_PROXY_AUTH_USER variable.
But more often than not, a nasty login window appears in different browsers, although the user has already entered the domain in Windows. Changing the string
Require valid-user
to
Require valid-sspi-user
does not greatly improve the situation.
How to fix it?

Here is what I did, based on your sample configuration:

RequestHeader unset X_ISRW_PROXY_AUTH_USER
    <Location /ords >
        AuthName "Private location"
        AuthType SSPI
        NTLMAuth On
        NTLMAuthoritative On
        <RequireAll>
            <RequireAny>
               Require valid-user                 
            </RequireAny>
            <RequireNone>
                Require user "ANONYMOUS LOGON"
                Require user "NT AUTHORITY\ANONYMOUS LOGON"
            </RequireNone>            
        </RequireAll>
        RequestHeader set X_ISRW_PROXY_AUTH_USER expr=%{REMOTE_USER}
    </Location>

support for single sign-on with subversion?

Hi!

I tried to set up mod_auth_ntlm and subversion-1.9.0 with apache-2.4.16 to support single sign-on for subversion, but didn't succeed (more details are discussed here: https://www.apachehaus.com/forum/index.php?topic=1299.0).

The question I wanted to ask here is whether such a configuration (mod_auth_ntlm + subversion) is supposed to work, or if there are any known limitations and/or incompatibilities. I assumed it had at least been considered since SVNPathAuthz is explicitly mentioned as an example in the documentation of the NTLMChainAuth option.

Can you please clarify or (even better :-) give a configuration hint?

Thanks & kind regards,
Markus

NTLMDefaultDomain - Not Working

Testing this from an iPad, this does not work. I have to enter the username as domain\username, even with NTLMDomain "domain" configured.

The failure is producing this in the log:

[Tue Jul 19 11:58:40.327870 2016] [auth_ntlm:error] [pid 15304:tid 1228](OS 1326)The user name or password is incorrect. : [client 192.168.1.7:61797] authentication failure for "/": user unknown

From the code, that means that neither hdr->User nor hdr->Domain is set. Why would hdr->User not be set?

problematic www-Authenticate list if NTLMBasicPreferred is set

If both options, NTLMOfferBasic and NTLMBasicPreferred, are set, the WWW-Authenticate list contains two different Basic entries:
WWW-Authenticate: Basic realm="My Realm"
WWW-Authenticate: Basic
This setting seems to be handled gracefully by Firefox, but the Apache serf library will choke on that and crash due to a null pointer access as it expects a "realm=" string in the second authenticate entry.

I would expect the list to be like:
WWW-Authenticate: Basic realm="My Realm"
WWW-Authenticate: NTLM
which is generated by the old mod_auth_sspi module.

This behavior seems to be generated in mod_ntlm_authentication.c by
if (ctx.crec->sspi_offerbasic && ctx.crec->sspi_basicpreferred) ctx.crec->sspi_packages = "Basic"; (Line 700 in version 1.01)

If this instruction is removed, the expected list will be generated.
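The two-entry challenge list above, as an added example that is not part of mod_authn_ntlm or serf: a small Python parser for WWW-Authenticate challenges that tolerates a Basic entry carrying no realm (the case reported to crash serf) and picks a scheme the way a robust client should. The header values are constructed for the example.

```python
"""Robust handling of multiple WWW-Authenticate challenges.

Added example, not code from mod_authn_ntlm or serf. Each element of the
input list is one WWW-Authenticate header value; a comma-joined list in a
single header is not split here (assumption kept for brevity).
"""
import re
from typing import Dict, List, Optional, Tuple

# scheme token, then either parameters (k=v, ...) or a bare token68 blob
_CHALLENGE_RE = re.compile(r'(?P<scheme>[A-Za-z][A-Za-z0-9_-]*)\s*(?P<rest>.*)')
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')
_TOKEN68_RE = re.compile(r'^[A-Za-z0-9._~+/-]+=*$')

Challenge = Tuple[str, Dict[str, str]]


def parse_challenge(value: str) -> Challenge:
    """Parse one header value into (scheme, params); params may be empty."""
    m = _CHALLENGE_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed challenge: {value!r}")
    rest = m.group("rest").strip()
    if rest and _TOKEN68_RE.match(rest):          # e.g. an NTLM type-2 blob
        return m.group("scheme"), {"token68": rest}
    params = {k: (quoted if quoted else bare)
              for k, quoted, bare in _PARAM_RE.findall(rest)}
    return m.group("scheme"), params


def realm_of(challenges: List[Challenge], scheme: str) -> Optional[str]:
    """First realm advertised for *scheme*, or None when no entry has one.

    Callers must check for None rather than assume every Basic entry carries
    realm=, which is exactly the assumption that made serf dereference NULL.
    """
    for s, params in challenges:
        if s.lower() == scheme.lower() and "realm" in params:
            return params["realm"]
    return None


def choose_scheme(headers: List[str], preferred: List[str]) -> Optional[str]:
    """Return the first entry of *preferred* that the server actually offered."""
    offered = {parse_challenge(h)[0].lower() for h in headers}
    for scheme in preferred:
        if scheme.lower() in offered:
            return scheme
    return None


# constructed sample values reproducing the issue (second Basic has no realm)
BUGGY_HEADERS = ['Basic realm="My Realm"', 'Basic']
EXPECTED_HEADERS = ['Basic realm="My Realm"', 'NTLM']
```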

List of available config parameters?

I apologize up front for using an Issue to ask this question, but I cannot find an exhaustive list of parameters for this module anywhere. I particularly want to know about NTLMDefaultDomain and how that works.

not a valid Win32 application

I apologize if this is a dumb question -- I used the .so that was in the repo, and I'm getting this error on a Server 2016 box while trying to add SSPI authentication to a CollabNet Subversion installation:

The Apache service named  reported the following error:
>>> httpd.exe: Syntax error on line 10 of C:/csvn/data/conf/httpd.conf: Cannot load lib/modules/mod_authn_ntlm.so into server: The Apache service named is not a valid Win32 application.    

Do I need to rebuild the .so?

Thanks,
Glenn

Auth for non-ad users

Hi folks,

Can I configure this authentication so that login for non-AD users works with the service, for example our GLPI support service?

Unauthorized

Hi,
I get the error:

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
In httpd.conf:

Alias /test "/var/www/html/test"

<Directory "/var/www/html/test">
    Authtype CAS
    require valid-user
    Options Indexes MultiViews
    AllowOverride all
    Order allow,deny
    Allow from all
</Directory>

thanks

what additional header information is available?

I was successfully able to get Apache to forward REMOTE_USER to a reverse proxy on the same server, as mentioned in the instructions: RequestHeader set X_ISRW_PROXY_AUTH_USER expr=%{REMOTE_USER}

Apache :443 --> Express :5001 (same web server)

I can see several things in the Request Header, like x-forwarded-for, x-forwarded-server, and x_isrw_proxy_auth_user

Is there any additional information that I can forward about the user to the backend? For example, can I forward group membership information?

What other information about the user is available after authorization?

Are there any additional variables in addition to expr=%{REMOTE_USER}?
