Authentication will fail open the page on the server itself with different url about mod_authn_ntlm HOT 11 CLOSED

Is the config the same as in the example? I did not have that kinda issue, but I run apache not on the AD server itself.

from mod_authn_ntlm.

Yes, the httpd.conf in the repository is like we use it in common.
On production servers we do not use the server name in any intranet / portal project, always set a FQDN. The moment we do this we prevent ourself to open the page on the server itself.

from mod_authn_ntlm.

BTW: Doesn't matter if you use AD or local server user accounts. Same issue.

from mod_authn_ntlm.

I will try that tomorrow.

from mod_authn_ntlm.

With this config https://gist.github.com/JBlond/9a6003cae60e73893ce3 I had no issues (without my last patch, I had no new binary at this time). http://localhost/auth/
Firefox I was able to login via prompt and IE was logged in SSO.

Win7 pro
Apache/2.4.10 (Win64) from ApacheHaus

Did you try a regular user or as the Domain Administrator? I used a normal AD user who is local administrator on the computer on which apache is running.

from mod_authn_ntlm.

I tried your config. Same thing. Still do not work.

I try to access a demo url https://thor.informer.de.
IE popup the credentials dialog, I can enter 3 times the correct data and still get:

Unauthorized

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

Server ist part of a domain tqsoft.local (test domain).
My conf:

  # if windows/ntlm auth used
  <Location /ror_auth >
    #AllowOverride None
    AuthName "Informer"
    AuthType SSPI
    NTLMAuth On
    NTLMAuthoritative On
    # domain need to be set to your domain
    # NTLMDefaultDomain domain.local
    #require valid-user
    <RequireAll>
        <RequireAny>
            Require valid-user
        </RequireAny>
        <RequireNone>
            Require user "ANONYMOUS LOGON"
            Require user "NT-AUTORITÄT\ANONYMOUS-ANMELDUNG"
        </RequireNone>
    </RequireAll>
    # use this to add the authenticated username to you header
    # so any backend system can fetch the current user
    # rewrite_module needs to be loaded then
    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RequestHeader set X_ISRW_PROXY_AUTH_USER %{RU}e
  </Location>

from mod_authn_ntlm.

Add: Tried local user Administrator and Domain Administrator, same results.

from mod_authn_ntlm.

Try a normal user. Maybe it is an issue with Administrator. If I remember correctly I had that issue with the original SSPI module.

from mod_authn_ntlm.

Tried a normal domain and local user as well. Same result.
I seek the windows protocol security and found out:

• username local or domain called from external client => security protocol logs successful login
• username local or domain called on the server => security protocol has entries with wrong credentials

from mod_authn_ntlm.

Have you tried enabling LogLevel debug, and comparing the error.log output?

from mod_authn_ntlm.

Root cause of this is described in #17 .
Correct configuration will make open FQDN local on the server possible.

from mod_authn_ntlm.