I have a development environment that is fronted via an Apache server. This Apache server requires SSL and Centrify-enabled NTLM authentication/authorization with the AD backend, using group access to view the webpages. There will be multiple projects using this environment, so I want to set up Virtual Hosting, which will allow each project to modify their own virtual host with any specific Apache modules. The web files will live in /var/www/project1 ; /var/www/project2 ; etc.
I already have the DNS configured properly to point *.domain to the apache server, as well as a wildcard SSL certificate that had the altDNSName field set with *.domain.
The problem is the NTLM authentication piece:
If I point my browser to https://hostname.fqdn/project1/index.html, the NTLM authorization processes exactly as I want. I believe this runs off my default virtual host.
If I instead point my browser to https://project1.domain/index.html, the Apache error logs complain that "User failed NTLM authentication for /index.html. Error: Logon failure."
# Default (first-listed) name-based vhost, matched for https://hostname.fqdn/...
<VirtualHost ipaddress:443>
    ServerName "hostname.fqdn"
    DocumentRoot "/var/www/"
    SSLEngine on
    SSLCertificateFile /path/to/cert.crt
    SSLCertificateKeyFile /path/to/cert.key
</VirtualHost>

# Per-project name-based vhost, matched for https://project1.domain/...
<VirtualHost ipaddress:443>
    ServerName "project1.domain"
    DocumentRoot "/var/www/project1"
    SSLEngine on
    SSLCertificateFile /path/to/cert.crt
    SSLCertificateKeyFile /path/to/cert.key
</VirtualHost>

# Global per-directory settings; apply to both vhosts since both roots sit under /var/www
<Directory "/var/www">
    Options Indexes FollowSymLinks
    SSLRequireSSL
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# Centrify NTLM-only authentication for project1, authorized by AD group membership
<Directory "/var/www/project1">
    AuthType CENTRIFYDC
    EnableBasicAuth false
    EnableKerberosAuth false
    EnableNtlmAuth true
    Require group required_ad_group
</Directory>
I have attempted this with both IE and Firefox, making sure *.domain was in my Local Intranet zone for IE and that the network.automatic-ntlm-auth.trusted-uris and network.negotiate-auth.trusted-uris settings are properly set in Firefox.
I have narrowed it down to the NTLM problem, because if I remove the Centrify directives, the Name-Based Virtual Host works as I would expect. I have tried placing the Directory tag within each Virtual Host, I have also tried using a Location tag, but I have not been able to make any headway.
I would start by making 2 solidly separate VirtualHosts that work as expected, and then work back to a hybrid variety by step changes.
I suspect your 2 VirtualHosts resolve to something like this:
So I would test something like that, and then move them out of each other's sub-directories, and see what directives are conflicting.
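The answer above recommends two fully separate VirtualHosts before working back to a hybrid. The following is an added example of that layout (not config from the question or the answer): each vhost has its own DocumentRoot outside the other's tree and carries its own Directory block, so no global Directory section is shared between them. The Centrify directives and the Apache 2.2-style Order/Allow access controls are taken from the question; the NameVirtualHost line, the /srv/www paths, and the project2 group name are assumptions used only to make the example complete.

```apache
# Assumed: Apache 2.2-style name-based SSL vhosts on one address (the question's
# Order/Allow directives point at 2.2, where NameVirtualHost is still required).
NameVirtualHost ipaddress:443

# First-listed vhost is the default; it also answers for unknown Host headers.
<VirtualHost ipaddress:443>
    ServerName hostname.fqdn
    DocumentRoot /srv/www/default          # assumed path, not under any project root
    SSLEngine on
    SSLCertificateFile /path/to/cert.crt   # wildcard cert covering *.domain
    SSLCertificateKeyFile /path/to/cert.key

    <Directory /srv/www/default>
        Options -Indexes FollowSymLinks
        SSLRequireSSL
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

# project1: self-contained, its Directory block lives inside the vhost.
<VirtualHost ipaddress:443>
    ServerName project1.domain
    DocumentRoot /srv/www/project1         # assumed path
    SSLEngine on
    SSLCertificateFile /path/to/cert.crt
    SSLCertificateKeyFile /path/to/cert.key

    <Directory /srv/www/project1>
        Options -Indexes FollowSymLinks
        SSLRequireSSL
        AllowOverride None
        Order allow,deny
        Allow from all

        # Centrify NTLM-only authentication, authorized by AD group (from the question)
        AuthType CENTRIFYDC
        EnableBasicAuth false
        EnableKerberosAuth false
        EnableNtlmAuth true
        Require group required_ad_group
    </Directory>
</VirtualHost>

# project2: identical shape, different root and group (both names assumed).
<VirtualHost ipaddress:443>
    ServerName project2.domain
    DocumentRoot /srv/www/project2
    SSLEngine on
    SSLCertificateFile /path/to/cert.crt
    SSLCertificateKeyFile /path/to/cert.key

    <Directory /srv/www/project2>
        Options -Indexes FollowSymLinks
        SSLRequireSSL
        AllowOverride None
        Order allow,deny
        Allow from all

        AuthType CENTRIFYDC
        EnableBasicAuth false
        EnableKerberosAuth false
        EnableNtlmAuth true
        Require group project2_ad_group
    </Directory>
</VirtualHost>
```

Keeping each project's root out of the default vhost's tree means a global <Directory "/var/www"> block can no longer silently apply to every project, which is the kind of directive overlap the answer suggests hunting for. `apachectl -S` prints the vhost-to-ServerName mapping and is a quick way to confirm that project1.domain is actually being served by its own vhost rather than falling through to the default one.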
After more investigation, it wasn't a problem with the Apache configuration. It seems as though the browser was passing NTLM and Apache was receiving it, but Centrify isn't properly validating it. Now I need to figure out where the breakdown is here, but that's another thread.