I successfully configured NTLM authentication. Unfortunately, the config allows a semi-basic authorization. For example, when I'm using TortoiseSVN 1.8.4 (with the serf access library), Chrome or IE web browsers, they authenticate with NTLM successfully without prompting for anything. In the log file I see the authenticated users. Unfortunately, when I'm using, for example, an unconfigured Firefox or Maxthon, those browsers prompt me for credentials. I don't need this, because the same situation occurs when I'm trying to access from an out-of-domain computer.
I'm using Windows Server as the domain controller, Windows 7/8 as the client systems, and Linux/Debian as the web server. I configured Kerberos from Linux to the Windows AD, winbind for local NTLM authentication, and the Apache 2.2 series. As the Apache authentication glue I use the mod_auth_ntlm_winbind.so apache2 module, and under the directory/location config the ntlm helper to communicate with winbind. This works properly; example for Apache:
<Directory /var/www/>
    # defaults for the main www directory
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    # modified: deny access from any IP; in future, add auth-less access from specified hosts
    Order deny,allow
    deny from all
    #allow from IP/mask
    # settings for NTLM auth with the winbind helper
    AuthName "NTLM Authentication"
    NTLMAuth on
    NTLMAuthHelper "/usr/bin/ntlm_auth --domain=MY.WINDOWS.DOMAIN --helper-protocol=squid-2.5-ntlmssp"
    NTLMBasicAuthoritative on
    AuthType NTLM
    require valid-user
    # because IP access is denied by default, let a valid user through anyway
    satisfy any
</Directory>
I hoped that maybe I could do some redirection using the Apache AUTH_TYPE variable, so I added the following rewriting to the config above:
RewriteEngine on
RewriteRule ^ /cgi-bin/TestAuth.pl?DollarOne=1&AUTH_TYPE=%{AUTH_TYPE}&REMOTE_USER=%{REMOTE_USER}
And the example script TestAuth.pl as CGI content:
#!/usr/bin/perl
use strict;
use warnings;
use Data::Dumper; # easy way to print the script arguments and environment
print "Content-type: text/plain\r\n"; # HTTP needs a Content-Type header and a blank line before the body
print "\r\n";
print "Environment contains:\r\n";
print "x\r\n";
print Data::Dumper->Dump([\@ARGV,\%ENV],[qw(ARGV ENV)]); # prints all script arguments and process variables
Unfortunately, in all cases, both with Windows-based NTLM auth and with prompted credentials, I always see that AUTH_TYPE is NTLM. So there is no way to recognize what the browser does. In that situation I can access from clients outside the domain.
I tried wrapping the ntlm helper with strace. Unfortunately I don't see anything important in its dump across the four-way combination of successful/failed auth and access by non-prompted IE and prompted FF. I think the same situation occurs when the ntlm helper authenticates to a local Samba server, but I never tested this.
Now I'm trying to do some config with multiple auth types, Basic and NTLM. I try to do Basic first and filter it out by always failing and redirecting it to an info page. Unfortunately, so far without success with the NTLM mix :( NTLM is always done first.
So does anybody have an idea how to prevent the credential prompting? How to revoke access from prompted clients? How to recognize whether credentials come from a prompt or from the Windows client API?
Using NTLM authentication doesn't guarantee a credential-less login. If you have valid Windows credentials that the server can recognize, you won't get a password prompt.
If the user doesn't have valid NTLM pass-through credentials, they will be prompted to provide them. It is in no way reverting to 'basic' authentication.
Unfortunately, there is no way to tell if a user provided the credentials or if they were passed through by the system.
Perhaps ask a new question outlining what you want your users to experience (i.e. different sites for internal and external users) and someone may be able to help in a different way.
For now I resolved this problem by switching from NTLM to Kerberos authentication. Everything prepared for winbind works directly under Kerberos, because I earlier configured Kerberos for winbind to communicate with the AD server. Because Kerberos is open, the developers foresaw different sub-authentication on the user endpoint. Very helpful is a flag in the Apache 2.2 Kerberos module:
This causes what I want. The browser gets a krb frame with the attribute "Don't pop up user for credentials", then the client simply doesn't do this. But if it does (any incompatibility?), the Apache server module should detect this and should revoke authentication.
Using Microsoft's NTLM this is impossible because the protocol is spoiled. The first NTLM frame after web return code 201 doesn't have the possibility of adding an attribute "don't prompt user for credentials". Then I can filter that frame after a popup or OS session key sign. This causes the browser to always display a popup when the OS session key is unavailable.
Eventually there is another chance. The user takes some time for writing credentials, or to accept when credentials are stored in the browser. I can count the time between sending the auth frame to the browser and the frame incoming from the client. When the time is too long I can revoke. Unfortunately this may cause false de-authentication on busy computers or networks.
I'll try both methods in the future :) It will be funny if all of it can be done under the Apache winbind auth module. Then all config can be encapsulated under Apache, the same as for Kerberos auth.
Thank you all for your interest, investigations and help :)
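The timing heuristic proposed in the last post (measure how long a client takes between the server's 401 challenge and the authenticated request, and treat a slow handshake as a probable credential prompt), as an added example that is not part of the original thread or of mod_auth_ntlm_winbind: a Python script that pairs the first 401 for each client host with its next successful, user-bearing 200 in an Apache access log. It assumes Apache's standard "combined" LogFormat, and the sample log lines, host addresses, user name and the 3-second threshold are constructed for illustration, not taken from the post.

```python
import re
from datetime import datetime

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # %t looks like 12/Jan/2014:10:00:00 +0100 (second resolution only)
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def handshake_durations(lines, threshold_seconds=3.0):
    """Return one record per completed NTLM handshake, per client host.

    A handshake starts at the first 401 a host receives and ends at the next
    200 that carries an authenticated user (%u is not "-").  The intermediate
    Type 1 / Type 3 round trips also log as 401/200 and are folded into the
    same exchange.  A handshake longer than threshold_seconds is flagged as
    "likely_prompted": a silent SSO exchange completes within a second, while
    a human typing a password needs several.  The threshold is an assumption.
    """
    pending = {}   # host -> timestamp of the first 401 in the current exchange
    results = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = rec["host"]
        if rec["status"] == 401:
            pending.setdefault(host, rec["ts"])
        elif rec["status"] == 200 and rec["user"] != "-":
            start = pending.pop(host, None)
            if start is None:
                # authenticated request with no preceding challenge
                # (e.g. a reused keep-alive connection); nothing to measure
                continue
            seconds = (rec["ts"] - start).total_seconds()
            results.append({
                "host": host,
                "user": rec["user"],
                "agent": rec["agent"],
                "seconds": seconds,
                "likely_prompted": seconds > threshold_seconds,
            })
    return results


# Constructed sample log (not from the original post): a domain-joined Chrome
# finishing the handshake silently within the same second, and a Firefox
# whose user took nine seconds to type a password into the prompt.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2014:10:00:00 +0100] "GET / HTTP/1.1" 401 381 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/31.0"',
    '10.0.0.5 - - [12/Jan/2014:10:00:00 +0100] "GET / HTTP/1.1" 401 381 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/31.0"',
    '10.0.0.5 - jdoe [12/Jan/2014:10:00:00 +0100] "GET / HTTP/1.1" 200 1534 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/31.0"',
    '10.0.0.9 - - [12/Jan/2014:10:00:05 +0100] "GET / HTTP/1.1" 401 381 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/26.0"',
    '10.0.0.9 - - [12/Jan/2014:10:00:05 +0100] "GET / HTTP/1.1" 401 381 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/26.0"',
    '10.0.0.9 - jdoe [12/Jan/2014:10:00:14 +0100] "GET / HTTP/1.1" 200 1534 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/26.0"',
]

if __name__ == "__main__":
    for r in handshake_durations(SAMPLE_LOG):
        flag = "PROMPT?" if r["likely_prompted"] else "sso"
        print(f'{r["host"]:<10} {r["user"]:<8} {r["seconds"]:5.1f}s {flag:<8} {r["agent"]}')
```

As the post itself notes, this is only a heuristic: a slow link or a busy client machine can push a genuine SSO handshake over the threshold, and the second-resolution `%t` timestamp makes sub-second exchanges indistinguishable. It is a way to find and review prompted logins in the access log after the fact, not a substitute for an authentication decision made by the module.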