NTLM is a proprietary (and not so good) protocol for deploying Single Sign On in predominantly Windows-oriented networks (our company network is one of them). NTLM sits on top of HTTP, so users who are logged on to the Windows Active Directory network can transparently log on to web services using their Microsoft Windows credentials (and thereby get Single Sign On). Getting IIS servers working with NTLM is easy (it should be), but traditionally Apache servers have had problems doing this.
The NTLM protocol performs a challenge/response exchange: the server sends a random number (nonce) and gets back an MD4-based hash built from the user's password and the nonce. This makes sure that no password goes over the wire in plain text, so it's more secure than basic authentication, which doesn't mean it's a really secure authentication scheme. 😉
Some information about NTLM can be found at:
This short article shows how to get Apache on Linux boxes to authenticate against an Active Directory server using the NTLM v1 protocol.
There are various Apache modules to achieve this task; however, the fastest and simplest way is to use an excellent Perl module, Apache2::AuthenNTLM, that provides good support for NTLM authentication.
Follow the steps given below for getting NTLM authentication working (this assumes you have mod_perl compiled and working on your Apache setup):
1. Download and compile Apache2::AuthenNTLM from the location given above:
tar xvfz Apache*AuthenNTLM*.tgz
cd Apache*AuthenNTLM*
perl Makefile.PL
make
make test
make install
2. Edit the Apache configuration and enable KeepAlive (KeepAlive On). NTLM authenticates the TCP connection rather than each individual request, so the handshake fails if the connection is closed between its messages.
3. Include the following configuration in either httpd.conf or your VirtualHost config file:
# Enable the Authentication module
PerlAuthenHandler Apache2::AuthenNTLM
# Do NTLM and basic authentication
AuthType ntlm,basic
# The name that should be displayed in the Auth box, if NTLM fails
AuthName COMPANY_NAME
# Ask for a valid user.
require valid-user
#domain pdc bdc
# Domain : Your windows domain
# pdc : Primary Domain Controller
# bdc : Backup Domain controller.
#
# Note : Multiple domains can be specified.
# replace here DOMAIN, PDC_NAME and BDC_NAME for your current setup
PerlAddVar ntdomain "DOMAIN PDC_NAME BDC_NAME"
# What should be the default domain
PerlSetVar defaultdomain DOMAIN
# The user names are in the form "OURDOMAIN\user_name". Let us split it.
PerlSetVar splitdomainprefix 1
# Set the debug variables
PerlSetVar ntlmdebug 0
PerlSetVar ntlmauthoritative off
PerlSetVar ntlmsemkey 0
# This fixed a hang up issue after a long time of inactivity
PerlSetVar ntlmsemtimeout 1
What this Perl module does is "just" authenticate the Windows user against the AD server and populate the REMOTE_USER variable, which is passed on to the application layer and carries the authenticated user name.
4. Finally we use the Webserver_Auth Drupal module to read the REMOTE_USER variable from PHP and automatically log the user on. This module can also be used to automatically create a Drupal user when a new AD user authenticates. Please read the module documentation for all the available options.
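As an added example (not part of the original post, nor code from Apache2::AuthenNTLM or Webserver_Auth), this is how the application layer can normalize the REMOTE_USER value before using it to look up or auto-create a local account; the domain list, default domain and function names are assumptions that mirror the ntdomain and defaultdomain settings above.

```python
from typing import Optional, Tuple

# Constructed to mirror the "PerlAddVar ntdomain" and "PerlSetVar defaultdomain"
# lines of the Apache config above; a real deployment would load them from the
# same place. Names and values here are assumptions, not from the post.
CONFIGURED_DOMAINS = {"DOMAIN", "OTHERDOMAIN"}
DEFAULT_DOMAIN = "DOMAIN"


def parse_remote_user(remote_user: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (DOMAIN, user) for a REMOTE_USER value, or None if it must not be
    trusted to log anyone in.

    Accepts both shapes Apache2::AuthenNTLM produces: "DOMAIN\\user" when
    splitdomainprefix is 0, and a bare "user" when it is 1 (the domain is then
    the configured defaultdomain).
    """
    if not remote_user:
        # Unset or empty: the auth handler never ran for this request (the
        # location is unprotected, or ntlmauthoritative off fell through).
        return None
    value = remote_user.strip()
    if "\\" in value:
        domain, _, user = value.partition("\\")
    else:
        domain, user = DEFAULT_DOMAIN, value
    domain, user = domain.upper(), user.lower()  # AD names are case-insensitive
    if not domain or not user:
        return None
    if domain not in CONFIGURED_DOMAINS:
        # A domain the module was never configured to authenticate against.
        return None
    # Conservative character set (an assumption, stricter than AD itself); it
    # keeps auto-created Drupal accounts from carrying stray characters into the DB.
    if not all(c.isalnum() or c in "._-" for c in user):
        return None
    return domain, user


def account_key(remote_user: Optional[str]) -> Optional[str]:
    """Canonical local account name "DOMAIN\\user", independent of whether the
    domain prefix was split off. With several ntdomain entries this prevents
    DOMAIN\\alice and OTHERDOMAIN\\alice from collapsing into one "alice" account."""
    parsed = parse_remote_user(remote_user)
    if parsed is None:
        return None
    domain, user = parsed
    return f"{domain}\\{user}"
```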
IMPORTANT: Apache2::AuthenNTLM is no longer actively maintained and it only works with NTLMv1. This means that clients running Windows Vista/7 won't work, as they use NTLM version 2 by default.
If we want Windows 7 to use NTLMv1, and therefore be able to authenticate against our Apache server using Apache2::AuthenNTLM, there is one Local Security Policy setting that has to be changed:
- Open Control Panel.
- Choose Administrative Tools.
- Click Local Security Policy.
- Under Local Policies > Security Options, change "Network security: LAN Manager authentication level" to "Send LM & NTLM responses".
Having done that, Internet Explorer will be able to use NTLMv1. However, Firefox won't work yet. To get Firefox working we have to add our application URL to its trusted URI list:
- Open Firefox
- Type “about:config” in the address bar and accept the warning message
- Edit the "network.automatic-ntlm-auth.trusted-uris" preference and add your app URL, e.g. "http://my-app"
- Click OK
If you followed all the steps detailed above you will probably have set up your Apache server to authenticate against AD Windows servers using the NTLMv1 protocol. However, it's fair to say that disabling the Windows 7 default of using NTLMv2 instead of v1 is not good practice. So use it under your own responsibility.
Although I haven't had the chance to test it, there's a new alternative implemented as a Python module which does the same thing as Apache2::AuthenNTLM and can be used with any NTLM version. If anyone has the chance to test it, any comments or feedback are appreciated.