NTLM Authentication
NTLM is a proprietary (and not so good) protocol for deploying Single Sign On in predominantly Windows-oriented networks (our company network included). NTLM is carried over HTTP, so users who are logged on to the Windows Active Directory network can transparently log on to web services using their Microsoft Windows credentials (and thereby get Single Sign On). Getting IIS servers working with NTLM is easy (as it should be), but traditionally Apache servers have had problems doing this.
This document explains how to get NTLM authentication working in Drupal in Linux + Apache boxes.
There are various methods for getting NTLM authentication working in Apache.
- mod_ntlm - This is an Apache module which adds NTLM support to Apache. However, it is not very actively maintained, and getting it compiled and running on the various Apache versions (and various distributions) is a herculean task. To top it off, the compilation throws out a lot of warnings, and one tends to feel uncomfortable with it.
- mod_ntlm_winbind - for boxes that have Winbind (1, 2) configured, this module can be configured to provide NTLM authentication for Apache. However, it is still under development and not well tested.
However, for the help of people working in such unfriendly conditions, there is an excellent Perl module that provides good support for NTLM authentication.
Follow the steps given below for getting NTLM authentication working.
- Install/Configure mod_perl under Apache (and get it working, of course).
- Download the following files for doing NTLM authentication (these worked for us):
- For Fedora Core systems download the module from http://search.cpan.org/~speeves/Apache2-AuthenNTLM-0.02/AuthenNTLM.pm
- For Debian Linux systems, download the module from http://search.cpan.org/~speeves/Apache-AuthenNTLM-2.10
- Unpack, build and install the module:

tar xvfz Apache*AuthenNTLM*.tgz
cd Apache*AuthenNTLM*
perl Makefile.PL
make
make test
make install

- Add the following to your Apache configuration and restart your Apache server. The NTLM challenge/response handshake spans several requests on one TCP connection, so persistent connections must be enabled:

KeepAlive On
# Enable the Authentication module
PerlAuthenHandler Apache2::AuthenNTLM
# Do NTLM and basic authentication
AuthType ntlm,basic
# The name that should be displayed in the Auth box, if NTLM fails
AuthName OurCompany
# Ask for a valid user.
require valid-user
# domain pdc bdc
# Domain : Your windows domain
# pdc : Primary Domain Controller
# bdc : Backup Domain controller.
#
# Note : Multiple domains can be specified.
PerlAddVar ntdomain "OURDOMAIN domainpdc domainsdc"
# What should be the default domain
PerlSetVar defaultdomain OURDOMAIN
# The user names are in the form "OURDOMAIN\user_name". Let us split it.
PerlSetVar splitdomainprefix 1
# Set the debug variables
PerlSetVar ntlmdebug 0
# Let other authentication handlers try if NTLM fails
PerlSetVar ntlmauthoritative off

More documentation is available in the README file in the tarball or at the following link.
Once this is done, the domain user is populated as REMOTE_USER in the HTTP server's environment variables, from where any application can pick it up for authentication. Note that with splitdomainprefix enabled the domain part is dropped, so if several domains are configured, the same user name in two different domains ends up as the same REMOTE_USER.
Download, install, enable and configure the Webserver auth module and you should have a Drupal setup that seamlessly integrates into Windows AD-based networks.
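To make the connection-bound nature of the handshake (the reason KeepAlive must be on) and the effect of splitdomainprefix concrete, here is an added Python model of what an NTLM-aware Apache handler does per connection. It is example code written for this page, not part of Apache2::AuthenNTLM, Apache or Drupal; the class and function names are hypothetical, the Type 1/2/3 messages are constructed test data with empty LM/NT response fields, and the domain controller check is a stand-in callback rather than a real verification against the pdc/bdc.

```python
import base64
import os
import struct

# Fixed values from the NTLM message format (not page-specific)
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001


def _secbuf(data: bytes, offset: int) -> bytes:
    """NTLM 'security buffer' header: length, max length, payload offset."""
    return struct.pack("<HHI", len(data), len(data), offset)


def build_type1(flags: int = NEGOTIATE_UNICODE) -> bytes:
    """Client 'negotiate' message (constructed test data, empty payload)."""
    return (NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags)
            + _secbuf(b"", 32) + _secbuf(b"", 32))


def build_type2(challenge: bytes, flags: int = NEGOTIATE_UNICODE) -> bytes:
    """Server 'challenge' message carrying the 8-byte nonce (constructed)."""
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 2) + _secbuf(b"", 48)
            + struct.pack("<I", flags) + challenge + bytes(8) + _secbuf(b"", 48))


def build_type3(domain: str, user: str, workstation: str = "WS01") -> bytes:
    """Client 'authenticate' message. LM/NT response fields are left empty: this
    model only shows how the identity travels; the real module forwards the
    responses to the domain controller named in ntdomain for verification."""
    parts = [b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"),
             workstation.encode("utf-16-le"), b""]   # LM, NT, domain, user, ws, session key
    header = NTLMSSP_SIGNATURE + struct.pack("<I", 3)
    offset, payload = 64, b""                         # fixed header is 64 bytes
    for part in parts:
        header += _secbuf(part, offset)
        payload += part
        offset += len(part)
    return header + struct.pack("<I", NEGOTIATE_UNICODE) + payload


def parse_type3(msg: bytes):
    """Extract (domain, user) from a Type 3 message, bounds-checking each buffer."""
    if not msg.startswith(NTLMSSP_SIGNATURE) or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM Type 3 message")
    flags = struct.unpack_from("<I", msg, 60)[0]

    def field(pos: int) -> str:
        length, _max, off = struct.unpack_from("<HHI", msg, pos)
        if off + length > len(msg):
            raise ValueError("security buffer points outside the message")
        raw = msg[off:off + length]
        return raw.decode("utf-16-le") if flags & NEGOTIATE_UNICODE else raw.decode("ascii")

    return field(28), field(36)   # domain buffer at offset 28, user buffer at 36


class NtlmAuthenticator:
    """Per-connection handshake state, modelled on what the Apache handler keeps.
    `verify` is a hypothetical stand-in for the domain-controller check."""

    def __init__(self, verify, split_domain_prefix: bool = True):
        self.verify = verify
        self.split_domain_prefix = split_domain_prefix  # mirrors splitdomainprefix
        self._challenges = {}                           # connection id -> nonce

    def connection_closed(self, conn_id: str) -> None:
        self._challenges.pop(conn_id, None)             # state dies with the connection

    def handle(self, conn_id: str, authorization):
        """Return (status, WWW-Authenticate value or None, REMOTE_USER or None)."""
        if not authorization or not authorization.startswith("NTLM "):
            return 401, "NTLM", None                    # ask the client to start NTLM
        msg = base64.b64decode(authorization[5:])
        msg_type = struct.unpack_from("<I", msg, 8)[0]
        if msg_type == 1:
            nonce = os.urandom(8)
            self._challenges[conn_id] = nonce
            return 401, "NTLM " + base64.b64encode(build_type2(nonce)).decode(), None
        if msg_type == 3:
            nonce = self._challenges.pop(conn_id, None)
            if nonce is None:
                # No challenge on this connection: exactly what happens when KeepAlive
                # is off and the client sends its Type 3 on a fresh connection.
                return 401, "NTLM", None
            domain, user = parse_type3(msg)
            if not self.verify(domain, user, nonce, msg):
                return 401, "NTLM", None
            remote_user = user if self.split_domain_prefix else f"{domain}\\{user}"
            return 200, None, remote_user
        return 400, None, None


def run_handshake(keep_alive: bool, split_domain_prefix: bool = True):
    """Drive one client through the three-step exchange and return the outcome."""
    # Stand-in for the real DC check: accepts only the constructed test identity.
    server = NtlmAuthenticator(lambda d, u, nonce, msg: (d, u) == ("OURDOMAIN", "alice"),
                               split_domain_prefix)
    b64 = lambda m: "NTLM " + base64.b64encode(m).decode()
    conn = "conn-1"
    status, www_auth, _ = server.handle(conn, b64(build_type1()))
    assert status == 401 and www_auth.startswith("NTLM ")
    if not keep_alive:
        server.connection_closed(conn)                  # browser reconnects for step 3
        conn = "conn-2"
    status, _, remote_user = server.handle(conn, b64(build_type3("OURDOMAIN", "alice")))
    return status, remote_user


if __name__ == "__main__":
    print("KeepAlive On :", run_handshake(True))    # (200, 'alice')
    print("KeepAlive Off:", run_handshake(False))   # (401, None)
```

With keep-alive the Type 3 message lands on the connection that received the challenge and REMOTE_USER is set; without it the challenge state is gone and the client is sent back to step one, which is the endless 401 loop seen when KeepAlive is off. Passing split_domain_prefix=False shows the "OURDOMAIN\user" form that Drupal would see with splitdomainprefix unset.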
