Last updated November 2, 2012. Created by mahendra on January 14, 2006.
Edited by skessler, richardhayward, Amazon.
NTLM is a proprietary (and not so good) protocol for deploying Single Sign On in predominantly Windows-oriented networks (our company network included). NTLM sits on top of HTTP, so users who are logged on to the Windows Active Directory network can transparently log on to web services using their Microsoft Windows credentials (and thereby have Single Sign On). Getting IIS servers working with NTLM is easy (as it should be), but traditionally Apache servers have had problems doing this.
This document explains how to get NTLM authentication working in Drupal in Linux + Apache boxes.
There are various methods for getting NTLM authentication working in Apache.
- mod_ntlm - This is an Apache module which adds NTLM support to Apache. However, this module is not very actively maintained, and getting it compiled and running on various Apache versions (and various distributions) is a herculean task. To top it off, the compilation throws out a lot of warnings, and one tends to feel uncomfortable with it.
- mod_ntlm_winbind - For boxes that have Winbind (1, 2) configured, this module can be configured to provide NTLM authentication for Apache. However, this module is still under development and is not well tested.
However, for people working in such unfriendly conditions, there is an excellent Perl module that provides good support for NTLM authentication.
Follow the steps given below for getting NTLM authentication working.
- Install and configure mod_perl under Apache (and get it working, of course).
- Download the following files for doing NTLM authentication (the following files worked for us):
  - For Fedora Core systems, download the module from http://search.cpan.org/~speeves/Apache2-AuthenNTLM-0.02/AuthenNTLM.pm
  - For Debian Linux systems, download the module from http://search.cpan.org/~speeves/Apache-AuthenNTLM-2.10
- Install the module:
  tar xvfz Apache*AuthenNTLM*.tgz
  cd Apache*AuthenNTLM*
  perl Makefile.PL
  make
  make test
  make install
- Edit the Apache configuration and enable KeepAlive (NTLM authenticates the TCP connection rather than each request, so the multi-step handshake only works when the connection is kept open):
  KeepAlive On
  Restart your Apache server.
- Configure Apache to do the authentication. For example, in .htaccess add:
# Enable the Authentication module
PerlAuthenHandler Apache2::AuthenNTLM
# Do NTLM and basic authentication
AuthType ntlm,basic
# The name that should be displayed in the Auth box, if NTLM fails
AuthName OurCompany
# Ask for a valid user.
require valid-user
# domain pdc bdc
# Domain : Your windows domain
# pdc : Primary Domain Controller
# bdc : Backup Domain controller.
#
# Note : Multiple domains can be specified.
PerlAddVar ntdomain "OURDOMAIN domainpdc domainsdc"
# What should be the default domain
PerlSetVar defaultdomain OURDOMAIN
# The user names are in the form "OURDOMAIN\user_name". Let us split it.
PerlSetVar splitdomainprefix 1
# Set the debug variables
PerlSetVar ntlmdebug 0
PerlSetVar ntlmauthoritative off
More documentation is available in the accompanying README file in the tarball or the following link.
Once this is done, the domain user is populated as REMOTE_USER in the HTTP server variables, which can be picked up by any application for doing authentication.
- Now we need to enable Drupal to pick up this user id and automatically create a user. Once NTLM authentication is working, the user id is available as REMOTE_USER, and the Webserver Auth module can use this variable to automatically log the user in.
Download, install, enable and configure the Webserver Auth module and you should have a Drupal setup which seamlessly integrates into Windows AD based networks.
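The following is an added example of how an application should consume the REMOTE_USER value that the handler above sets; it is not code from Apache2::AuthenNTLM or from Drupal's Webserver Auth module. It assumes the allow list of domains mirrors the ntdomain setting, that the default domain mirrors defaultdomain, and that the value may arrive either as "user" (splitdomainprefix 1) or as "DOMAIN\user" (splitdomainprefix 0). The character class accepted for names is a conservative choice made here, not something the module enforces.

```perl
#!/usr/bin/perl
# Added example (not AuthenNTLM's or Drupal's code): validate and normalise
# the REMOTE_USER value set by the web server before an application acts on it.
use strict;
use warnings;

# Domains whose accounts we accept (assumption: same list as "ntdomain").
my %ALLOWED_DOMAIN = map { lc($_) => 1 } qw(OURDOMAIN);
# Domain assumed when the prefix was split off (assumption: same as "defaultdomain").
my $DEFAULT_DOMAIN = 'OURDOMAIN';

# Returns the canonical "domain\user" string the application may act on,
# or undef when the value must be rejected.
# $env is the server's CGI-style variable hash (%ENV under mod_perl or CGI).
# REMOTE_USER is set by Apache only after the auth handler succeeded; it must
# never be taken from a client-controlled header such as X-Remote-User.
sub canonical_account {
    my ($env) = @_;
    my $raw = $env->{REMOTE_USER};
    return undef unless defined $raw && length $raw;

    # With "splitdomainprefix 1" the value is just "user"; with 0 it is
    # "DOMAIN\user". Accept both forms and nothing else (no '/', '@', spaces).
    my ($domain, $user) = $raw =~ /\A(?:([A-Za-z0-9._-]+)\\)?([A-Za-z0-9._-]+)\z/
        or return undef;
    $domain //= $DEFAULT_DOMAIN;

    # Refuse accounts from domains the handler was not configured to trust.
    return undef unless $ALLOWED_DOMAIN{ lc $domain };

    # AD logon names are case-insensitive: "JSmith" and "jsmith" are one
    # account, so normalise before it becomes a Drupal user name.
    return lc($domain) . '\\' . lc($user);
}

# Constructed sample values, not real accounts.
for my $sample ('OURDOMAIN\\JSmith', 'jsmith', 'OTHER\\jsmith', 'j smith', '') {
    my $acct = canonical_account({ REMOTE_USER => $sample });
    printf "%-22s -> %s\n", "'$sample'", defined $acct ? $acct : 'rejected';
}
```

The two accepted samples both normalise to ourdomain\jsmith; the foreign domain, the value containing a space, and the empty value are rejected. Lower-casing matters because Drupal treats user names as distinct strings while Active Directory does not, so without it one AD account could end up owning two Drupal accounts.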
Comments
Apache hangs up after refresh page many times quickly
I am using Apache2::AuthenNTLM 0.2 doing authentication with Windows AD on a Linux server for our intranet. And I got feedback that the httpd server hangs up randomly very often. It can be reproduced by refreshing a page many times very quickly. After digging into the code of AuthenNTLM.pm and hundreds of tests that indicated it is not an Apache, PHP, network or server fault, I found the problem. This happens when the module wants to destroy the semaphore when the server is busy. The author was using
sub DESTROY{
......
$self->{sem}->op(0, -1, SEM_UNDO);
......
}
I do not know why it will hang up. After I changed it to
sub DESTROY{
......
$self->{sem}->remove;
......
}
It never hangs up. Hope it is helpful.
Better Fix Is...
$self->{sem}->op(0, -1, IPC_NOWAIT)
You do not want the decrement to be undone when the process exits. And if, for any reason, the semaphore count is already zero when DESTROY() is called, you do not want to block until some other process increments it. You just want to return anyway.
The problem with calling remove() is that any other process waiting for the semaphore will see that as an error and fail the authentication. The user can be affected (blocked in another process/thread).
Incidentally, the lock() method just above this can be changed to this:
$self->{sem}->op(0, 0, 0, 0, 1, SEM_UNDO)
It makes no sense to "undo" waiting for the semaphore. It is correct that you want the semaphore freed, if you exit without explicitly doing so.
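As an added example (not code from AuthenNTLM.pm or from either commenter), the script below reproduces the wait-for-zero lock the two comments above discuss on a private SysV semaphore and shows both points: releasing with IPC_NOWAIT returns EAGAIN on an already-free lock instead of blocking, and releasing with remove() makes a process that is waiting for the lock fail with EIDRM. The lock_sem and unlock_sem names and the 0 = free / 1 = held convention are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example, not AuthenNTLM's own code: a minimal wait-for-zero lock on a
# SysV semaphore, demonstrating (a) release with IPC_NOWAIT and no SEM_UNDO,
# and (b) why remove() is the wrong way to release (waiters get EIDRM).
use strict;
use warnings;
use Errno qw(EAGAIN EIDRM);
use IPC::SysV qw(IPC_PRIVATE IPC_CREAT IPC_NOWAIT SEM_UNDO S_IRUSR S_IWUSR);
use IPC::Semaphore;

# One semaphore in the set; value 0 = free, 1 = held (assumed convention).
my $sem = IPC::Semaphore->new(IPC_PRIVATE, 1, IPC_CREAT | S_IRUSR | S_IWUSR)
    or die "semget failed: $!";
$sem->setval(0, 0) or die "setval failed: $!";

sub lock_sem {
    my ($s) = @_;
    # Wait until the value is 0, then raise it to 1. Only the increment
    # carries SEM_UNDO: if the holder dies, the kernel drops it back to 0.
    # Undoing the wait-for-zero itself would be meaningless, so it gets no flag.
    return $s->op(0, 0, 0,   0, 1, SEM_UNDO);
}

sub unlock_sem {
    my ($s) = @_;
    # Lower the value back to 0. IPC_NOWAIT: if it is already 0, fail at once
    # with $! == EAGAIN instead of sleeping until some other process raises it.
    # No SEM_UNDO here: the release must not be reverted when we exit.
    return $s->op(0, -1, IPC_NOWAIT);
}

# (a) acquire, release, then release again on an already-free lock
lock_sem($sem)   or die "lock: $!";
printf "after lock   value=%d\n", $sem->getval(0);   # 1
unlock_sem($sem) or die "unlock: $!";
printf "after unlock value=%d\n", $sem->getval(0);   # 0
if (!unlock_sem($sem) && $! == EAGAIN) {
    print "second unlock returned EAGAIN instead of hanging\n";
}

# (b) a waiter sees remove() as an error
lock_sem($sem) or die "lock: $!";          # parent now holds the lock
defined(my $pid = fork) or die "fork: $!";
if ($pid == 0) {
    # child: blocks in lock_sem until the parent releases or removes the set
    exit(lock_sem($sem) ? 0 : ($! == EIDRM ? 2 : 1));
}
sleep 1;                                   # give the child time to block
$sem->remove;                              # what the first comment's change does
waitpid($pid, 0);
my $status = $? >> 8;
print $status == 2 ? "waiter failed with EIDRM after remove()\n"
                   : "waiter exited with status $status\n";
```

Run it as an ordinary user on a Linux box; it needs no Apache. The blocking variant from the original DESTROY (op(0, -1, SEM_UNDO) with no IPC_NOWAIT) is deliberately not called in part (a), because on an already-free lock it would sleep forever, which is exactly the hang the first comment reports.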
Support for NTLM2 (PyAuthenNTLM2)
I have used AuthenNTLM for a long time, but recently I discovered that it does not work for clients that run Windows Vista or any other more recent MS OS (Windows 7, Windows 2008, and so forth) because the default protocol switched from NTLMv1 to NTLMv2. Such a setting is pretty well hidden and it can only be changed if one has admin rights, but it's fair to say that NTLMv2 is way more secure than NTLMv1, so any reason for killing NTLMv1 is a good one.
Unfortunately, AuthenNTLM is not actively maintained and to me it did not seem very easy to make it work with NTLMv2.
I have therefore created a new Apache module that does exactly the same thing, but works with any NTLM version. You can find it here: http://github.com/Legrandin/PyAuthenNTLM2 .
It's based on Python rather than Perl, and it can still be used by a machine that does not belong to the Windows domain. Any feedback is appreciated.
Apache conf?
Hi legrandin, thanks for the great work on PyAuthenNTLM2..
I'm trying to set up ldap_sso on D7 as explained here
How did you setup your Apache conf?
I'm not able to authenticate setting the location tag on /user/login/sso..