Apache2 NTLM Authentication on specific URL

apache-2.2directoryntlmsingle-sign-on

I have a problem.
I'm using Legrandin's NTLM Authentication Module PyAuthenNTLM2 with my Apache2 server.
It really works well and it was easy to install. I recommend it to everybody.

The authentication works perfectly fine. But I have a problem once POST-Requests are sent.
Everytime a POST is sent to the server, IE's annoying credentials prompt keeps appearing.
Even though I checked "Remember my Credentials". This is how I have it configured right now:

<Directory /var/www/>
            AuthType NTLM
            AuthName DOMAIN
            require valid-user

            PythonAuthenHandler pyntlm
            PythonOption Domain DOMAIN
            PythonOption PDC 123.45.67.89
            PythonOption BDC 123.45.67.89

            Options Indexes FollowSymLinks MultiViews
            AllowOverride All
            Order allow,deny
            allow from all
</Directory>

My question to you guys:

Is it possible to do the authentication only on one single URL?

For example: If a user access my page for the first time, the URL will be: http://domain.com/custom/login. This URL doesn't represent the directory though. It's just a controller of the Zend Framework.

Is this possible?

Best Answer

What you're looking to do is use the <Location> container, which maps URLs to options, like:

<Location /custom/login>
    ... options ...
</Location>

Related Solutions

Centos – WebDAV on CentOS – getting 403 error when attempt to upload

I recently struggled with the same problem on my Fedora 10 system. In my case the culprit was some odd redirection that I was doing in Apache. Specifically, I use a content management system (Drupal, to be exact) that within it's .htaccess includes the following redirection logic to redirect missing files to a PHP script:

# Rewrite URLs of the form 'x' to the form 'index.php?q=x'.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

It makes sense that the above only affects the PUT method since in that case REQUEST_FILENAME does not exist.

Not having the WebDAV area inside of the Drupal area, which seems like a reasonable constraint, fixes the problem.

Also, I think it is likely that SELinux would result in a different error, but it's not mentioned in the discussion above. Did you try disabling SELinux?

How to investigate windows network lockouts related to Outlook Exchange Server authentication

We had issues with account lockouts in a large org I worked for in the past.

What I did (as a member of the IT org) was to build a script which sat on the PDC (now PDC emulator). Whenever an account is locked out, this domain controller registers an Event ID # 644 (4740 on Windows Server 2008) in the Security log. The event also includes the name of the client machine which attempted the last logon with improper password. So my script polled the Security Log every 5 minutes and posted this data to a web page which was accessible to the Help Desk.

Once we had this, it was a trivial matter to change Help Desk's workflow to check that page whenever they got an account lockout issue, then help the user discover what it was on that machine which had caused the lockout. As you note in your blog article, the culprit is usually some second machine where the user had forgotten that they were logged on when they changed their password from their primary machine. Usually that second machine would be running Outlook, or have a drive mapped via the user's (now out of date) credentials.

And when Help Desk had lulls in their day, they could proactively check this web page and resolve issues for people who didn't yet know they'd been victims of account lockout.

If there is interest in this script, I could dig it out, dust it off, and post it here.

Related Topic