Firefox fails to pass ntlm to apache2 running authenntlm on Centos 5.1

apache-2.2firefoxntlmsingle-sign-on

We are trying to get an application server that is running apache2 on centos 5.1 to use NTLM to provide SSO to a number of applications.

We can get SSO to work with IE, however SSO fails with firefox. We have updated the NTLM trust entry in about:config in firefox. However this still fails.

Our current apache config looks like this:

Alias /someapp "/opt/someapp/public"

<Directory "/opt/someapp/public/">
   PerlAuthenHandler Apache2::AuthenNTLM
   AuthType ntlm,basic
   AuthName Basic
   require valid-user
   PerlAddVar ntdomain "MYDOMAIN primayad backupad"
   PerlSetVar defaultdomain MYDOMAIN
   PerlSetVar fallbackdomain MYDOMAIN
   PerlSetVar splitdomainprefix  1
   AllowOverride All
   Order allow,deny
   Allow from all
   PerlSetVar ntlmdebug 3
   #PerlSetVar ntlmauthoritative off
   PerlsetVar basicauth off
</Directory>

Any ideas why this would work for IE, but firefox gets a dialog box prompting for user authentication??

Thanks,

Grant

Best Answer

That is because by default IE does global NTLM authentication, Firefox went the other way and only attempts NTLM authentication when it is explicitly configured to do so and otherwise ignores SPNEGO challenges.

You need to open about:config in Firefox and filter to find network.automatic-ntlm-auth.trusted-uris which by default will have no values. You need to put in hostnames that match the hosts you want to perform NTLM authentication. I've read other sites that suggest putting fully qualified URLs but I've been fine using .domain.example.com for our internal Active Directory domain controlled hosts.

One caveat is that this will work for Firefox on a Windows machine but I have not had it succeed on a Linux machine even with it being joined to the AD domain as a member.

Related Solutions

Centos – WebDAV on CentOS – getting 403 error when attempt to upload

I recently struggled with the same problem on my Fedora 10 system. In my case the culprit was some odd redirection that I was doing in Apache. Specifically, I use a content management system (Drupal, to be exact) that within it's .htaccess includes the following redirection logic to redirect missing files to a PHP script:

# Rewrite URLs of the form 'x' to the form 'index.php?q=x'.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

It makes sense that the above only affects the PUT method since in that case REQUEST_FILENAME does not exist.

Not having the WebDAV area inside of the Drupal area, which seems like a reasonable constraint, fixes the problem.

Also, I think it is likely that SELinux would result in a different error, but it's not mentioned in the discussion above. Did you try disabling SELinux?

Apache2::AuthenNTLM connects to Domain controller but does not authenticate

You do not say which sort of client you use, but once I experienced the same behavior, and it turned out to be related to the new default NTLM client settings in Windows 7.

Older versions of Windows use NTLMv1. Since NTLMv1 can be cracked in minutes, Microsoft has switched to NTLMv2 in Vista. Unfortunately, AuthenNTLM is quite old and unmaintained and it won't correctly relay the new NTLM messages to and from the Active Domain controller. The slightly surprising part was that it did not actually matter what browser I used: all (IExplorer, Firefox, Chrome) apparently used the OS facilities to handle the NTLM messages...

The solution for me was to write from scratch PyAuthenNTLM2 (another module for Apache), because the server was not part of the domain and AuthenNTLM was the only option (modntlm would simply not compile). PyAuthenNTLM2 handles both NTLMv1 and NTLMv2, but is based on mod-python, not on Perl.

Several sites on the web suggest to tweak a (fairly well hidden) security setting in the client OS so that the old NTLMv1 will be used, but I would steer away from that. NTLMv1 is simply totally insecure by today's standards.

Best Answer

Related Solutions

Centos – WebDAV on CentOS – getting 403 error when attempt to upload

Apache2::AuthenNTLM connects to Domain controller but does not authenticate

Related Topic