I successfully configured NTLM authentication. Unfortunately the config allows semi-basic authorization. For example, when I'm using TortoiseSVN 1.8.4 (with the serf access lib), Chrome or IE web browsers, they authenticate with NTLM successfully without prompting for anything. In the log file I see authenticated users. Unfortunately when I'm using, for example, an unconfigured Firefox or Maxthon, those browsers prompt me for credentials. I don't need this, because the same situation occurs when I'm trying to access from an out-of-domain computer.
I'm using Windows Server as the domain controller, Windows 7/8 as the client systems, and Linux/Debian as the web server. I configured Kerberos from Linux to Windows AD, winbind for local NTLM authentication, and the Apache 2.2 series.
For the Apache authentication glue I use the mod_auth_ntlm_winbind.so apache2 module, and under the directory/location config the ntlm helper to communicate with winbind. This works properly;
example for Apache:
<Directory /var/www/>
# defaults for the main www directory
Options Indexes FollowSymLinks MultiViews
AllowOverride None
# modified: deny access from every IP for now; later add auth-less access from specified hosts
Order deny,allow
Deny from all
#Allow from IP/mask
# settings for NTLM auth with the winbind helper
AuthName "NTLM Authentication"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --domain=MY.WINDOWS.DOMAIN --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
Require valid-user
# because the IP rule is deny-all, let a request through when EITHER the host rule OR the user rule passes
Satisfy any
</Directory>
I hoped maybe I could do some redirection using the Apache AUTH_TYPE variable, so I added the following rewriting to the config above:
RewriteEngine on
RewriteRule ^ /cgi-bin/TestAuth.pl?DollarOne=1&AUTH_TYPE=%{AUTH_TYPE}&REMOTE_USER=%{REMOTE_USER}
And the example script TestAuth.pl as CGI content:
#!/usr/bin/perl
use strict;
use warnings;
use Data::Dumper; # easy way to print system variables
print "Content-type: text/plain\r\n"; # respecting the HTTP protocol: header line first
print "\r\n"; # blank line ends the headers
print "Environment contains:\r\n";
print "x\r\n";
print Data::Dumper->Dump([\@ARGV,\%ENV],[qw(ARGV ENV)]); # prints all script arguments and process environment variables
Unfortunately in all cases, with Windows-based NTLM auth and with prompted credentials, I always see that AUTH_TYPE is NTLM. Then there is no way to recognize what the browser does.
In that situation I can access from clients outside of the domain.
I tried to wrap the ntlm helper with strace. Unfortunately I don't see anything important in its dump across the four-way combination of successful/failed auth and access by IE (not prompted) and FF (prompted). I think the same situation occurs when the ntlm helper authenticates to a local Samba server, but I never tested this.
Now I'm trying to do some config with multiple auth types, Basic and NTLM. I try to do Basic first and filter it out with an always-fail and redirect it to an info page. Unfortunately for now without success with the NTLM mix 🙁 NTLM is always done first.
So does anybody have an idea how to prevent credential prompting? How to revoke access from prompted clients? How to recognize whether credentials come from a prompt or from the Windows client API?
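To make the behaviour of the <Directory> block above easier to reason about, here is an added example (not code from the question, Apache or mod_auth_ntlm_winbind) that models the Apache 2.2 access decision for that exact combination: Order deny,allow / Deny from all / an optional Allow from CIDR / Require valid-user / Satisfy any. The subnet and client addresses are constructed; it shows why, with no Allow line, every client that cannot send NTLM credentials silently gets a 401 challenge (the prompt), and that the server's view of a request never records whether the credentials were typed or passed through.

```python
"""Model of Apache 2.2 host + user access control as used in the question.

Added example, not Apache code: it reproduces the documented semantics of
Order deny,allow + Deny from all + Allow from + Require valid-user + Satisfy.
All addresses and subnets are constructed sample values.
"""
import ipaddress
from typing import Iterable, Optional


def host_allowed(client_ip: str, allow_cidrs: Iterable[str]) -> bool:
    """Order deny,allow with 'Deny from all': Allow entries are evaluated
    last, so a host passes only if some 'Allow from' entry matches it.
    With no Allow entries at all, every host is denied."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in allow_cidrs)


def decide(client_ip: str, remote_user: Optional[str],
           allow_cidrs: Iterable[str] = (), satisfy: str = "any") -> str:
    """Return the HTTP status Apache would produce for one request.

    remote_user is the identity mod_auth_ntlm_winbind established (AUTH_TYPE
    is 'NTLM' in every such case, whether the browser prompted or not), or
    None when the client has not completed an NTLM exchange.
    """
    by_host = host_allowed(client_ip, allow_cidrs)
    by_user = remote_user is not None          # Require valid-user
    if satisfy == "any":                       # Satisfy any: either rule is enough
        ok = by_host or by_user
    else:                                      # Satisfy all (Apache's default)
        ok = by_host and by_user
    if ok:
        return "200"
    if not by_user:
        # No usable credentials yet: 401 + WWW-Authenticate: NTLM. This is the
        # challenge that makes an off-domain or unconfigured browser prompt.
        return "401"
    return "403"                               # authenticated, but host rule failed


if __name__ == "__main__":
    internal = ("192.0.2.0/24",)               # constructed "trusted" subnet
    for ip, user, cidrs in [("203.0.113.5", None, ()),
                            ("203.0.113.5", "MYDOM\\alice", ()),
                            ("192.0.2.10", None, internal),
                            ("203.0.113.5", None, internal)]:
        print(ip, user, "->", decide(ip, user, cidrs))
```

Adding the commented-out Allow line for the internal subnet is what turns the third case into a 200 without any prompt; external clients still get the 401 challenge, which is the part no server-side check can suppress.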
Best Answer
Using NTLM authentication doesn't guarantee a credential-less login. If you have valid windows credentials that the server can recognize, you won't get a password prompt.
If the user doesn't have valid NTLM pass-through credentials, they will be prompted to provide them. It is in no way reverting to 'basic' authentication.
Unfortunately, there is no way to tell if a user provided the credentials or if they were passed-through by the system.
Perhaps ask a new question outlining what you want your users to experience (i.e. different sites for internal and external users) and someone may be able to help in a different way.