I get a prompt for username and password (which I do not want anyway). It always falls into the if(!$auth_header) branch, although I follow the example exactly. Why can’t I just get the username from Windows?
It cannot find the headers; it cannot find the $_SERVER variable, although I added the domain to the safe zone.
Does my server need something extra? Why are those variables not available? Do I need to do anything in Windows to get those variables?
Also, how did you do it before? Did you use the Apache module for NTLM? Did that work?
If so, you could do a var_dump($_SERVER); to see if there are any variables set.
Or var_dump($GLOBALS); it may be that Apache put it in the environment and not in the server variables.
How do I check if PHP is running as an Apache module? I’m not sure about that.
And I didn’t do it before; it’s a new thing I have to create inside an intranet that I delivered a piece of PHP software for, and this is just the next step. I’ve read that the Apache NTLM module just isn’t any good, but I didn’t check that myself.
We have investigated the issue and found a solution that you can use to enable SSO on Windows 7 systems.
To do it, please go to Local Security Policy > Security Settings > Local Policies > Security Options.
Select “Network security: LAN Manager authentication level” and change it to “Send LM & NTLM responses”.
(This is for Win7, by the way; I don’t know if you’re on that?)
PS: Don’t you just love this “security”? Just hide everything deep, deep down in the OS so no one can find it, and then we’ll call it secure.
Sure, it’s secure (maybe), but it’s no longer usable, which is also pretty important! Sigh. </rant>
I actually saw that page and found this one in the end.
I followed these steps:
Step 1: Log into the machine as an administrator.
Step 2: Click Start, then Control Panel, then Administrative Tools.
Step 3: In the left-hand pane, expand the ‘Local Policies’ tree and click on ‘Security Options’.
Step 4: In the right-hand pane, scroll down to ‘Network Security: LAN Manager Authentication Level’ and double-click it.
Step 5: A dialog with a drop-down box will appear. Select ‘Send LM & NTLM – use NTLMv2 session security if negotiated’.
Step 6: Click ‘OK’.
Logged off, logged on (everything using RDP, by the way); nothing changes in my variables. What should I expect to happen?
That AUTH_NAME or $_SERVER['HTTP_AUTHORIZATION'] should come up?
As far as I understand, the server doesn’t have to do anything; it’s up to the client to send the info. Do you maybe have another client you could test this with, just to see if the principle works?
Yup, you could try those, although I still think the problem lies with the client. Not sure, though.
Maybe you can install a network sniffer on the client to see what HTTP headers it’s sending to the server in the HTTP request? It should contain NTLM data; if not, that’s the problem.
Also note that this scheme is not an HTTP authentication scheme; it’s a connection authentication scheme which happens to (mis-)use HTTP status codes and headers (and even those incorrectly).
So NTLM is a classic M$ “let’s pile some crap on some other crap, wrap it in duct tape, and pray it works” kind of thing (like SMB, or the initial MSN Messenger).
This clarified something for me. You first need to send the WWW-Authenticate: NTLM header before it responds with those!
1: C --> S GET ...
2: C <-- S 401 Unauthorized
           WWW-Authenticate: NTLM
3: C --> S GET ...
           Authorization: NTLM <base64-encoded type-1-message>
4: C <-- S 401 Unauthorized
           WWW-Authenticate: NTLM <base64-encoded type-2-message>
5: C --> S GET ...
           Authorization: NTLM <base64-encoded type-3-message>
6: C <-- S 200 OK
I need to send an NTLM request first. So now I have this (without installing the above module): I can get the username in my script, but it always says
$auth['authorized'] == false
I’m not sure when and how it should set this to true, since the test script is clearly taking the correct login details.
If I ignore this variable, how do I get to know whether this user is actually granted permission through LDAP? I don’t have a password at all!
You need to provide your own implementation of the callback function get_ntlm_user_hash($user), which should return the MD4/Unicode hashed password of the requested $user. You can get that by doing mhash(MHASH_MD4, ntlm_utf8_to_utf16le("password")). You also need session_start(), as the script needs to persist challenge information across HTTP requests.
The function provided is just a mock example; you need to write your own.
As a start, I would put the username and password you're testing against in that array (the $userdb array, which is in the format username => password).
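The six-step exchange drawn above and the get_ntlm_user_hash() callback from the last reply, worked through end to end as an added example. This is not code from the thread or from the PHP library it discusses: the server side hands out a random challenge on the Type 1 message, keeps it in a dict that stands in for the PHP session, and verifies the Type 3 message against the stored MD4/UTF-16LE password hash; a small client side is included only so the handshake can be run offline. It assumes Unicode strings are negotiated and that the client answers with NTLMv2 (HMAC-MD5 over the server challenge and the client blob), which is what current Windows sends; the domain name, flag subset and test account are made up.

```python
"""Server-side NTLM-over-HTTP handshake with NTLMv2 verification. Added example, not the
thread's PHP library: assumes Unicode is negotiated, the client answers with NTLMv2 as
current Windows does, and a dict stands in for the PHP session that keeps the challenge
between requests. Domain name, flag subset and the test account are made up."""
import base64, hmac, os, struct, time

FLAGS = 0x1 | 0x4 | 0x200 | 0x800000  # UNICODE | REQUEST_TARGET | NTLM | TARGET_INFO
SERVER_DOMAIN = "EXAMPLE"             # constructed target name sent in the Type 2 message

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks md4 under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rot = lambda x, n: ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n))) & 0xFFFFFFFF
    h, bits = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476], len(data) * 8
    data += b'\x80' + b'\x00' * ((55 - len(data)) % 64) + struct.pack('<Q', bits)
    for off in range(0, len(data), 64):
        X, (a, b, c, d) = struct.unpack('<16I', data[off:off + 64]), h
        for i in range(16):
            a, b, c, d = d, rot(a + F(b, c, d) + X[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):
            a, b, c, d = d, rot(a + G(b, c, d) + X[(i % 4) * 4 + i // 4] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
            a, b, c, d = d, rot(a + H(b, c, d) + X[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack('<4I', *h)

def ntlm_hash(password: str) -> bytes:
    return md4(password.encode('utf-16-le'))  # NT hash: what get_ntlm_user_hash() must return

def ntlmv2_hash(nt_hash: bytes, user: str, domain: str) -> bytes:
    return hmac.new(nt_hash, (user.upper() + domain).encode('utf-16-le'), 'md5').digest()  # NTOWFv2

def _fields(parts, header_len):
    """NTLM security buffers (len, maxlen, offset) for payloads laid out after the header."""
    hdr, payload, off = b'', b'', header_len
    for p in parts:
        hdr, payload, off = hdr + struct.pack('<HHI', len(p), len(p), off), payload + p, off + len(p)
    return hdr, payload

def _buf(msg, at):  # payload that the security buffer at offset `at` points to
    ln, _, off = struct.unpack_from('<HHI', msg, at)
    return msg[off:off + ln]

def build_type2(challenge: bytes, domain: str) -> bytes:
    tname = domain.encode('utf-16-le')
    tinfo = struct.pack('<HH', 2, len(tname)) + tname + b'\0' * 4  # MsvAvNbDomainName, MsvAvEOL
    hdr, payload = _fields((tname, tinfo), 48)
    return (b'NTLMSSP\0' + struct.pack('<I', 2) + hdr[:8] + struct.pack('<I', FLAGS)
            + challenge + b'\0' * 8 + hdr[8:] + payload)

def verify_ntlmv2(nt_hash, user, domain, server_challenge, nt_response) -> bool:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob), compared in constant time."""
    if len(nt_response) <= 16: return False
    expect = hmac.new(ntlmv2_hash(nt_hash, user, domain), server_challenge + nt_response[16:], 'md5').digest()
    return hmac.compare_digest(nt_response[:16], expect)

def server_step(auth_header, session, user_db):
    """One request seen by the server -> (status, headers, user); user_db maps lowercase user -> NT hash."""
    reject = (401, {'WWW-Authenticate': 'NTLM'}, None)
    if not auth_header or not auth_header.startswith('NTLM '):
        return reject                                        # steps 1-2: demand NTLM
    msg = base64.b64decode(auth_header[5:])
    if len(msg) < 32 or msg[:8] != b'NTLMSSP\0': return reject
    mtype = struct.unpack_from('<I', msg, 8)[0]
    if mtype == 1:                                           # steps 3-4: answer Type 1 with a challenge
        session['challenge'] = os.urandom(8)
        t2 = base64.b64encode(build_type2(session['challenge'], SERVER_DOMAIN)).decode()
        return 401, {'WWW-Authenticate': 'NTLM ' + t2}, None
    if mtype == 3 and len(msg) >= 64 and 'challenge' in session:   # steps 5-6: check Type 3
        challenge = session.pop('challenge')                 # single use: a replayed Type 3 fails
        user, domain = _buf(msg, 36).decode('utf-16-le'), _buf(msg, 28).decode('utf-16-le')
        if (nt_hash := user_db.get(user.lower())) and verify_ntlmv2(nt_hash, user, domain, challenge, _buf(msg, 20)):
            return 200, {}, user
    return reject

def client_type3(type2: bytes, user: str, domain: str, password: str) -> bytes:
    """What the Windows client derives from the Type 2: NTLMv2 (and LMv2) responses."""
    challenge, tinfo = type2[24:32], _buf(type2, 40)
    v2, nonce = ntlmv2_hash(ntlm_hash(password), user, domain), os.urandom(8)
    filetime = struct.pack('<Q', int((time.time() + 11644473600) * 10_000_000))
    blob = b'\x01\x01' + b'\0' * 6 + filetime + nonce + b'\0' * 4 + tinfo + b'\0' * 4
    nt_resp = hmac.new(v2, challenge + blob, 'md5').digest() + blob
    lm_resp = hmac.new(v2, challenge + nonce, 'md5').digest() + nonce
    hdr, payload = _fields((lm_resp, nt_resp, domain.encode('utf-16-le'),
                            user.encode('utf-16-le'), b'', b''), 64)
    return b'NTLMSSP\0' + struct.pack('<I', 3) + hdr + struct.pack('<I', FLAGS) + payload

def run_handshake(user, domain, password, user_db):
    session = {}
    server_step(None, session, user_db)                      # 1: GET, 2: 401 WWW-Authenticate: NTLM
    t1 = 'NTLM ' + base64.b64encode(b'NTLMSSP\0' + struct.pack('<II', 1, FLAGS) + _fields((b'', b''), 32)[0]).decode()
    _, headers, _ = server_step(t1, session, user_db)        # 3: Type 1, 4: 401 with Type 2
    type2 = base64.b64decode(headers['WWW-Authenticate'][5:])
    t3 = 'NTLM ' + base64.b64encode(client_type3(type2, user, domain, password)).decode()
    status, _, who = server_step(t3, session, user_db)       # 5: Type 3, 6: 200 or 401
    return status, who

if __name__ == '__main__':
    db = {'alice': ntlm_hash('password')}                     # constructed test account
    print(run_handshake('Alice', 'EXAMPLE', 'password', db), run_handshake('Alice', 'EXAMPLE', 'wrong', db))
```

Two points the thread skirts around are visible here: the server never sees a password, only a proof keyed on the stored NT hash, so the callback has to return exactly MD4(UTF-16LE(password)) for the comparison to succeed; and the challenge must survive between request 4 and request 5 (the session) and be consumed on use, otherwise a captured Type 3 can be replayed. hmac.compare_digest keeps the comparison constant-time.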