FW: NTLM module and POST

2002-11-03 Thread Kaye-Smith Adam

I know it has been a while since this thread was active but I am also
having the problem with posted variables being lost, and it is also
consistent with the problems below, i.e. if I wait 15 sec (the keepalive
setting) then the variables are posted OK.

I took the script that you posted (which I have included again below) and
I could recreate the problem with this script.


Have tested this on IE 5.50.4522 running on Windows 2000 Terminal Server
and on IE 5.50.4522 running on Windows 2000 Professional.

I do not have the problem with Mozilla or Netscape.



Regards,


Adam Kaye-Smith
 


#!/usr/bin/perl
# Echo form: print every submitted parameter in a table, then show the form again.
use strict;
use CGI;
my $q = new CGI;

print "Content-type: text/html\n\n";

print q{
<html>
<body>
<table>
};

foreach ($q->param)
{
    # escapeHTML keeps a submitted value from being rendered as markup
    print "<tr><td>", $q->escapeHTML($_), "</td><td>",
          $q->escapeHTML($q->param($_)), "</td></tr>\n";
}

print q{
</table>

<form method=post>

foo: <input type=text name=foo><br>
bar: <input type=text name=bar><br>

<input type=submit>

</form>
</body>
</html>
};




 
> > So doing two POSTs shortly after each other fails. Does this fail
> > every time or only sometimes?
>
> Every time. I have tested this again and again and each time I try to
> POST within 15 seconds of making *any* other request (POST or not) I lose
> the POST data. I checked the Apache config and sure enough the
> KeepAliveTimeout is set to 15.

I still don't get the problem here...

Can you try the attached very simple form. Do you get the same error when
you POST this form? If not, try to find out what is different with your
form.

Gerald




The information in this e-mail together with any attachments is
intended only for the person or entity to which it is addressed
and may contain confidential and/or privileged material.

Any form of review, disclosure, modification, distribution
and/or publication of this e-mail message is prohibited.  

If you have received this message in error, you are asked to
inform the sender as quickly as possible and delete this message
and any copies of this message from your computer and/or your
computer system network.  
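Gerald asks for a way to reproduce the problem. The script below is an added example, not code from the thread, that automates the check against the echo form above: it posts twice back to back on one persistent connection and once more after the KeepAlive window has passed, and reports which POSTs came back with their fields intact, so the symptom can be re-checked after every configuration or module change instead of by hand in IE. It assumes the echo CGI is installed at the URL given on the command line, and, for a directory protected by AuthenNTLM, that LWP's NTLM support (Authen::NTLM) is installed and the user name is given as DOMAIN\user.

```perl
#!/usr/bin/perl
# Added example, not code from the thread.  Posts to the echo form three
# times (twice back to back on one persistent connection, once after the
# KeepAlive window has passed) and reports which POSTs came back with
# their fields intact.
# Assumptions: the echo CGI is installed at the URL given on the command
# line; if that URL is behind AuthenNTLM, LWP's NTLM support (Authen::NTLM)
# is installed and the user name is given as DOMAIN\user.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);
use URI;

my $url = shift @ARGV
    or die "usage: $0 http://host/path/echo.cgi [DOMAIN\\user password]\n";
my ($user, $pass) = @ARGV;
my $pause = 16;    # one second more than the KeepAliveTimeout seen in the thread

my $ua = LWP::UserAgent->new(keep_alive => 1);   # reuse one TCP connection
$ua->credentials(URI->new($url)->host_port, '', $user, $pass) if defined $user;

# Post the given fields and verify each one is echoed back in the table
# the form prints.  Returns true when nothing was lost.
sub post_and_check {
    my ($label, %fields) = @_;
    my $res  = $ua->request(POST $url, [%fields]);
    my $html = $res->content;
    my @lost = grep { $html !~ m{<td>\Q$_\E</td><td>\Q$fields{$_}\E</td>} }
               sort keys %fields;
    printf "%-30s HTTP %s  %s\n", $label, $res->code,
        @lost ? "LOST: @lost" : 'all fields echoed';
    return @lost ? 0 : 1;
}

my @ok;
push @ok, post_and_check('POST #1 (new connection)',  foo => 'one',   bar => 'two');
push @ok, post_and_check('POST #2 (same connection)', foo => 'three', bar => 'four');
sleep $pause;
push @ok, post_and_check("POST #3 (after ${pause}s)",  foo => 'five',  bar => 'six');

exit((grep { !$_ } @ok) ? 1 : 0);   # non-zero when any POST lost data
```

If the check fails only while AuthenNTLM is in the PerlAuthenHandler chain, also make sure nothing in the authentication phase reads the request body: in mod_perl 1 `$r->content` consumes the body, so a debugging line like the one Adam mentions later in the thread must not be left in a handler that runs before the CGI script, or the script itself will see an empty POST.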





Re: NTLM module and POST

2002-10-29 Thread Kaye-Smith Adam


Re: NTLM module and POST

2002-09-12 Thread Mark Holland

Hi Gerald, 

I have been having exactly the same problems. My set up is:
IE 5.5, SP2 (I also have tried with IE6 -same problem)
NT 4.0 SP6
Webserver: Apache 1.3.26 running on Solaris 8.

At first I was using Apache::AuthenNTLM 0.14 and I couldn't get any POSTs to 
go through, after I upgraded to 0.21 about 1 in 5 POSTs fail. 

I did read somewhere that IE doesn't handle POST in certain circumstances
under HTTP/1.1, however trying to force a downgrade to 1.0 causes the
request to hang when AuthenNTLM tries to send back the NTLM header.

Unfortunately this machine is trapped behind a firewall so I can't set up an
environment for you to reproduce the error, however if you need any further
info I'd be happy to help.

Thanks for your help (and a promising module ;) ),
Mark 

 

 --
Mark Holland
[EMAIL PROTECTED]
http://www.thinkfoo.com/



RE: NTLM module

2002-09-11 Thread Harnish, Joe





True, it will be awesome if it can be fixed. But to get Adam going he can implement some sort of sessions (which he already has), use $r->headers_out->set(Connection => 'close'); (to force a new connection), and a whole lot of duct tape.

I think I may tweak that patch I sent you to be able to add in any type of session state maintaining modules (Cookies, Apache::Session, etc). I am looking forward to your feedback. 

Do you know if this is still an issue with Apache 2.0? I was planning on trying it to see what happens but haven't gotten a box setup with Apache 2.0 and mod_perl yet. 

Joseph 


-Original Message-
From: Gerald Richter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 11, 2002 12:29 AM
To: Harnish, Joe; 'Kaye-Smith Adam'
Cc: [EMAIL PROTECTED]
Subject: Re: NTLM module










Re: NTLM module and POST

2002-09-11 Thread Gerald Richter

Hi,

I just tried AuthenNTLM and POST and it works for me.

I would like to be able to reproduce the problem here to create the right
fix. I am using IE 5.5 SP2. Does the POST problem occur always, or only
sometimes, or only with some browsers or OSs?

Gerald

P.S. Adding some kind of cookie based auth to save the way to the SMB server
for every new connection might make sense, but first I'd like to get the POST
working without having to close the KeepAlive connection.

-
Gerald Richter    ecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting

Post:   Tulpenstrasse 5 D-55276 Dienheim b. Mainz
E-Mail: [EMAIL PROTECTED]  Voice: +49 6133 925131
WWW:    http://www.ecos.de  Fax:   +49 6133 925152
-







RE: NTLM module

2002-09-10 Thread Harnish, Joe





Adam,


I am not sure if you have resolved this issue. I have had the same issue with our system where post data would disappear. I ended up creating a cookie add-on module for Apache::AuthenNTLM that would write a cookie once authenticated and use that before re-authenticating them. This allowed me to lower the keepalive timeout setting and has almost completely eliminated this loss of data. I created it for a semi-friendly environment so the security is somewhat lacking. If you would like to take a look at it I can send you the code. I have not tried the latest version of AuthenNTLM yet, but it should still work.

Joseph Harnish




-Original Message-
From: Kaye-Smith Adam [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 02, 2002 9:48 PM
To: Gerald Richter
Cc: [EMAIL PROTECTED]
Subject: RE: NTLM module














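Joe's cookie add-on is described above but not posted, and Gerald holds it back because its security is lacking. The following is an added example, not Joe's module and not part of Apache::AuthenNTLM, of the same idea with the pieces that make a cached authentication safe to honour from any httpd process: the cookie carries an HMAC over the user name, an expiry time and the client address, so it can neither be forged nor extended, and it expires after ten minutes. It is written for mod_perl 1 and assumes that Apache::AuthenNTLM's handler can be called as Apache::AuthenNTLM->handler($r) and sets $r->connection->user on success (check this against the installed version), that Digest::SHA is available, and the two PerlSetVar names NTLMCacheSecretFile and NTLMCacheSecureCookie, which are invented here.

```perl
package My::NTLMCookieCache;
# Added example, not code from the thread, from Joe's add-on, or from
# Apache::AuthenNTLM.  Caches a completed NTLM authentication in a signed,
# expiring cookie so that the next request, whichever httpd process and TCP
# connection it lands on, is accepted without another SMB round trip.
#
#   PerlAuthenHandler My::NTLMCookieCache                     # instead of Apache::AuthenNTLM
#   PerlSetVar NTLMCacheSecretFile /etc/httpd/ntlmcache.key   # random bytes, mode 0600
#   PerlSetVar NTLMCacheSecureCookie 1                        # when the site is served over https
#
# Assumptions: Apache::AuthenNTLM can be invoked as the method-style
# Apache::AuthenNTLM->handler($r) and sets $r->connection->user on success;
# Digest::SHA (core since Perl 5.10) is available.
use strict;
use warnings;
use Apache::Constants qw(OK DECLINED);
use Apache::AuthenNTLM ();
use Digest::SHA qw(hmac_sha256_hex);

my $COOKIE = 'ntlmcache';   # cookie name chosen for this example
my $TTL    = 600;           # seconds a cached authentication stays valid
my $secret;                 # read once per httpd child

sub secret {
    my ($r) = @_;
    return $secret if defined $secret;
    my $file = $r->dir_config('NTLMCacheSecretFile')
        or die "PerlSetVar NTLMCacheSecretFile is required";
    open my $fh, '<', $file or die "cannot read $file: $!";
    local $/;
    $secret = <$fh>;
    close $fh;
    die "$file is empty" unless defined $secret && length $secret;
    return $secret;
}

# The MAC covers user, expiry and client address, so a cookie cannot be
# forged, extended, or replayed from another host while it is unexpired.
sub mac {
    my ($r, $user, $exp) = @_;
    return hmac_sha256_hex(join("\0", $user, $exp, $r->connection->remote_ip), secret($r));
}

sub make_cookie {
    my ($r, $user) = @_;
    my $exp   = time + $TTL;
    my $value = join ':', $user, $exp, mac($r, $user, $exp);
    my $attrs = '; path=/; HttpOnly';
    $attrs .= '; Secure' if $r->dir_config('NTLMCacheSecureCookie');
    return "$COOKIE=$value$attrs";
}

# Returns the cached user name, or undef if there is no valid cookie.
sub user_from_cookie {
    my ($r) = @_;
    my $hdr = $r->header_in('Cookie') or return undef;
    my $value;
    for my $pair (split /;\s*/, $hdr) {
        $value = $1 if $pair =~ /^\Q$COOKIE\E=(.*)$/;
    }
    return undef unless defined $value;
    my ($user, $exp, $got) = split /:/, $value, 3;
    return undef unless defined $got && $exp =~ /^\d+$/ && $exp > time;
    return undef unless $user =~ /^[\w.\\-]+$/;      # DOMAIN\user or plain user
    my $want = mac($r, $user, $exp);
    return undef unless length($got) == length($want);
    my $diff = 0;                                     # constant-time comparison
    $diff |= ord(substr($got, $_, 1)) ^ ord(substr($want, $_, 1)) for 0 .. length($want) - 1;
    return $diff ? undef : $user;
}

sub handler ($$) {
    my ($class, $r) = @_;
    return DECLINED unless $r->is_initial_req;   # subrequests reuse the main result

    my $cached = user_from_cookie($r);
    if (defined $cached) {
        $r->connection->user($cached);            # what AuthenNTLM would have set
        return OK;                                # no challenge, no SMB query
    }
    # No valid cookie: run the real challenge/response and, on success, hand
    # the browser a cookie for its following requests and connections.
    my $rc = Apache::AuthenNTLM->handler($r);
    if ($rc == OK && defined $r->connection->user) {
        $r->err_headers_out->add('Set-Cookie' => make_cookie($r, $r->connection->user));
    }
    return $rc;
}

1;
```

Once the cookie is accepted, the user is whoever holds it for the next $TTL seconds, so it must travel only over HTTPS (set NTLMCacheSecureCookie so the Secure flag is added) and the lifetime should stay short. Binding to remote_ip helps against a cookie copied to another machine but does nothing between users behind one NAT or proxy address, where the expiry is the only protection. Lowering KeepAliveTimeout, as Joe did, then costs no extra SMB round trips, because a new connection is authenticated from the cookie rather than by a fresh challenge/response.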






Re: NTLM module

2002-09-10 Thread Gerald Richter

> I am not sure if you have resolved this issue.

The POST issue is still on my todo list.

> I have had the same issue with our system where post data would
> disappear. I ended up creating a cookie add-on module for
> Apache::AuthenNTLM that would write a cookie once authenticated and use
> that before re-authenticating them. This allowed me to lower the
> keepalive timeout setting and has almost completely eliminated this loss
> of data.

Since it works with IIS, there should be an official way to do it. I have to
investigate it.

> I created it for a semi-friendly environment so the security is somewhat
> lacking.

That's the reason why I didn't include your patch so far in AuthenNTLM, but
I have to go over it in more detail and will send you feedback then.

Gerald








Re: NTLM module

2002-09-03 Thread Gerald Richter


> When we go to several httpd processes, it appears that the response to one
> request from a browser, which may be made up of many files that need to
> be sent back, can be handled by any of the httpd processes
> (which is ok by itself), but when this occurs a password request (and
> perhaps an SMB query) is made for each of the httpd processes.

Exactly one SMB query for each httpd process per KeepAlive connection (which
can serve many requests).

> The httpd
> processes appear to operate independently of each other, unless the
> browser sends all its requests down the one TCP channel.

Yes, that's true.

> I have started to add to the code to log authentications to disc, so
> that each httpd process can also reference this disc file to verify if
> it has authenticated a user beforehand from another process.

I remember there is a module called Apache::AuthenCache (or similar). I
never have used it, but it does similar things. Maybe it would be useful
for you.

> I hope I am going about this the right way..

As far as I can see caching works only if you are using Basic Authentication;
NTLM authentication (i.e. what IE does when it authenticates with the
currently logged in user automatically) cannot be cached.

> My more immediate problem is that I am currently losing the contents of
> posted variables in a request packet whenever I use the AuthenNTLM
> module,

I have heard of a similar problem, but I need to investigate it more,
before I can say anything.

Gerald

P.S. A new release of Apache::AuthenNTLM will be soon available









RE: NTLM module

2002-09-02 Thread Kaye-Smith Adam

Hello Gerald,


I believe I am on top of my issues with NTLM. Everything seems to work
fine when httpd is in single user mode as the one process has an
understanding of what has been authenticated beforehand and whether it
needs to re-authenticate subsequent requests from the same browser/user,
i.e. with the request for one page there may be many items that need to be
sent by the server (images, html, etc).


When we go to several httpd processes, it appears that the response to one
request from a browser, which may be made up of many files that need to
be sent back, can be handled by any of the httpd processes
(which is ok by itself), but when this occurs a password request (and
perhaps an SMB query) is made for each of the httpd processes. The httpd
processes appear to operate independently of each other, unless the
browser sends all its requests down the one TCP channel.

I have started to add to the code to log authentications to disc, so
that each httpd process can also reference this disc file to verify if
it has authenticated a user beforehand from another process.

I hope I am going about this the right way..


My more immediate problem is that I am currently losing the contents of
posted variables in a request packet whenever I use the AuthenNTLM
module, but when I choose to use the standard mod_auth, my posted
variables get through every time. This problem occurred with the
AuthenNTLM code without any alterations. This problem is also
intermittent: 4 out of 5 times the problem will occur. By inserting the
line '$printme = $r->content' at the top of the handler sub I can see
the posted variables get through to the perl module.


Any ideas?


Thanks

Adam















RE: NTLM module

2002-09-02 Thread Kaye-Smith Adam


Hi Again,


I should also mention this only happens with IE. When using Mozilla and
Netscape I have no problems.


Adam
-Original Message-
From: Kaye-Smith Adam 
Sent: Tuesday, 3 September 2002 11:48 AM
To: 'Gerald Richter'
Cc: '[EMAIL PROTECTED]'
Subject: RE: NTLM module







Re: NTLM module

2002-08-21 Thread Gerald Richter


> All works fine for IE and Mozilla browsers but when I use Netscape, I am
> repeatedly prompted for passwords. If I enter my password about 3 to 6
> times I will eventually get the full page. If I enter the password once
> (and cancel any further password prompts) I get only a bit of the
> expected page.

Maybe the requested files are in different directories? Normally the browser
will only send back the username/password to the same or a child directory.

> The other aspect I can not understand is that when the perl NTLM module
> is running, it will often exit from subs other than the handler sub, i.e.
> the handler sub is always called first, which calls other subs, but
> whilst executing these other subs it appears that something seems to
> cut processing short and passes control back to Apache - the perl code
> never gets a chance to return to the handler module and exit with a
> 'return xx'.

Apache has a timeout, so maybe you hit that and Apache itself kills your
handler.

> The other error I get is that the username/password is passed ok from
> the SMB server verification phase, but then in subsequent calls to the
> SMB server, the username/password fails - this occurs during the one
> entry of username/password but the SMB server is contacted several times
> for verification (I also check the username and password in the script
> before they are submitted to the SMB server so I know they are correct).
> Would this be because of a timeout in the SMB response?

Somebody else also reported this and I am currently debugging it. It may be
related to some problems of the underlying C library. I'll let you know when
it is fixed.

> I would also expect the SMB server to only need to be referred to once, but
> the perl module is calling the SMB module 3 times during the one
> username/password entry.

Yes, as I said before, it's a challenge/response cycle that is taking place,
which takes 3 steps.

Gerald

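Gerald's last answer here (one username/password entry is a three-step challenge/response) and his reply of 2002-09-03 (exactly one SMB query per httpd process per KeepAlive connection) describe the same mechanism. The script below is an added example, not code from the thread or from Apache::AuthenNTLM: a small Perl model of the cycle at the HTTP level, with both the server's and the browser's messages, that counts round trips and SMB queries per connection. The TYPE1/TYPE2/TYPE3 strings are constructed stand-ins rather than real NTLM messages, and smb_verify() stands in for the domain controller.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from Apache::AuthenNTLM.
# A toy model of the NTLM challenge/response cycle as it appears at the
# HTTP level: why one username/password entry costs three round trips and
# one SMB query, and why that price is paid once per KeepAlive connection
# (so once per httpd process the browser happens to hit) rather than once
# per user.  The TYPE1/TYPE2/TYPE3 strings are constructed stand-ins, not
# real NTLM messages, and smb_verify() stands in for the domain controller.
use strict;
use warnings;

my $smb_queries = 0;    # how often the "SMB server" had to be asked

# Authentication state belongs to the TCP connection, not to the user.
sub new_connection {
    my ($httpd_pid) = @_;
    return { pid => $httpd_pid, state => 'anonymous', user => undef, challenge => undef };
}

# The client's answer to a challenge; only the domain controller can check it.
sub client_answer {
    my ($user, $challenge) = @_;
    return scalar reverse "$challenge$user";
}

sub smb_verify {
    my ($user, $challenge, $answer) = @_;
    $smb_queries++;
    return $answer eq client_answer($user, $challenge);
}

# Server side: one request on one connection yields one response.
# $auth is the Authorization header value, '' when the request has none.
sub server_handle {
    my ($conn, $auth) = @_;
    return { status => 200 } if $conn->{state} eq 'authenticated';

    if ($auth eq '') {                      # step 1: ask for NTLM
        return { status => 401, www_auth => 'NTLM' };
    }
    if ($auth eq 'NTLM TYPE1') {            # step 2: negotiate -> challenge
        $conn->{challenge} = sprintf '%08x', int rand 2**32;
        $conn->{state}     = 'challenged';
        return { status => 401, www_auth => "NTLM TYPE2:$conn->{challenge}" };
    }
    if ($conn->{state} eq 'challenged' && $auth =~ /^NTLM TYPE3:(\w+):(\w+)$/) {
        my ($user, $answer) = ($1, $2);     # step 3: verify with the SMB server
        if (smb_verify($user, $conn->{challenge}, $answer)) {
            $conn->{state} = 'authenticated';
            $conn->{user}  = $user;
            return { status => 200 };
        }
        $conn->{state} = 'anonymous';       # failed: start over on this connection
        return { status => 401, www_auth => 'NTLM' };
    }
    return { status => 400 };
}

# Client side: what IE does silently with the logged-in user's credentials.
# Returns the final status and the number of round trips it took.
sub client_fetch {
    my ($conn, $user) = @_;
    my ($auth, $trips) = ('', 0);
    while (1) {
        $trips++;
        my $res = server_handle($conn, $auth);
        return ($res->{status}, $trips) if $res->{status} != 401;
        die "handshake did not finish in 3 round trips" if $trips >= 3;
        my $chal = $res->{www_auth};
        if ($chal eq 'NTLM') {
            $auth = 'NTLM TYPE1';
        } elsif ($chal =~ /^NTLM TYPE2:(\w+)$/) {
            $auth = "NTLM TYPE3:$user:" . client_answer($user, $1);
        } else {
            die "unexpected challenge '$chal'";
        }
    }
}

# The browser is served by three httpd processes, each over its own
# KeepAlive connection, and fetches two objects on every connection.
for my $pid (1 .. 3) {
    my $conn = new_connection($pid);
    for my $path ('/index.html', '/logo.gif') {
        my ($status, $trips) = client_fetch($conn, 'adam');
        printf "httpd %d  %-12s -> %d after %d round trip(s)\n", $pid, $path, $status, $trips;
    }
}
print "SMB server contacted $smb_queries times: once per KeepAlive connection,\n",
      "however many requests that connection carries.\n";
```

The first object on each connection takes three round trips and one SMB query; the second takes one round trip and none, because the connection is already authenticated. A cache shared between httpd processes cannot change this on its own: the browser presents nothing on a fresh connection that identifies it, so the server has to issue the challenge again unless something else (a cookie, as discussed later in the thread) is sent with every request.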







RE: NTLM module

2002-08-19 Thread Kaye-Smith Adam

I am still having problems with the AuthenNTLM module.



All works fine for IE and Mozilla browsers but when I use Netscape, I am
repeatedly prompted for passwords. If I enter my password about 3 to 6
times I will eventually get the full page. If I enter the password once
(and cancel any further password prompts) I get only a bit of the
expected page.

If I put a sleep(2) in the perl module before it goes to verify against
the SMB server, the Netscape browser will work, albeit somewhat slower.


The other aspect I can not understand is that when the perl NTLM module
is running, it will often exit from subs other than the handler sub, i.e.
the handler sub is always called first, which calls other subs, but
whilst executing these other subs it appears that something seems to
cut processing short and passes control back to Apache - the perl code
never gets a chance to return to the handler module and exit with a
'return xx'.

I have been observing the perl's progress by looking at entries in the
error.log. I have also put in a variety of print STDERR statements at
key positions to see where the code is exiting.

If for instance I put a sleep command in the perl module, the code will
often exit whilst the sleep is taking place - it appears that the NTLM
module has run out of its allowed time and it has been cut short. The
other conclusion is that multiple threads are running and outputting to
the error.log and confusing me with the overlapping output.

This strange exiting behaviour also appears to occur on all browsers
(ones that work ok and Netscape, which does not work).


The other error I get is that the username/password is passed ok from
the SMB server verification phase, but then in subsequent calls to the
SMB server, the username/password fails - this occurs during the one
entry of username/password but the SMB server is contacted several times
for verification (I also check the username and password in the script
before they are submitted to the SMB server so I know they are correct).
Would this be because of a timeout in the SMB response?

I would also expect the SMB server to only need to be referred to once, but
the perl module is calling the SMB module 3 times during the one
username/password entry.


I hope the above makes sense. I can send my log file if this would help.



Regards

Adam


-Original Message-
From: Kaye-Smith Adam 
Sent: Monday, 19 August 2002 9:15 AM
To: 'Gerald Richter'; Peter Bi; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: NTLM module


Thanks for your advice Gerald.

I have found a compromise by having the directive of AuthType Basic, but
the perl code has been changed to run the NTLM check as well as SMB
(regardless of the config file) and if both authentications fail, the
standard mod_auth code will then be run.


Thanks once again.

Adam









RE: NTLM module

2002-08-19 Thread Kaye-Smith Adam

I should add that I am using Apache 1.3, perl 5.6.1 and mod_perl 1.26.


My httpd.conf section for mod_perl is below (I have added the first 3
lines during the course of troubleshooting).



PerlFreshRestart On
PerlWarn On
PerlSetEnv MOD_PERL_TRACE d;
<Directory /var/www/html/>

#
# This may also be None, All, or any combination of Indexes,
# Includes, FollowSymLinks, ExecCGI, or MultiViews.
#
# Note that MultiViews must be named *explicitly* --- Options All
# doesn't give it to you.
#
Options Indexes FollowSymLinks

#
# This controls which options the .htaccess files in directories can
# override. Can also be All, or any combination of Options, FileInfo,
# AuthConfig, and Limit
#
AllowOverride None

PerlAuthenHandler +Apache::AuthenNTLM
AuthUserFile /tmp/htpasswd
AuthName Warning you are entering a development server!!  (and
AuthType basic
#AuthType ntlm,basic
#AuthType ntlm
PerlAddVar ntdomain LANDS zeta zeta
PerlSetVar ntlmauthoritative off
PerlSetVar basicauthoritative off
PerlSetVar defaultdomain LANDS
PerlSetVar ntlmdebug 1
require valid-user
#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all
</Directory>


Regards

Adam

-Original Message-
From: Kaye-Smith Adam 
Sent: Tuesday, 20 August 2002 2:46 PM
To: 'Gerald Richter'; 'Peter Bi'; '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'
Subject: RE: NTLM module







Re: NTLM module

2002-08-19 Thread Peter Bi

Adam:

Netscape does behave somewhat differently under authentication. I used to
have a similar problem with a Perl authen module using Netscape 6 (Netscape
4.0 and 3.0 are okay, however). It looks like N6 uses more caching, and
does not tolerate any departure from the HTTP 1.1 definition, so one often
gets the same pop-up login page instead of the redirected page. You may try
to remove any caching tags and add nocache in the code.


Peter

- Original Message -
From: Kaye-Smith Adam [EMAIL PROTECTED]
To: Gerald Richter [EMAIL PROTECTED]; Peter Bi [EMAIL PROTECTED];
[EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, August 19, 2002 9:46 PM
Subject: RE: NTLM module


I am still having problems with the AuthenNTLM module.



All works fine for IE and Mozilla browsers but when I use Netscape, I am
repeatedly prompted for passwords. If I enter my password about 3 to 6
times I will eventually get the full page. If I enter the password once
(and cancel any further password prompts) I get only a bit of the
expected page.

If I put a sleep (2) in the perl module before it goes to verify against
the SMB server, the Netscape browser will work, albeit somewhat slower.


The other aspect I cannot understand is that when the perl NTLM module
is running, it will often exit from subs other than the handler sub, i.e.
the handler sub is always called first, which calls other subs, but
whilst executing these other subs it appears that something cuts
processing short and passes control back to Apache; the perl code
never gets a chance to return to the handler module and exit with a
'return xx'.

I have been observing the perl's progress by looking at entries in the
error.log. I have also put in a variety of print STDERR statements at
key positions to see where the code is exiting.

If for instance I put a sleep command in the perl module, the code will
often exit whilst the sleep is taking place; it appears that the NTLM
module has run out of its allowed time and has been cut short. The
other conclusion is that multiple threads are running and outputting to
the error.log and confusing me with the overlapping output.

This strange exiting behaviour also appears to occur on all browsers
(ones that work OK and Netscape, which does not work).


The other error I get is that the username/password is passed OK from
the SMB server verification phase, but then in subsequent calls to the
SMB server the username/password fails. This occurs during the one
entry of username/password, but the SMB server is contacted several times
for verification (I also check the username and password in the script
before they are submitted to the SMB server, so I know they are correct).
Would this be because of a timeout in the SMB server's response?

I would also expect the SMB server to only need to be referred to once, but
the perl module is calling the SMB module 3 times during the one
username/password entry.


I hope the above makes sense. I can send my log file if this would help.



Regards

Adam







RE: NTLM module

2002-08-18 Thread Kaye-Smith Adam

Thanks for your advice Gerald.

I have found a compromise by having the directive AuthType Basic, but
the perl code has been changed to run the NTLM check as well as SMB
(regardless of the config file), and if both authentications fail, the
standard mod_auth code will then be run.


Thanks once again.

Adam

-Original Message-
From: Gerald Richter [mailto:[EMAIL PROTECTED]]
Sent: Friday, 16 August 2002 3:19 PM
To: Kaye-Smith Adam; Peter Bi; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: NTLM module



When I have AuthType ntlm,basic in httpd.conf and I attempt to use a
username/password that is in the htpasswd file I will not be able to be
authenticated and I receive the following error message in
/var/log/http/error.log

[Thu Aug 15 15:28:53 2002] [crit] [client 131.242.91.200] configuration
error:  couldn't check user.  No user file?: /

However when I use AuthType basic in httpd.conf and follow the same process I
do not get the above error message in the log and I can get authenticated and
bring up the web page.

That's because Apache's basic auth handler checks for AuthType Basic. If
AuthType is anything else than Basic, it doesn't do anything.

This could be fixed for basic authentication by letting Apache::AuthenNTLM
use another configuration directive instead of AuthType, so you can set
AuthType to Basic, but it won't work for NTLM authentication, because of
what I wrote in my previous mails: there is no password available on
the server side to compare against.

If it doesn't work with NTLM auth, there is no need to fix it, because you
are using Apache::AuthenNTLM to get NTLM authentication. If you really only
want basic auth and to verify your passwords against different backends,
like a Windows server, you really should use Peter's module. If you want NTLM
auth and want not only to verify the passwords against a Windows server, you
have to extend Apache::AuthenNTLM to handle this, like I wrote in my previous
emails.

Gerald

-
Gerald Richter    ecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting

Post:   Tulpenstrasse 5 D-55276 Dienheim b. Mainz
E-Mail: [EMAIL PROTECTED] Voice:+49 6133 925131
WWW:    http://www.ecos.de  Fax:  +49 6133 925152
-












Re: NTLM module

2002-08-15 Thread ew0psceg

Am I totally wrong, or the plain and painful answer is
that NTLM is only supported on Win32 boxes? I think
I read somewhere that, because the module relies on the
Win32 API, it doesn't run on other systems. It even
said something like ...whoever wants to grab some
Samba code and port the module to *nix, please do

Again, this is just something I guess I think I read
somewhere, so take it with a grain of salt.

Paulo Meireles
MCSE (and not ashamed of it)
;-)


How to Reduce Your Organisation's Security Risks: Free Whitepaper on
Security Services http://www.vianetworks.pt/security/whitepaper_fs.html





Re: What is NTLM? (was: NTLM module)

2002-08-15 Thread Gerald Richter

  Am I totally wrong, or the plain and painful answer is
  that NTLM is only supported on Win32 boxes? I think
  I read somewhere that, because the module relies on the
  Win32 API, it doesn't run on other systems. It even
  said something like ...whoever wants to grab some
  Samba code and port the module to *nix, please do
 
  Again, this is just something I guess I think I read
  somewhere, so take it with a grain of salt.

Apache::AuthenNTLM runs only on Unix and it uses Authen::Smb to verify
passwords against a Windows NT/2000 machine.

On the client side NTLM is only supported by Microsoft Internet Explorer.
The main reason why you want to use it is when you have an intranet
Apache server on Unix and most/all of your clients use MSIE on Windows as
browser. In this case MSIE will authenticate via NTLM automatically as the
currently logged-on user when a server requests NTLM authentication. So the
main reason to use it is that in this case the users don't have to type in
their passwords again.


 I doubt that NTLM does not need any password. Logically, there must be a
 way to set up the initial trustful connection between two machines. If not
 a password, what will that be? Or something like Digital Authentication?


From the README:

The NTLM protocol performs a challenge/response to exchange a random number
(nonce) and get back a md4 hash, which is built from the user's password
and the nonce. This makes sure that no cleartext password goes over the
wire, so it's more secure than basic authentication, which doesn't mean it's
a really secure authentication scheme.

Some information about NTLM can be found at

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/ntlmssp_0k19.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vcsample98/samp/VC98/sdk/winbase/security/winnt/httpauth/httpauth.asp

More detailed implementation details are available from

http://www.opengroup.org/comsource/techref2/NCH1222X.HTM
http://www.innovation.ch/java/ntlm.html

A lot of ideas and information are taken from the similar Apache module
mod_ntlm, which can be found at http://sourceforge.net/projects/modntlm/

Gerald








Re: NTLM module

2002-08-14 Thread Matt Sergeant

Can you guys please snip the emails down to the relevant information? 
Having to scroll past lots of rubbish at the end of the email gets 
annoying (and I'm not even a digest subscriber). Thanks.




RE: NTLM module

2002-08-14 Thread Kaye-Smith Adam

Hello all,


I believe I have narrowed the problems down but still do not know how to
fix it.


When I have AuthType ntlm,basic in httpd.conf and I attempt to use a
username/password that is in the htpasswd file I will not be able to be
authenticated and I receive the following error message in
/var/log/http/error.log


[Thu Aug 15 15:28:53 2002] [crit] [client 131.242.91.200] configuration
error:  couldn't check user.  No user file?: /



However when I use AuthType basic in httpd.conf and follow the same process I
do not get the above error message in the log and I can get authenticated and
bring up the web page.



My only explanation is that when authtype is ntlm,basic then the
directive in httpd.conf file of  AuthUserFile /tmp/htpasswd somehow gets
overlooked.


my other directives are as follows:

PerlAuthenHandler Apache::AuthenNTLM
AuthName Warning you are entering a development server!!  (and
AuthType ntlm,basic
PerlAddVar ntdomain LANDS zeta
PerlSetVar ntlmauthoritative off
PerlSetVar basicauthoritative off
PerlSetVar defaultdomain LANDS
PerlSetVar ntlmdebug 1
AuthUserFile /tmp/htpasswd
require valid-user


I do not believe that the password is somehow undetectable to the
authentication module whether I use AuthType ntlm,basic or AuthType
basic. This is because I have been able to print the username and password
variables in the AuthenNTLM perl module and they come out to the error
log correctly on both occasions.

I have changed the perl to the following in the handler sub.

elsif ($type == -1)
{
    my $nonce = $self->get_nonce($r);
    if (!$nonce)
    {
        $r->log_reason("Cannot get nonce for " . $r->uri);
        return SERVER_ERROR;
    }
    print STDERR "just before verify user (2nd) \n\n";
    if (!$self->verify_user($r))
    {
        print STDERR "could not verify user \n\n";
        print STDERR "no verify Username is $self->{username} \n\n";
        print STDERR "no verify Userpass is $self->{password} \n\n";
        return $self->{basicauthoritative} ? AUTH_REQUIRED : DECLINED;
        print STDERR "is this sent\n\n";   # never reached: it follows the return
    }


In the error log I get the following on both occasions:


AuthenNTLM: rc = 3  ntlmhash = 
could not verify user 

 no verify Username is adamk 

no verify Userpass is test 





Any ideas?


Regards

Adam



-Original Message-
From: Peter Bi [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 14 August 2002 2:41 PM
To: Gerald Richter; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: NTLM module


Gerald:

Any comment on Paulo's question ? (I am interested in that knowledge
too.)

I doubt that NTLM does not need any password. Logically, there must be a
way to set up the initial trustful connection between two machines. If not
a password, what will that be? Or something like Digital Authentication?

Peter


Re: NTLM module

2002-08-13 Thread Gerald Richter



 You may check Apache::Access module at http://modperl.home.att.net in
 which I tried to provide a general solution to several popular authentication
 issuers such as SMB, LDAP, IMAP, NIS, FTP, LWP and DBI etc.


I think you missed the point (or I misunderstood your module): The problem
is not doing the authentication against whatever, but doing NTLM
authentication. With NTLM auth you don't get a password from the client, so
how would you compare the password that you don't have against SMB, LDAP, IMAP,
NIS, FTP, LWP and DBI etc.?

The only solution is to reimplement the challenge/response that NTLM does.
(The module Authen::Perl::NTLM may be helpful here). To do this you need
either the password in clear text to compute the nt password hash (a sort of
md4 hash) or the precomputed nt password hash. You won't have this with
LDAP, IMAP, NIS, FTP, LWP and DBI etc.

Gerald



 Cheers.


 Peter Bi

 - Original Message -
 From: Gerald Richter [EMAIL PROTECTED]
 To: Kaye-Smith Adam [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Sent: Monday, August 12, 2002 9:12 PM
 Subject: Re: NTLM module


 
  According to the documentation, if you set ntlmauthoritative to off,
  then if NTLM authorization fails, then it should pass it on to the
  lower level modules.
 
  Yes, that's true and it works like you describe it. The point that you
  are missing is (and that I have tried to show in my last mail), that during
  NTLM authentication there is no password! NTLM never passes the password to
  the server, so even when control gets passed to the lower level module, this
  lower level module must be able to handle NTLM. The default Apache auth
  handler isn't able to do so. It expects a password, which it doesn't
  get because the client never sent it.
 
  Hope it's a little bit more clear now
 
  Gerald
 
 
 
 
   I have cut out the below section from the doco which
  relates to the above functionality :
  
  =head2 PerlSetVar ntlmauthoritative
 
  Setting the ntlmauthoritative directive explicitly to 'off' allows
  authentication to be passed on to lower level modules if AuthenNTLM cannot
  authenticate the user and the NTLM authentication scheme is used.
  If set to 'on', which is the default, AuthenNTLM will try to verify the
  user and if it fails will give an Authorization Required reply.
 
  =head2 PerlSetVar basicauthoritative
 
  Setting the ntlmauthoritative directive explicitly to 'off' allows
  authentication to be passed on to lower level modules if AuthenNTLM cannot
  authenticate the user and the Basic authentication scheme is used.
  If set to 'on', which is the default, AuthenNTLM will try to verify the
  user and if it fails will give an Authorization Required reply.
  
 
 
 
  From the above description, I am hoping for the following events to take
  place
 
 
  -   ntlm authentication   (if this level fails, go to the next authentication)
 
  -   basic authentication  (if this level fails, go to other
  authentication systems)
 
  -   read passwords in htpasswd file  (if this fails, then access is not
  granted)
 
 
  To enable the following behaviour, I have included the following
  directives in httpd.conf.
 
  -  ntlmauthoritative off
  -  basicauthoritative off
 
 
  I have also taken out the basic authentication to see if this works, i.e.
 
  Authtype ntlm   (not basic)
 
  But this still fails to allow the htpasswd system to verify access.
 
 
  If there are changes that need to be made to the AuthenNTLM.pm, I am
  not very well read in this area - are there any good references?
 
  From my novice perspective, it appears that when NTLM is included as
  part of the authentication, the ability for normal modules to verify
  access (i.e. htpasswd file) is no longer available, i.e. the perl module does
  not pass back what the standard modules are expecting.
 
  I am sorry to be a bit unclear in my analysis, but I am fairly new to
  Apache and perl modules.
 
 
  Many Thanks
 
 
  Adam
 
 
  original email attached
 
 
 
 
 
 
 
 
 
  -Original Message-
  From: Gerald Richter [mailto:[EMAIL PROTECTED]]
  Sent: Monday, 12

Re: NTLM module

2002-08-13 Thread Peter Bi

Gerald:

if you check the source of the Smb implementation of the module, you would
see that it performs basically the same function as NTLM. I agree with you
that it does not fit the Microsoft definition of NTLM, so it is not an NTLM
implementation. If one's purpose is to pass the protection by providing a
valid username/password pair in an NT domain, then one does not have to
follow that definition and the current Smb implementation is one of the
possible solutions.


Peter


Re: NTLM module

2002-08-13 Thread Gerald Richter


 if you check the source of the Smb implementation of the module, you would
 see that it performs basically the same function as NTLM. I agree with you
 that it does not fit the Microsoft definition of NTLM, so it is not an NTLM
 implementation. If one's purpose is to pass the protection by providing a
 valid username/password pair in an NT domain, then one does not have to
 follow that definition and the current Smb implementation is one of the
 possible solutions.


The point is not how the password is passed to the NT server, the point is
how the browser and the web server exchange the credentials. With basic
auth and with your module the user enters a username and a password and you
use different backends to verify this. With NTLM authentication Internet
Explorer and the web server use a challenge-response procedure to exchange
credentials (and IE does this without asking the user, so you get logged on
with your Windows username, which saves the user some extra typing). They
never send the password over the wire, so you don't have a password to
send/verify to your backend.

What you are talking about is the verification of the password between the web
server and the NT domain controller; that's something different.

Gerald
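To make concrete what the README excerpt quoted earlier in this thread and Gerald's explanations describe (the domain side holds only the MD4-based NT hash, the browser answers a nonce with a hash bound to it, and no cleartext ever reaches the web server, so a Basic-auth backend has nothing to check), here is an added Python illustration; it is not Apache::AuthenNTLM's code. The NT hash is the real one (MD4 over the UTF-16LE password); the response step is an NTLMv2-style HMAC-MD5 over the nonce, simplified by assumption (no NTLMv1 DES step, no client blob), and every user, password and nonce value is constructed.

```python
"""Added illustration for this thread, not Apache::AuthenNTLM's code.

Shows why an NTLM exchange can be checked with the stored NT hash alone and
why a Basic-auth style backend (htpasswd etc.) is handed nothing it can check.
The NT hash is the real NT OWF (MD4 of the UTF-16LE password). The response
is an NTLMv2-style HMAC-MD5 over the server nonce, simplified on purpose:
no NTLMv1 DES step and no client blob/timestamp (an assumption, not the
faithful wire format).
"""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def _md4_block(state, block):
    # One MD4 compression of a 64-byte block (RFC 1320); X = 16 LE words.
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         tuple(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for fn, k, order, shifts in rounds:
        for i, idx in enumerate(order):
            a = _rotl((a + fn(b, c, d) + X[idx] + k) & MASK, shifts[i % 4])
            a, b, c, d = d, a, b, c  # rotate roles: the next step updates old d
    return [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    # Pure-Python MD4: hashlib's md4 is missing from many OpenSSL 3 builds.
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((56 - (len(data) + 1) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        state = _md4_block(state, data[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    # The "nt password hash" from the thread: MD4 over the UTF-16LE password.
    # This is what the domain side stores; the cleartext is not needed later.
    return md4(password.encode("utf-16-le"))


def client_response(password: str, nonce: bytes) -> bytes:
    # Browser side (IE does this from the logged-on user's credentials):
    # bind the password-derived key to the server's nonce. The password
    # itself never leaves the client.
    return hmac.new(nt_hash(password), nonce, hashlib.md5).digest()


def server_verify(stored_nt_hash: bytes, nonce: bytes, response: bytes) -> bool:
    # Server side: recompute from the stored hash only and compare in
    # constant time. A fresh nonce per request defeats replay of a response.
    expected = hmac.new(stored_nt_hash, nonce, hashlib.md5).digest()
    return hmac.compare_digest(expected, response)


def ntlm_exchange(password: str, stored_nt_hash: bytes, nonce=None) -> dict:
    # One full exchange as the README describes it: server issues a nonce,
    # client answers with a hash bound to it, server checks against its hash.
    nonce = nonce if nonce is not None else os.urandom(8)
    response = client_response(password, nonce)
    return {
        "nonce": nonce,
        "response": response,
        "verified": server_verify(stored_nt_hash, nonce, response),
        # This is all a lower-level Basic handler could be handed afterwards:
        "cleartext_password_received": None,
    }


def basic_backend_check(htpasswd: dict, user: str, cleartext) -> bool:
    # Stand-in for Apache's Basic handler over a constructed user->password
    # map (a real htpasswd compares crypt hashes, but still needs the
    # cleartext as input, which NTLM never supplies).
    return cleartext is not None and htpasswd.get(user) == cleartext


if __name__ == "__main__":
    stored = nt_hash("password")  # constructed: what the NT domain holds
    result = ntlm_exchange("password", stored)
    print("NTLM verified using only the stored hash:", result["verified"])
    print("Basic backend can verify the same request:",
          basic_backend_check({"adamk": "password"}, "adamk",
                              result["cleartext_password_received"]))
```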



Re: NTLM module

2002-08-13 Thread Peter Bi

The username/password pair is sent only once to the issuer machine and the
follow-up authentications are performed using a self-certified,
time-limited, hash. In fact, it is based on access-control, having nothing
to do with Basic Authentication. This is discussed in detail in the Eagle
book. I am not sure if NTLM is even better but for most applications, it is
pretty secure.

Peter


Re: NTLM module

2002-08-13 Thread Gerald Richter



 The username/password pair is sent only once to the issuer machine and the
 follow-up authentications are performed using a self-certified,
 time-limited, hash. In fact, it is based on access-control, having nothing
 to do with Basic Authentication. This is discussed in detail in the Eagle
 book. I am not sure if NTLM is even better but for most applications, it
 is pretty secure.


NTLM is a bit more secure, but also this is not the point here. NTLM auth
doesn't require you to enter your password at all. I don't argue that NTLM
is better, it just fits better in some intranet situations, because the user
doesn't have to type in the username/password.

It seems that I was not clear enough. The only thing I say is that under
the precondition you want to use NTLM client authentication, you can't use
the way your module verifies the password.

Gerald

-
Gerald Richterecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting

Post:   Tulpenstrasse 5 D-55276 Dienheim b. Mainz
E-Mail: [EMAIL PROTECTED] Voice:+49 6133 925131
WWW:http://www.ecos.de  Fax:  +49 6133 925152
-

Peter

- Original Message -
From: Gerald Richter [EMAIL PROTECTED]
To: Peter Bi [EMAIL PROTECTED]; Kaye-Smith Adam [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, August 13, 2002 12:29 PM
Subject: Re: NTLM module


if you check the source of the Smb implementation of the module, you would
see that it performs basically the same function as NTLM. I agree with you
that it does not fit the Microsoft definition of NTLM, so it is not a NTLM
implementation. If one's purpose is to pass the protection by providing a
valid username/password pair in a NT domain, then one does not have to
follow that definition and the current Smb implementation is one of the
possible solutions.

The point is not how the password is passed to the NT server, the point is
how the browser and the web server exchange the credentials. With basic
auth and with your module the user enters a username and a password and you
use different backends to verify this. With NTLM authentication the Internet
Explorer and the Web server use a challenge-response procedure to exchange
credentials (and IE does this without asking the user, so you get logged on
with your Windows username, which saves the user some extra typing). They
never send the password over the wire, so you don't have a password to
send/verify to your backend.

What you are talking about is the verification of the password between the
web server and the NT domain controller, that's something different.

Gerald


Peter

- Original Message -
From: Gerald Richter [EMAIL PROTECTED]
To: Peter Bi [EMAIL PROTECTED]; Kaye-Smith Adam [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, August 13, 2002 12:53 AM
Subject: Re: NTLM module


You may check Apache::Access module at http://modperl.home.att.net in which
I tried to provide a general solution to several popular authentication
issuers such as SMB, LDAP, IMAP, NIS, FTP, LWP and DBI etc.

I think you missed the point (or I misunderstood your module): The problem
is not doing the authentication against whatever, but doing NTLM
authentication. With NTLM auth you don't get a password from the client, so
how would you compare the password that you don't have against SMB, LDAP,
IMAP, NIS, FTP, LWP and DBI etc.?

The only solution is to reimplement the challenge/response that NTLM does.
(The module Authen::Perl::NTLM may be helpful here). To do this you need
either the password in clear text to compute the NT password hash (a sort
of MD4 hash) or the precomputed NT password hash. You won't have this with
LDAP, IMAP, NIS, FTP, LWP and DBI etc.

Gerald
   
Re: NTLM module

2002-08-13 Thread Peter Bi

Gerald:

Any comment on Paulo's question? (I am interested in that knowledge too.)

I doubt that NTLM does not need any password. Logically, there must be a way
to set up the initial trustful connection between two machines. If not
password, what will that be? Or something like Digital Authentication?

Peter

- Original Message -
From: [EMAIL PROTECTED]
To: Peter Bi [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, August 13, 2002 2:36 PM
Subject: Re: NTLM module


Am I totally wrong, or is the plain and painful answer
that NTLM is only supported on Win32 boxes? I think
I read somewhere that, because the module relies on the
Win32 API, it doesn't run on other systems. It even
said something like "...whoever wants to grab some
Samba code and port the module to *nix, please do".

Again, this is just something I guess I think I read
somewhere, so take it with a grain of salt.

Paulo Meireles
MCSE (and not ashamed of it)
;-)

 




Re: NTLM module

2002-08-12 Thread Gerald Richter


- Original Message -
From: Kaye-Smith Adam [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, August 12, 2002 4:51 AM
Subject: NTLM module


Hello,


When I enter in an NT password it all works ok but when I use a
user/pass from the htpasswd file, the only way it will work is that I
change the above line to

AuthType Basic instead of
AuthType ntlm,Basic.


With this change I can access passwords in htpasswd & also authenticate
from an NT server but I can no longer use NTLM.

The problem is that Basic authentication requires a password from the client
which can be compared against your password file. In case of NTLM auth,
there is no password ever sent over the wire, so Apache doesn't have
anything which it can compare against its passwd file.

The solution would be to derive a class from AuthenNTLM and do the
computation of the challenge and response based on the secrets in the passwd
file (you would need to store MD4 hashes of your passwords somewhere). There
is a module called Perl::AuthenNTLM which may be helpful in doing this
task.

Gerald


-
Gerald Richterecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting

Post:   Tulpenstrasse 5 D-55276 Dienheim b. Mainz
E-Mail: [EMAIL PROTECTED] Voice:+49 6133 925131
WWW:http://www.ecos.de  Fax:  +49 6133 925152
-







Re: NTLM module

2002-08-12 Thread Gerald Richter


According to the documentation, if you set NTMLauthoritative to off,
then if NTLM authorization fails, then it should pass it on to the lower
level modules.

Yes, that's true and it works like you describe it. The point that you are
missing is (and that I have tried to show in my last mail), that during NTLM
authentication there is no password! NTLM never passes the password to the
server, so even when control gets passed to the lower level module, this
lower level module must be able to handle NTLM. The default Apache auth
handler isn't able to do so. It expects a password, which it doesn't get
because the client never has sent it.

Hope it's a little bit more clear now

Gerald

-
Gerald Richterecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting

Post:   Tulpenstrasse 5 D-55276 Dienheim b. Mainz
E-Mail: [EMAIL PROTECTED] Voice:+49 6133 925131
WWW:http://www.ecos.de  Fax:  +49 6133 925152
-



I have cut out the below section from the doco which
relates to the above functionality:

=head2 PerlSetVar ntlmauthoritative

Setting the ntlmauthoritative directive explicitly to 'off' allows
authentication to be passed on to lower level modules if AuthenNTLM cannot
authenticate the user and the NTLM authentication scheme is used.
If set to 'on', which is the default, AuthenNTLM will try to verify the
user and if it fails will give an Authorization Required reply.

=head2 PerlSetVar basicauthoritative

Setting the ntlmauthoritative directive explicitly to 'off' allows
authentication to be passed on to lower level modules if AuthenNTLM cannot
authenticate the user and the Basic authentication scheme is used.
If set to 'on', which is the default, AuthenNTLM will try to verify the
user and if it fails will give an Authorization Required reply.


From the above description, I am hoping for the following events to take
place:

-   ntlm authentication   (if this level fails, go to next authentication)

-   basic authentication  (if this level fails, go to other
    authentication systems)

-   read passwords in htpasswd file  (if this fails, then access not
    granted)


To enable the following behaviour, I have included the following
directives in httpd.conf.

-  ntlmauthoritative off
-  basicauthoritative off


I have also taken out the basic authentication to see if this works, ie

Authtype ntlm   (not basic)

But this still does fail & allow the htpasswd system to verify access.


If there are changes that need to be made to the AuthenNTLM.pm, I am
not very well read in this area - are there any good references?

From my novice perspective, it appears that when NTLM is included as
part of the authentication, the ability for normal modules to verify
access (ie htpasswd file) is no longer available, ie the perl module does
not pass back what the standard modules are expecting.

I am sorry to be a bit unclear in my analysis, but I am fairly new to
apache & perl modules.


Many Thanks


Adam

original email attached









Re: NTLM module

2002-08-12 Thread Peter Bi

You may check Apache::Access module at http://modperl.home.att.net in which
I tried to provide a general solution to several popular authentication
issuers such as SMB, LDAP, IMAP, NIS, FTP, LWP and DBI etc.

Cheers.


Peter Bi

NTLM module

2002-08-11 Thread Kaye-Smith Adam

Hello,


I am having some problems with the perl module AuthenNTLM . I am using
Redhat 7.3 with Apache/1.3.23 (Unix)

my httpd.conf file section is below


PerlAuthenHandler Apache::AuthenNTLM
AuthName Warning you are entering a development server!!  (and
AuthType ntlm,basic
AuthUserFile htpasswd
AuthAuthoritative on
PerlAddVar ntdomain LANDS zeta
PerlSetVar ntlmauthoritative off
PerlSetVar basicauthoritative off
PerlSetVar defaultdomain LANDS
PerlSetVar ntlmdebug 1
require valid-user



When I enter in an NT password it all works ok but when I use a
user/pass from the htpasswd file, the only way it will work is that I
change the above line to

AuthType Basic instead of
AuthType ntlm,Basic.


With this change I can access passwords in htpasswd & also authenticate
from an NT server but I can no longer use NTLM.


I have tried to change return codes in the AuthenNTLM.pm without any
luck


My last part of my debug output file when it fails on entering a
user/pass in the htpasswd file is:


AuthenNTLM: Verify user adamk via smb server
[Fri Aug  9 17:32:21 2002] [error] access to / failed for  , reason:
Wrong password/user (rc=3): LANDS\adamk for /
AuthenNTLM: rc = 3  ntlmhash = 
[Fri Aug  9 17:32:21 2002] [crit] [client 131.242.91.200] configuration
error:  couldn't check user.  No user file?: /



Can you suggest anything.




Regards





