Hi,
I've got a problem trying to set up Apache::AuthenNTLM to secure the
administration area for our (mod_perl-based) CMS.
The server setup is as follows:
* A lightweight port-80 instance of Apache, which deals with
all requests for static content, and proxies everything else
over to...
* A mod_perl-centric, port-8080 instance of Apache, which
deals with all the dynamic, mod_perl-generated content
I've set up the authentication on the administration area in the
httpd.conf file for the backend, port-8080 server to use AuthenNTLM.
When I access a test script directly on the port-8080 server, the
authentication works a dream. This seems to confirm, to me, that the
settings are basically correct.
However, when I try to access the authenticated area through the
frontend, port-80 server, the authentication doesn't work. The client
gets a variation on the little grey box of Basic Authentication, this
time with a domain field added. Entering details into the box only
brings the box back, however.
KeepAlive is on for both Apaches. I've enabled PerlSetVar ntlmdebug
2, and the output for each situation is below. I've asterisked out
anything that I think might be unwise to post on a public forum; if it
turns out that some of that is needed to figure out what's going on,
I'll be glad to revise that heuristic!
Firstly, the direct attempt (which worked):
[14925] AuthenNTLM: Config Domain = domain1 pdc = bdc =
[14925] AuthenNTLM: Config Default Domain = domain1
[14925] AuthenNTLM: Config Fallback Domain =
[14925] AuthenNTLM: Config AuthType = ntlm AuthName = CMS NTLM
Authentication Test
[14925] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
[14925] AuthenNTLM: Config NTLMAuthoritative = on BasicAuthoritative =
on
[14925] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
[14925] AuthenNTLM: Authorization Header not given
[Mon Jul 5 15:03:23 2004] [error] access to /res/env.cgi failed for ,
reason: Bad/Missing NTLM/Basic Authorization Header for /res/env.cgi
[14925] AuthenNTLM: Start NTLM Authen handler pid = 14925, connection =
156590692 conn_http_hdr = Keep-Alive main = cuser = remote_ip =
remote_port = remote_host = version = 0.23
[14925] AuthenNTLM: Object exists user = \
[14925] AuthenNTLM: Authorization Header NTLM
TlRMTVNTUAABB7IAoAcABwAoCAAIACBXQkMtVFMtMURPTUFJTjE=
[14925] AuthenNTLM: Got: 78 84 76 77 83 83 80 0 1 0 0 0 7 178 0 160 7 0
7 0 40 0 0 0 8 0 8 0 32 0 0 0 87 66 67 45 84 83 45 49 68 79 77 65 73 78
49
[14925] AuthenNTLM: protocol=NTLMSSP, type=1,
flags1=7(NEGOTIATE_UNICODE,NEGOTIATE_OEM,REQUEST_TARGET),
flags2=178(NEGOTIATE_ALWAYS_SIGN,NEGOTIATE_NTLM), domain length=7,
domain offset=40, host length=8, host offset=32, host=WBC-TS-1,
domain=DOMAIN1
[14925] AuthenNTLM: Connect to pdc = bdc = domain = domain1
[14925] AuthenNTLM: timed out while waiting for lock (key = 23754)
[14925] AuthenNTLM: leave lock
[14925] AuthenNTLM: Send: 78 84 76 77 83 83 80 0 2 0 0 0 0 0 0 0 40 0 0
0 1 130 0 0 216 117 139 24 181 48 159 61 0 0 0 0 0 0 0 0
[14925] AuthenNTLM: charencoding = 1
[14925] AuthenNTLM: flags2 = 130
[14925] AuthenNTLM: nonce=Øuµ0=
[14925] AuthenNTLM: Send header: NTLM
TlRMTVNTUAACACgBggAA2HWLGLUwnz0AAA==
[14925] AuthenNTLM: Start NTLM Authen handler pid = 14925, connection =
156590692 conn_http_hdr = Keep-Alive main = cuser = remote_ip =
remote_port = remote_host = version = 0.23
[14925] AuthenNTLM: Object exists user = \
[14925] AuthenNTLM: Authorization Header NTLM
TlRMTVNTUAADGAAYAG4YABgAhg4ADgBAEAAQAE4QABAAXgCeBYIAAEQATwBNAEEASQBOADEAYQByAHQAaQBjAGwAZQA3AFcAQgBDAC0AVABTAC0AMQBDF+KMFTHlqAmWaSgr17JBJVr6fpDj9dGBGDYhHPRVxYNQsYcPvPYUSpQoEYrg0T8=
[14925] AuthenNTLM: Got: 78 84 76 77 83 83 80 0 3 0 0 0 24 0 24 0 110 0
0 0 24 0 24 0 134 0 0 0 14 0 14 0 64 0 0 0 16 0 16 0 78 0 0 0 16 0 16 0
94 0 0 0 0 0 0 0 158 0 0 0 5 130 0 0 68 0 79 0 77 0 65 0 73 0 78 0 49 0
97 0 114 0 116 0 105 0 99 0 108 0 101 0 55 0 87 0 66 0 67 0 45 0 84 0
83 0 45 0 49 0 67 23 226 140 21 49 229 168 9 150 105 40 43 215 178 65
37 90 250 126 144 227 245 209 129 24 54 33 28 244 85 197 131 80 177 135
15 188 246 20 74 148 40 17 138 224 209 63
[14925] AuthenNTLM: protocol=NTLMSSP, type=3, user=, host=,
domain=DOMAIN1, msg_len=0
[14925] AuthenNTLM: Verify user via smb server
[14925] AuthenNTLM: OK pid = 14925, connection = 156590692 cuser =
ip =
Next, the attempt via the port-80 Apache proxy. The following is taken
from the port-8080 error log, so at least some of the data is being
proxied properly.
[14927] AuthenNTLM: Config Domain = domain1 pdc = bdc =
[14927] AuthenNTLM: Config Default Domain = domain1
[14927] AuthenNTLM: Config Fallback Domain =
[14927] AuthenNTLM: Config AuthType = ntlm AuthName = CMS NTLM
Authentication Test
[14927] AuthenNTLM: Config Auth NTLM = 1 Auth
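Added example (not from the original post or the Apache::AuthenNTLM module): a Python decoder for the NTLMSSP Type 1 (negotiate) and Type 2 (challenge) messages, fed the exact "Got:" and "Send:" byte dumps from the direct-access log above. It recovers the host, domain and flags the module logged and the 8-byte server challenge (the logged nonce), which is only valid on the TCP connection it was issued on; a proxy that does not keep one backend connection for the whole three-message exchange breaks the handshake. Flag names follow MS-NLMP and cover more bits than the module's own output names.

```python
import struct

# Message bytes transcribed from the "Got:" (Type 1) and "Send:" (Type 2)
# decimal byte dumps in the port-8080 debug log above.
TYPE1_BYTES = bytes([78, 84, 76, 77, 83, 83, 80, 0, 1, 0, 0, 0, 7, 178, 0, 160,
                     7, 0, 7, 0, 40, 0, 0, 0, 8, 0, 8, 0, 32, 0, 0, 0,
                     87, 66, 67, 45, 84, 83, 45, 49, 68, 79, 77, 65, 73, 78, 49])
TYPE2_BYTES = bytes([78, 84, 76, 77, 83, 83, 80, 0, 2, 0, 0, 0, 0, 0, 0, 0,
                     40, 0, 0, 0, 1, 130, 0, 0, 216, 117, 139, 24, 181, 48, 159, 61,
                     0, 0, 0, 0, 0, 0, 0, 0])

# Subset of the NTLMSSP negotiate flags (bit values per MS-NLMP 2.2.2.5).
FLAGS = {0x00000001: "NEGOTIATE_UNICODE", 0x00000002: "NEGOTIATE_OEM",
         0x00000004: "REQUEST_TARGET", 0x00000200: "NEGOTIATE_NTLM",
         0x00001000: "OEM_DOMAIN_SUPPLIED", 0x00002000: "OEM_WORKSTATION_SUPPLIED",
         0x00008000: "NEGOTIATE_ALWAYS_SIGN"}

SIGNATURE = b"NTLMSSP\x00"


def _sec_buf(msg, pos):
    """Decode a security buffer (len, maxlen, offset) and return its payload."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]


def flag_names(flags):
    """Names of the known flag bits set in a 32-bit flags word, low bit first."""
    return [name for bit, name in sorted(FLAGS.items()) if flags & bit]


def parse_ntlm(msg):
    """Parse an NTLMSSP Type 1 (negotiate) or Type 2 (challenge) message."""
    if msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type, = struct.unpack_from("<I", msg, 8)
    if msg_type == 1:  # flags, then domain and workstation security buffers
        flags, = struct.unpack_from("<I", msg, 12)
        return {"type": 1, "flags": flags, "flag_names": flag_names(flags),
                "domain": _sec_buf(msg, 16).decode("ascii"),
                "host": _sec_buf(msg, 24).decode("ascii")}
    if msg_type == 2:  # target name buffer, flags, 8-byte server challenge
        target = _sec_buf(msg, 12)
        flags, = struct.unpack_from("<I", msg, 20)
        return {"type": 2, "flags": flags, "flag_names": flag_names(flags),
                "target": target, "challenge": msg[24:32].hex()}
    raise ValueError("unsupported message type %d" % msg_type)


if __name__ == "__main__":
    for m in (TYPE1_BYTES, TYPE2_BYTES):
        print(parse_ntlm(m))
```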