Re: Minor issue with AuthenNTLM
I would also support the fact that big companies are still using NTLM for non-critical resources (as a convenience). This is also my goal here (to protect a non-critical resource). For the future, the way to go is Kerberos; this is what Microsoft is pushing in replacement for NTLM. Any good literature for setting up Linux (with Apache) with Kerberos for SSO with Windows Clients? %)
Re: Minor issue with AuthenNTLM
On 3/30/2012 1:56 AM, Dami Laurent (PJ) wrote:
> -----Original message-----
> From: André Warnier [mailto:a...@ice-sa.com]
>
>>> I was considering forking the module and fixing bugs like these, but I am not quite sure how much sense that makes given the fact that NTLM is deprecated technology.
>>
>> Huh ? Who said that ? To my knowledge, 99% of large corporations use NTLM (Windows Domain Authentication) as their basic AAA mechanism.

Well, NTLM was DoA. It isn't HTTP compatible (0.9, 1.0 or 1.1). HTTP is stateless, MS NTLM presumes a stateful connection.

> For the future, the way to go is Kerberos; this is what Microsoft is pushing in replacement for NTLM.

Bingo.
Re: Minor issue with AuthenNTLM
William A. Rowe Jr. wrote:
> On 3/30/2012 1:56 AM, Dami Laurent (PJ) wrote:
>> -----Original message-----
>> From: André Warnier [mailto:a...@ice-sa.com]
>>
>>>> I was considering forking the module and fixing bugs like these, but I am not quite sure how much sense that makes given the fact that NTLM is deprecated technology.
>>>
>>> Huh ? Who said that ? To my knowledge, 99% of large corporations use NTLM (Windows Domain Authentication) as their basic AAA mechanism.
>
> Well, NTLM was DoA. It isn't HTTP compatible (0.9, 1.0 or 1.1). HTTP is stateless, MS NTLM presumes a stateful connection.
>
>> For the future, the way to go is Kerberos; this is what Microsoft is pushing in replacement for NTLM.
>
> Bingo.

I agree with all of the above, and NTLM is a p.i.t.a. Nevertheless, I have quite a few large international companies as customers, and all of them, today, are still using variations of NTLM. Most of them now use NTLMv2 as default, but many of them still support NTLMv1, for legacy reasons. In most of them, there is still a significant number of workstations and servers which run OS versions which do not support anything else, and/or application software ditto.

What MS is pushing is one thing (if anything, they need to sell more new OS licenses); what customers really do is not necessarily the same.
Re: Minor issue with AuthenNTLM
Hi André,

On 29-3-2012 10:59, André Warnier wrote:
>> I was considering forking the module and fixing bugs like these, but I am not quite sure how much sense that makes given the fact that NTLM is deprecated technology.
>
> Huh ? Who said that ? To my knowledge, 99% of large corporations use NTLM (Windows Domain Authentication) as their basic AAA mechanism.

Well, Microsoft said that:

"Implementers should be aware that NTLM does not support any recent cryptographic methods, such as AES or SHA-256. It uses cyclic redundancy check (CRC) http://msdn.microsoft.com/en-us/library/780943e9-42e6-4dbe-aa87-1dce828ba82a%28v=prot.10%29#CRC or message digest algorithms ([RFC1321] http://go.microsoft.com/fwlink/?LinkId=90275) for integrity, and it uses RC4 for encryption. Deriving a key http://msdn.microsoft.com/en-us/library/0aa17e1f-b3c1-478a-9bf0-2d826888d081%28v=prot.10%29#key from a password is as specified in [RFC1320] http://go.microsoft.com/fwlink/?LinkId=90274 and [FIPS46-2] http://go.microsoft.com/fwlink/?LinkId=89871. Therefore, applications are generally advised not to use NTLM. [74] http://msdn.microsoft.com/en-us/library/a211d894-21bc-4b8b-86ba-b83d0c167b00%28v=prot.10%29#id74"

Ref: http://msdn.microsoft.com/en-us/library/cc236715%28v=PROT.10%29.aspx

So, really, the convenience of Apache2::AuthenNTLM is that it is set up relatively easily, but it only works well on 'older' infrastructure and it has the mentioned security implications. Although, on the other hand, if you use SSL, and if the alternative is authentication with domain username / password, this is not much different in reality.

Kerberos (or especially mod_auth_kerb) is in my experience a pain to set up; also, the error messages are very tricky. I found even with the 'definitive guide' on Grolmsnet it was still tedious and difficult to understand the different error messages. I would *HEART* it if at least the distros would make setting up mod_auth_kerb a little easier.

BTW I found that if you're on Windows it is actually quite easy to do Single Sign On with Apache using mod_auth_sspi.

-- Mike
RE: Minor issue with AuthenNTLM
-----Original message-----
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Thursday, 29 March 2012 11:00
To: mod_perl list
Subject: Re: Minor issue with AuthenNTLM

> Michiel Beijen wrote:
>> Hi,
>>
>> IP wrote on 2012-03-27 16:03:
>>> I've successfully managed to make AuthenNTLM work with my PHP script, but for some reason the Apache error log is now flooded with messages like:
>>>
>>> [error] Bad/Missing NTLM/Basic Authorization Header for /somefile.php
>>
>> This is actually reported as a (very old) bug in the RT queue for the module:
>> https://rt.cpan.org/Public/Bug/Display.html?id=39602
>>
>> I was considering forking the module and fixing bugs like these, but I am not quite sure how much sense that makes given the fact that NTLM is deprecated technology.
>
> Huh ? Who said that ? To my knowledge, 99% of large corporations use NTLM (Windows Domain Authentication) as their basic AAA mechanism.

If I remember correctly, Apache2::AuthenNTLM only supports NTLMv1, and recent versions of Windows require NTLMv2 by default (but apparently you can force it back to v1 by deploying some policies on the workstations).

About forking the module .. I also considered that option a few years ago; fixing the bug mentioned above would be convenient, and adapting for NTLMv2 would be great ... but I gave up because it seemed very hard to grasp the logic and be able to modify it. The only thing I could come up with was Apache2::AuthenNTLM::Cookie, which keeps the identity in a cookie so that the NTLM handshake occurs only once ... and therefore you have fewer messages in your Apache log.

Another bug with Apache2::AuthenNTLM is that it uses a semaphore for mutual exclusion; I'm not even sure that this semaphore is really necessary, but anyway sometimes there is a deadlock and requests have to wait for 30 or 40 seconds without reason.

For the future, the way to go is Kerberos; this is what Microsoft is pushing in replacement for NTLM.
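The "identity in a cookie" idea Dami describes, modelled here as an added example that is not the code of Apache2::AuthenNTLM or Apache2::AuthenNTLM::Cookie: once the NTLM handshake has succeeded the server sets an HMAC-signed, expiring cookie, and later requests that present a valid cookie skip the handshake, so they never reach the "Bad/Missing NTLM/Basic Authorization Header" path. The key, the cookie name and the header layout are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

# Constructed demo key; a real deployment loads it from configuration, never from source.
SECRET_KEY = b"constructed-demo-key-not-for-production"
COOKIE_NAME = "NTLMAuthSession"  # hypothetical cookie name, not the module's own


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def issue_cookie(user: str, now: int, ttl: int = 3600) -> str:
    """Value to set once the NTLM handshake has completed: 'user|expiry|nonce', HMAC-signed."""
    payload = f"{user}|{now + ttl}|{secrets.token_hex(8)}".encode()
    b64 = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{b64}.{_sign(payload)}"


def verify_cookie(value: str, now: int):
    """Return the user name if the cookie is authentic and unexpired, otherwise None."""
    try:
        b64, sig = value.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
        user, expiry, _nonce = payload.decode().split("|", 2)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    if not hmac.compare_digest(_sign(payload), sig):  # constant-time tamper check first
        return None
    if now >= int(expiry):  # expired: force a fresh NTLM handshake
        return None
    return user


def set_cookie_header(value: str) -> str:
    """Send the cookie only over TLS (as Mike notes above) and keep it away from scripts."""
    return f"{COOKIE_NAME}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def needs_ntlm_handshake(headers: dict, now: int) -> bool:
    """True when the request must go through the NTLM handshake again. With a valid
    cookie the handler never reaches the 'Bad/Missing NTLM/Basic Authorization Header'
    path, so only the first request per session pays for (and logs) the handshake."""
    raw = headers.get("Cookie", "")
    cookies = dict(c.strip().split("=", 1) for c in raw.split(";") if "=" in c)
    return verify_cookie(cookies.get(COOKIE_NAME, ""), now) is None
```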
Re: Minor issue with AuthenNTLM
Hi,

IP wrote on 2012-03-27 16:03:
> I've successfully managed to make AuthenNTLM work with my PHP script, but for some reason the Apache error log is now flooded with messages like:
>
> [error] Bad/Missing NTLM/Basic Authorization Header for /somefile.php

This is actually reported as a (very old) bug in the RT queue for the module:
https://rt.cpan.org/Public/Bug/Display.html?id=39602

I was considering forking the module and fixing bugs like these, but I am not quite sure how much sense that makes given the fact that NTLM is deprecated technology.

-- Mike
Re: Minor issue with AuthenNTLM
Michiel Beijen wrote:
> Hi,
>
> IP wrote on 2012-03-27 16:03:
>> I've successfully managed to make AuthenNTLM work with my PHP script, but for some reason the Apache error log is now flooded with messages like:
>>
>> [error] Bad/Missing NTLM/Basic Authorization Header for /somefile.php
>
> This is actually reported as a (very old) bug in the RT queue for the module:
> https://rt.cpan.org/Public/Bug/Display.html?id=39602
>
> I was considering forking the module and fixing bugs like these, but I am not quite sure how much sense that makes given the fact that NTLM is deprecated technology.

Huh ? Who said that ? To my knowledge, 99% of large corporations use NTLM (Windows Domain Authentication) as their basic AAA mechanism.
Re: Minor issue with AuthenNTLM
> I was considering forking the module and fixing bugs like these, but I am not quite sure how much sense that makes given the fact that NTLM is deprecated technology.

If you're considering forking it, it may not be deprecated. I'd suggest trying to release a module to CPAN that resolves your specific issue, but has a slightly different namespace than Apache2::NTLM. Make it clear what your module does that Apache2::NTLM does not. Maybe Apache2::NTLM::OTRS. If the bug you are running into is a blocker for a lot of NTLM users, you should see an increase in the use of your module. This is a very healthy software development process, one that I think GitHub is really doing a great job of executing on.

On Wednesday, March 28, 2012 at 11:18 PM, Michiel Beijen wrote:
> Hi,
>
> IP wrote on 2012-03-27 16:03:
>> I've successfully managed to make AuthenNTLM work with my PHP script, but for some reason the Apache error log is now flooded with messages like:
>>
>> [error] Bad/Missing NTLM/Basic Authorization Header for /somefile.php
>
> This is actually reported as a (very old) bug in the RT queue for the module:
> https://rt.cpan.org/Public/Bug/Display.html?id=39602
>
> -- Mike
Minor issue with AuthenNTLM
Hi everyone,

I've successfully managed to make AuthenNTLM work with my PHP script, but for some reason the Apache error log is now flooded with messages like:

[error] Bad/Missing NTLM/Basic Authorization Header for /somefile.php

It seems the message is generated for every single file the browser tries to read. From the NTLM side everything works, the user is correctly authenticated; the problem is only these mysterious messages.

If this isn't the right place to ask, please point me in the right direction :)

Any help is appreciated, thanks.