NTLM not working with moodle 3.4 and IIS 8.5


by Guybrush Threepwood -
Number of replies: 9

We have Moodle on IIS (8.5) and NTLM has not been working since we migrated from 3.3 to 3.4 and PHP 7.1.6 to 7.2.3.

Before, when users were authenticated by the browser, they were then directly logged in by Moodle.

Now, the users have to enter their credentials on Moodle login page.

I've checked the configuration based on the documentation (https://docs.moodle.org/35/en/NTLM_authentication), but all looks fine. LDAP authentication works perfectly, by the way...

Do you have any idea on how to troubleshoot that situation?

In reply to Guybrush Threepwood

Re: NTLM not working with moodle 3.4 and IIS 8.5

by Leon Stringer -

What exactly does happen when the user clicks login? Is there an NTLM authentication attempt that fails? Can you take us through what happens?

Is the 3.4 site on the same server as the 3.3 site? If so, in IIS was a new site set up in the IIS Manager console or did you overwrite the source code in the existing directory? If it was a new IIS site or on a new server I'm wondering if there's a setting in IIS that hasn't been mirrored.

In reply to Leon Stringer

Re: NTLM not working with moodle 3.4 and IIS 8.5

by Guybrush Threepwood -

Hello,

When the user gets to the site, the user/password is asked for, as Anonymous access is disabled. Then the user clicks on Login and is asked for a username and password again (Moodle login form). Before (with version 3.3), the user was directly connected without entering his credentials again. The hosting server is the same and we are using the same IIS web site as before the migration (overwriting the code).

I have the same behaviour with my prod and dev sites.


Best regards

In reply to Guybrush Threepwood

Re: NTLM not working with moodle 3.4 and IIS 8.5

by Matteo Scaramuccia -

Hi Guybrush,
how did you perform the migration from 3.3 to 3.4: by updating the 3.3 instance or by importing backups from 3.3 into a brand new 3.4 instance?

It looks like the NTLM Authentication has not been enabled in your 3.4 instance.

HTH,
Matteo

In reply to Matteo Scaramuccia

Re: NTLM not working with moodle 3.4 and IIS 8.5

by Guybrush Threepwood -

Hello,

I updated the 3.3 instance.

In the LDAP settings, ntlmsso_enabled is still set to "Yes"

In reply to Guybrush Threepwood

Re: NTLM not working with moodle 3.4 and IIS 8.5

by Matteo Scaramuccia -

Hi Guybrush,
has any other change happened during this planned migration?

E.g.: PHP version, a new IIS site/vfolder to keep both the old and the new instance side-by-side for a while, ....

HTH,
Matteo

In reply to Matteo Scaramuccia

Re: NTLM not working with moodle 3.4 and IIS 8.5

by Guybrush Threepwood -

  • The IIS site is the same
  • PHP change from version 7.1.6 to 7.2.3
  • I used a new root folder, but set the same NTFS permissions as on the old one
  • I checked that Anonymous access is disabled on ntlmsso_magic.php

In reply to Guybrush Threepwood

Re: NTLM not working with moodle 3.4 and IIS 8.5

by Leon Stringer -

From your description earlier it sounds like, as far as you can see, NTLM single sign-on isn't being attempted, is that correct?

Is the NTLM SSO Subnet field configured in your Moodle site? From memory, you can't just leave this blank. Double-check that your clients fall into this subnet. You can check the Moodle site logs to see which IP addresses are being seen by the server.
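As an added illustration of the subnet check Leon describes (example code written for this page, not Moodle's own address_in_subnet() implementation): a Python re-implementation of the three entry notations Moodle's IP-list fields accept (CIDR, last-octet range, dotted prefix), tried against the client address that appears later in the thread. Treating an empty field as matching nothing is this example's assumption, not a statement about Moodle; confirm how the release you run handles a blank NTLM SSO Subnet.

```python
"""Re-implementation (for illustration only) of the IP-list matching used by
Moodle's subnet fields, so a client address can be checked offline against
the value entered in "NTLM SSO Subnet".

Accepted entry forms, comma-separated, whitespace ignored:
  1. CIDR             157.26.0.0/16
  2. last-octet range 157.26.165.1-50
  3. dotted prefix    157.26.165.
  4. a single address 157.26.165.37
"""
import ipaddress


def address_in_subnet(addr, subnets):
    """Return True if `addr` (IPv4 or IPv6 string) matches any entry.

    Assumption of this example: an empty `subnets` string matches nothing.
    """
    ip = ipaddress.ip_address(addr.strip())
    text = str(ip)
    for entry in (e.strip() for e in subnets.split(",")):
        if not entry:
            continue
        if "/" in entry:
            # CIDR block; strict=False tolerates host bits set in the entry.
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        elif "-" in entry and ip.version == 4:
            # Range over the last octet: a.b.c.first-last
            base, last = entry.rsplit("-", 1)
            prefix, first = base.rsplit(".", 1)
            if text.startswith(prefix + "."):
                octet = int(text.rsplit(".", 1)[1])
                if int(first) <= octet <= int(last):
                    return True
        elif entry.endswith(".") and ip.version == 4:
            # Dotted prefix: "157.26." covers the whole /16, "157.26.1." the /24
            if text.startswith(entry):
                return True
        elif ip == ipaddress.ip_address(entry):
            return True
    return False


def explain(addr, subnets):
    """Human-readable verdict for an admin comparing the log IP to the field."""
    verdict = "inside" if address_in_subnet(addr, subnets) else "OUTSIDE"
    return f"client {addr} is {verdict} the configured subnet list {subnets!r}"


if __name__ == "__main__":
    # Client address taken from the IIS log excerpt posted in this thread,
    # checked against a class B block written three different ways.
    client = "157.26.165.37"
    for field in ("157.26.0.0/16", "157.26.165.1-50", "157.26.", ""):
        print(explain(client, field))
```

Run it with the exact string pasted into the Moodle setting; if the verdict is OUTSIDE for the address the IIS log shows in the c-ip column (note that a reverse proxy would put its own address there), the SSO hook never fires and the plain login form is what the user sees.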

In reply to Leon Stringer

Re: NTLM not working with moodle 3.4 and IIS 8.5

by Guybrush Threepwood -

No, NTLM SSO is not even attempted.

For the subnet field, I chose the class B subnet that we own. I even tried leaving it empty. The client IP falls in the range.

Here's the log:

When opening the page and clicking on Login

2018-05-25 05:56:15 157.26.166.46 GET / - 80 - 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 401 2 5 109
2018-05-25 05:56:15 157.26.166.46 GET / - 80 domain\user 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 303 0 0 484
2018-05-25 05:56:15 157.26.166.46 GET / - 443 - 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 401 2 5 0
2018-05-25 05:56:17 157.26.166.46 GET / - 443 domain\user 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 200 0 0 828
2018-05-25 05:56:17 157.26.166.46 GET /theme/image.php/more/theme/1526288275/favicon - 443 domain\user 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 200 0 0 15
2018-05-25 05:56:17 157.26.166.46 POST /lib/ajax/service.php sesskey=chGGzRFpJ9&info=core_fetch_notifications 443 domain\user 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://learn-dev.s2.rpn.ch/ 200 0 0 62
2018-05-25 05:56:21 157.26.166.46 GET /login/index.php - 443 domain\user 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://learn-dev.s2.rpn.ch/ 200 0 0 234
2018-05-25 05:56:21 157.26.166.46 GET /theme/image.php/more/core/1526288275/help - 443 domain\user 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://learn-dev.s2.rpn.ch/login/index.php 200 0 0 0
2018-05-25 05:56:21 157.26.166.46 POST /lib/ajax/service.php sesskey=chGGzRFpJ9&info=core_fetch_notifications 443 domain\user 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://learn-dev.s2.rpn.ch/login/index.php 200 0 0 31


When entering the credentials and click OK:

2018-05-25 05:57:47 157.26.166.46 POST /login/index.php - 443 domain\user 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://learn-dev.s2.rpn.ch/login/index.php 303 0 0 531
2018-05-25 05:57:47 157.26.166.46 GET /login/index.php testsession=15 443 domain\user 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://learn-dev.s2.rpn.ch/login/index.php 303 0 0 46
2018-05-25 05:57:48 157.26.166.46 GET / - 443 domain\user 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://learn-dev.s2.rpn.ch/login/index.php 200 0 0 1249
2018-05-25 05:57:48 157.26.166.46 POST /lib/ajax/service.php sesskey=Hfma2wkTVv&info=core_message_get_unread_conversations_count 443 domain\user 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://learn-dev.s2.rpn.ch/ 200 0 0 78
2018-05-25 05:57:48 157.26.166.46 POST /lib/ajax/service.php sesskey=Hfma2wkTVv&info=core_fetch_notifications 443 domain\user 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://learn-dev.s2.rpn.ch/ 200 0 0 187
2018-05-25 05:57:48 157.26.166.46 POST /lib/ajax/service.php sesskey=Hfma2wkTVv&info=message_popup_get_unread_popup_notification_count 443 domain\user 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://learn-dev.s2.rpn.ch/ 200 0 0 218

I replaced the credentials with "domain\user".

In reply to Guybrush Threepwood

Re: NTLM not working with moodle 3.4 and IIS 8.5

by Leon Stringer -

Unfortunately I don't have a working environment to compare this with but the first four lines of the first excerpt indicate that the environment isn't configured in line with the documentation.

  1. Line 1 is a request on port 80 for the Moodle home page being rejected by IIS as unauthenticated with the response code 401 Unauthorized.
  2. Line 2 is IE automatically sending the NTLM authentication for its user and being redirected to port 443 for HTTPS access with response code 303 See Other.
  3. Line 3 is IE following that redirect to the HTTPS site but since HTTPS and HTTP count as different sites it again gets rejected by IIS as unauthenticated with 401 Unauthorized.
  4. Line 4 is IE again sending the NTLM authentication and finally getting the Moodle home page with a 200 OK response.

The Moodle documentation for NTLM single sign-on says to configure the file /auth/ldap/ntlmsso_magic.php for authenticated access, but these lines indicate that access to /index.php has also been configured in this way, thus the unexpected 401 responses.

Maybe this is something you've done deliberately and maybe it doesn't actually affect the issue but it's worth looking into. You may have inadvertently configured the whole Moodle folder for authenticated access.

Average of ratings: Useful (1)
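To turn Leon's reading of the log excerpt into a repeatable check, here is an added example (written for this page, not code from Moodle or from any poster) that parses the IIS W3C log lines quoted above and reports which paths challenge anonymous clients and whether ntlmsso_magic.php was ever requested. The field layout is assumed from the 15 columns in the excerpt, since no `#Fields:` header was posted; the sample lines are copied from the thread with the username already masked by the poster.

```python
"""Check IIS W3C log lines for NTLM SSO misconfiguration symptoms:
  - anonymous requests answered with 401 on paths other than the SSO script
    (Windows Authentication enabled too broadly, as Leon suspects), and
  - whether the browser was ever sent to /auth/ldap/ntlmsso_magic.php at all
    (if not, Moodle never started the SSO attempt).
"""
from collections import defaultdict

# Assumed column order of the default IIS W3C log; matches the 15 fields
# visible in the excerpt posted in this thread.
FIELDS = [
    "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
    "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
    "sc-status", "sc-substatus", "sc-win32-status", "time-taken",
]

# The only path the Moodle NTLM docs say to protect with Windows Authentication.
SSO_SCRIPT = "/auth/ldap/ntlmsso_magic.php"

# Lines copied from the thread above (raw string: the username contains "\u").
SAMPLE_LOG = r"""
2018-05-25 05:56:15 157.26.166.46 GET / - 80 - 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 401 2 5 109
2018-05-25 05:56:15 157.26.166.46 GET / - 80 domain\user 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 303 0 0 484
2018-05-25 05:56:15 157.26.166.46 GET / - 443 - 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 401 2 5 0
2018-05-25 05:56:17 157.26.166.46 GET / - 443 domain\user 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 200 0 0 828
2018-05-25 05:56:17 157.26.166.46 GET /theme/image.php/more/theme/1526288275/favicon - 443 domain\user 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 200 0 0 15
2018-05-25 05:56:17 157.26.166.46 POST /lib/ajax/service.php sesskey=chGGzRFpJ9&info=core_fetch_notifications 443 domain\user 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://learn-dev.s2.rpn.ch/ 200 0 0 62
2018-05-25 05:56:21 157.26.166.46 GET /login/index.php - 443 domain\user 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://learn-dev.s2.rpn.ch/ 200 0 0 234
2018-05-25 05:56:21 157.26.166.46 GET /theme/image.php/more/core/1526288275/help - 443 domain\user 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://learn-dev.s2.rpn.ch/login/index.php 200 0 0 0
2018-05-25 05:56:21 157.26.166.46 POST /lib/ajax/service.php sesskey=chGGzRFpJ9&info=core_fetch_notifications 443 domain\user 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://learn-dev.s2.rpn.ch/login/index.php 200 0 0 31
2018-05-25 05:57:47 157.26.166.46 POST /login/index.php - 443 domain\user 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://learn-dev.s2.rpn.ch/login/index.php 303 0 0 531
2018-05-25 05:57:47 157.26.166.46 GET /login/index.php testsession=15 443 domain\user 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://learn-dev.s2.rpn.ch/login/index.php 303 0 0 46
2018-05-25 05:57:48 157.26.166.46 GET / - 443 domain\user 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://learn-dev.s2.rpn.ch/login/index.php 200 0 0 1249
2018-05-25 05:57:48 157.26.166.46 POST /lib/ajax/service.php sesskey=Hfma2wkTVv&info=core_message_get_unread_conversations_count 443 domain\user 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://learn-dev.s2.rpn.ch/ 200 0 0 78
2018-05-25 05:57:48 157.26.166.46 POST /lib/ajax/service.php sesskey=Hfma2wkTVv&info=core_fetch_notifications 443 domain\user 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://learn-dev.s2.rpn.ch/ 200 0 0 187
2018-05-25 05:57:48 157.26.166.46 POST /lib/ajax/service.php sesskey=Hfma2wkTVv&info=message_popup_get_unread_popup_notification_count 443 domain\user 157.26.165.37 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://learn-dev.s2.rpn.ch/ 200 0 0 218
"""


def parse_line(line):
    """Split one W3C line into a dict, or return None for headers/blank lines."""
    parts = line.split()
    if not parts or line.startswith("#") or len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["sc-status"] = int(rec["sc-status"])
    rec["sc-substatus"] = int(rec["sc-substatus"])
    rec["s-port"] = int(rec["s-port"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def anonymous_challenges(records):
    """{uri_stem: count} of requests with no cs-username that IIS answered 401.
    A '-' username plus 401.2 means IIS itself challenged the client, i.e.
    Anonymous Authentication is disabled for that path."""
    hits = defaultdict(int)
    for r in records:
        if r["cs-username"] == "-" and r["sc-status"] == 401:
            hits[r["cs-uri-stem"]] += 1
    return dict(hits)


def misconfigured_paths(records):
    """Paths challenged by IIS that the Moodle docs say should stay anonymous."""
    return sorted(p for p in anonymous_challenges(records) if p != SSO_SCRIPT)


def sso_attempted(records):
    return any(r["cs-uri-stem"] == SSO_SCRIPT for r in records)


def report(text):
    recs = parse_log(text)
    return {
        "requests": len(recs),
        "challenged_paths": misconfigured_paths(recs),
        "sso_attempted": sso_attempted(recs),
    }


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the posted excerpt this yields `challenged_paths == ['/']` and `sso_attempted == False`: the site root is protected by Windows Authentication and the magic script is never reached, which is exactly the picture Leon draws from lines 1 to 4. Point the script at a full day's log (the default IIS location is under `%SystemDrive%\inetpub\logs\LogFiles`) to see whether any request for ntlmsso_magic.php ever arrives, and to list every other path that is challenging anonymous clients.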