NTLM on Windows/Apache system

by Red Morris -
Number of replies: 31

Has anyone managed to get the plug-in working on this kind of platform?

I can get to the point where offcampuslogin.php works fine, and oncampuslogin.php just gives me

NTLM/Integrated Authentication on this page has not been enabled, please contact your server admin for details.
Click here to login via the offcampus login page

I've found a couple of NTLM for Apache modules, but they are all for Linux, and being neither an Apache nor a Linux expert, translating the instructions to work for Windows is a bit beyond me at the moment.

It seems that all I need to do is set up authentication on that one oncampuslogin page. I'm amazed what sounds quite simple is so hard. Can anybody offer some expertise?

Or maybe this very good looking guide for another product can be used as a base for someone with more knowledge in this area

In reply to Red Morris

Re: NTLM on Windows/Apache system

by Alastair Hole -
We are successfully using ntlm with active directory, using apache2 on Windows Server 2003.
For NTLM in apache, we use 'mod_auth_sspi' http://sourceforge.net/projects/mod-auth-sspi/

I believe it is more stable than mod_ntlm (we have had no problems with it)
In reply to Alastair Hole

Re: NTLM on Windows/Apache system

by Red Morris -

Fantastic! Someone with a mirrored setup to mine.

But unfortunately I'm getting the same results. I've added the mod_auth_sspi.so file to the apache/modules folder, whoami to a new folder under apache called cgi-bin, and added the following to httpd.conf:

    LoadModule sspi_auth_module modules/mod_auth_sspi.so
    Include c:/xampplite/apache/include/apache2.conf

Made a folder called include and created an apache2.conf which looks like this:

    <Directory "C:/xampplite/moodle/auth/ntlm">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all

        AuthName "Login using your DOMAIN username and password"

        AuthType SSPI
        SSPIAuth On
        SSPIAuthoritative On
        require valid-user
    </Directory>

And changed the User Authentication page to look at the oncampuslogin.php page.

All that and I still get the same error message. Can you see something wrong in what I've done?

In reply to Red Morris

Re: NTLM on Windows/Apache system

by Alastair Hole -
Go to:
http://yourmoodle.ac.uk/admin/phpinfo.php
Obviously substitute the domain name for your Moodle's name.
Search within that page for 'mod_auth_sspi' - this will confirm that the module has been loaded correctly. Once you have confirmed that, we can take a look at its configuration and then eventually look at the Moodle configuration.
In reply to Alastair Hole

Re: NTLM on Windows/Apache system

by Red Morris -

Yes, it is there, 6 times.

Thanks for the help. Much appreciated.

In reply to Red Morris

Re: NTLM on Windows/Apache system

by Alastair Hole -
Cool, now we have proved that the module is being loaded.
I assume it is picking up your configuration too as it appears you did both in the same apache config file.

Next, I shall find our sspi apache configuration and we shall compare them.

EDIT:
We have the following configuration:
In the main apache config file we have the following directive:
<Directory "C:/moodle">
    AllowOverride AuthConfig
</Directory>

This allows us to configure authentication using a '.htaccess' per-directory options file for any directory under C:\moodle
This is important to us, as it allows us to avoid editing the main config file to setup additional Moodle installations and therefore without having to restart apache.

Next, create a new text file called '.htaccess' (Windows Explorer may well be too stupid to create a file without a 'filename', you may have to touch the file at the command line and then you can edit it in notepad) in the directory moodle/auth/ntlm. Enter the following:

<Files oncampuslogin.php>
    AuthName "Moodle at My College"
    AuthType SSPI
    SSPIAuth On
    SSPIOfferBasic Off
    SSPIAuthoritative On
    SSPIDomain mycollege.ac.uk
    require valid-user
</Files>

Save the file, restart apache for good measure (to make sure it picked up the AllowOverride directives)

This method works well for us but obviously can be adapted to suit your situation. If things are still broken after this, we'll take a look at the Moodle configuration.
In reply to Alastair Hole

Re: NTLM on Windows/Apache system

by Dan Marsden -

Hi Alastair,

any chance you could add some of this to the Moodledocs page for the NTLM plugin? - maybe by adding an item for 3.2.3

http://docs.moodle.org/en/auth/ntlm

thanks!

smile

Dan

 

*Edit* I've added 3.2.3 and added a link to this discussion - would love someone to flesh out the docs with full instructions!

In reply to Alastair Hole

Re: NTLM on Windows/Apache system

by Red Morris -

I've added the lines to httpd.conf and created the .htaccess file, and nothing seems to have changed.

I read in some of the threads and web pages that some apache variables need to be set. This may have been for a different module though, as there are about 3 out there. I have a recollection of dbsessions needing to be set to yes. Does that mean anything?

 

Edit: Actually, something has changed. I now can't log in through offcampuslogin with either LDAP or manual accounts!

In reply to Red Morris

Re: NTLM on Windows/Apache system

by Alastair Hole -
I think I may know what the problem is...
Different web servers and different ntlm modules use different server variables to store the current username.

We have the following line in our oncampuslogin.php to fix this:
$_SERVER['AUTH_USER'] = $_SERVER['REMOTE_USER'];

So, the script is expecting the username to be held in the variable $_SERVER['AUTH_USER'] but apache is setting it in $_SERVER['REMOTE_USER'] instead.

Which version of Moodle are you using? We're using 1.6.1, and have added the code around line 80, above the following line; change:

    if (isset($_SERVER['AUTH_USER']) && $_SERVER['AUTH_USER'] != '') {

to:
    $_SERVER['AUTH_USER'] = $_SERVER['REMOTE_USER'];
    if (isset($_SERVER['AUTH_USER']) && $_SERVER['AUTH_USER'] != '') {

This is a bit of a hack, there would be a way of modifying the code to auto detect which variable is present.

Hopefully this will fix it, let me know how you get on
Alastair
In reply to Alastair Hole

Re: NTLM on Windows/Apache system

by Red Morris -

OK, panic over. And I was panicking a little as I have to demonstrate Moodle to a lot of people tomorrow!

OK, I now have the AllowOverride line in httpd.conf, the .htaccess file, and the extra line in oncampuslogin.php and it's back to semi-working. I'll describe what happens currently.

If I click on Login I get oncampuslogin.php with the NTLM/Integrated Authentication error, but I can click the link to take me to offcampuslogin.php.

At offcampuslogin I can log in with both LDAP and manual accounts, but with both I get redirected back to oncampuslogin with the same previous error. The only difference is that in the top right it now says 'You are logged in as Red Morris'. So it's worked, but odd behaviour.

Does that help at all?

Edit: It seems that it was commenting the line in httpd.conf that included my include file that broke it. This is what's in the include file:

<Directory "C:/xampplite/moodle/auth/ntlm">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all

    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On

    require valid-user
</Directory>

In reply to Red Morris

Re: NTLM on Windows/Apache system

by Alastair Hole -
What 'Alternate Login URL' do you have set in the ntlm settings page in the Moodle admin?
We're using: /auth/ntlm/index.php

EDIT: Is it working now?
As far as I know, only oncampuslogin.php should be configured to require ntlm authentication. Setting it for the whole ntlm directory requires you to still have valid ntlm credentials to use the offcampuslogin.php
The directives in the .htaccess file set this up, so the directives in your include file will not be needed. (Provided the AllowOverride AuthConfig is set for the main Moodle directory in the main apache config)
In reply to Alastair Hole

Re: NTLM on Windows/Apache system

by Red Morris -

No, it's not working. My last post was a bit confusing. I meant that without the include file I couldn't log on at all.

The URL was set to oncampuslogin, but setting it to index makes no perceivable difference.

D'Oh! Just found something that's probably having an effect. Another Directory section in httpd.conf for the same directory. I've now merged the one line into it, so it looks like this with the comments removed:

<Directory "C:/xampplite/moodle">
    Options Indexes FollowSymLinks Includes ExecCGI
    
    AllowOverride AuthConfig

    Order allow,deny
    Allow from all
</Directory>

Is there anything in there that could be breaking it?

In reply to Red Morris

Re: NTLM on Windows/Apache system

by Alastair Hole -
The URL must not be set to oncampuslogin.php, otherwise off campus login will never work without authenticating via ntlm as well anyway.

Is your .htaccess file correctly placed in the moodle/auth/ntlm directory?
If it is, paste what you have in that file and I'll check it for you.

Also, I have added some info into the wiki for this:
http://docs.moodle.org/en/NTLM_authentication#Using_the_mod_auth_sspi_Module_for_Apache_2
In reply to Alastair Hole

Re: NTLM on Windows/Apache system

by Red Morris -

Yeah it is. Here's what I have in it:

<Files oncampuslogin.php>
    AuthName "Moodle at My College"
    AuthType SSPI
    SSPIAuth On
    SSPIOfferBasic Off
    SSPIAuthoritative On
    # tried with and without .ac.uk
    SSPIDomain midkent

    require valid-user
</Files>

I'll have a look at your Wiki soon. Just trawling through listings of Apache commands at the moment. Still on that learning curve!

In reply to Red Morris

Re: NTLM on Windows/Apache system

by Alastair Hole -
That all looks OK, however the domain must have the '.ac.uk' if that is what is used in active directory.

You could try the non-htaccess method described in the wiki, it is possible that there is an issue with using htaccess files with your (non standard?) apache installation.
In reply to Alastair Hole

Re: NTLM on Windows/Apache system

by Red Morris -

This is interesting. I'm logged on to my PC as rmorris, the server as administrator, IE session as rmorris, yet when I edit oncampuslogin to add this at line 88:

$user = get_complete_user_data('username', $_SERVER['AUTH_USER']);
echo $frm->username;
} else if ((!empty($SESSION->wantsurl) and strstr($SESSION->wantsurl, 'username=guest')) or $loginguest) {

the page then loads with dcadmin at the top, another admin account, but not the one I'm using on the server, nor ldap binding! mixed

In reply to Red Morris

Re: NTLM on Windows/Apache system

by Alastair Hole -
What happens when you echo just $_SERVER['AUTH_USER'] ?

Did you definitely edit the code to include the
$_SERVER['AUTH_USER'] = $_SERVER['REMOTE_USER'];
line as described above?
In reply to Alastair Hole

Re: NTLM on Windows/Apache system

by Red Morris -

Yes I did. I did testing to follow the variable all the way down. It starts out in REMOTE_USER as midkent/dcadmin (so that line IS needed), gets passed to AUTH_USER, strips the domain off, and ends up as dcadmin. But where the hell is this coming from? Of course it's not going to verify against my logon if it's trying with dcadmin.

Edit: Just tried logging on as dcadmin and it didn't work. Another person in the team gets her own logon id, but still no successful logon

In reply to Red Morris

Re: NTLM on Windows/Apache system

by Alastair Hole -
OK, this suggests that IE is passing the username as dcadmin.
Make sure you logout, restart the browser and try again.
Alternatively, use firefox to test it manually (it will prompt you for a u/p)
In reply to Alastair Hole

Re: NTLM on Windows/Apache system

by Red Morris -

Oooo! Some success! Logging on to another machine as me worked. The woman in my team I used to test earlier doesn't work on her machine or the one that works for me though, but that may be because her log on is non-standard.

I'm going to do a bit more testing with other accounts, but we're getting there. Yay!

In reply to Red Morris

Re: NTLM on Windows/Apache system

by Alastair Hole -
Woohoo! We got there eventually.
It now seems like the apache/Moodle setup is complete and there are just a few remaining issues with people's AD accounts and the way they log in etc.

Hope you get them nailed, and good luck with your presentation

smile
In reply to Alastair Hole

Re: NTLM on Windows/Apache system

by Red Morris -

Already got the woman in my team's account working, and tested two test student accounts successfully too. The only outstanding anomaly is logging on as me on my machine, but I can live with that!

Thanks so much for leading me through it all Alastair. Having this working at the presentation tomorrow will put a few of those Blackboard advocates in their place! big grin

In reply to Red Morris

Re: NTLM on Windows/Apache system

by Alastair Hole -
Glad to help smile
As you say, auto-login can really be critical for some people, especially when moving from commercial systems that already support it out of the box.
In reply to Red Morris

Re: NTLM on Windows/Apache system

by Dan Marsden -
Good to hear you've managed to get it working! - sometimes NTLM authentication gets screwed up in a user's profile (not sure exactly how)
if you recreate your AD profile it might fix things up! - also there's a setting in IE that specifies whether to login automatically or "always prompt"

In IE -> internet options -> security tab > Local Intranet zone -> custom -> scroll down the bottom of one of those tabs - and set it to "automatically logon only in intranet zone" - also make sure that your internal site is managed as an internal address by IE.

hopefully that all makes sense!

good luck!

smile

Dan
In reply to Dan Marsden

Re: NTLM on Windows/Apache system

by Red Morris -

Thanks Dan. Security was already set to that, and it works OK for me on another machine, so I think it must be a local profile issue. We don't have roaming profiles.

May I suggest adding Alastair's suggestion to the next version at around line 77 so that people using Apache don't have to hack the code? I think it's pretty safe.

if (isset($_SERVER['REMOTE_USER']) && $_SERVER['REMOTE_USER'] != '') {
    $_SERVER['AUTH_USER'] = $_SERVER['REMOTE_USER'];
}
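Alastair mentioned earlier that the script could auto-detect which server variable is present instead of blindly copying REMOTE_USER, and Red's snippet above is a first step towards that. The function below is an added example, not Moodle's code and not posted by anyone in this thread; its name, the array parameter and the optional expected-domain argument are my own assumptions.

```php
<?php
// Added example, not Moodle's own code: pick the authenticated username out of
// whichever server variable the web server actually populated, and strip the
// domain prefix. IIS sets AUTH_USER (and REMOTE_USER); Apache + mod_auth_sspi
// sets REMOTE_USER only. Function name and $expecteddomain are assumptions.

/**
 * Return the bare, lower-cased username the web server authenticated, or null
 * if the request carries no authenticated user.
 *
 * @param array       $server         normally $_SERVER; passed in so it can be tested
 * @param string|null $expecteddomain if set, only users of this domain are accepted
 *                                    (e.g. 'MIDKENT'); compared case-insensitively
 */
function ntlm_authenticated_username(array $server, $expecteddomain = null) {
    // REMOTE_USER first: it is what mod_auth_sspi sets and what IIS also provides.
    foreach (array('REMOTE_USER', 'AUTH_USER') as $var) {
        if (!isset($server[$var]) || trim($server[$var]) === '') {
            continue;                      // variable absent or empty: try the next one
        }
        $raw = trim($server[$var]);
        $domain = null;
        $username = $raw;
        // mod_auth_sspi reports "DOMAIN\user"; the thread shows "midkent/dcadmin",
        // so accept either separator but insist on exactly one of them.
        if (preg_match('#^([^\\\\/]+)[\\\\/]([^\\\\/]+)$#', $raw, $m)) {
            $domain = $m[1];
            $username = $m[2];
        }
        if ($expecteddomain !== null && $domain !== null
                && strcasecmp($domain, $expecteddomain) !== 0) {
            return null;                   // authenticated, but by a domain we do not trust
        }
        return strtolower($username);
    }
    return null;
}

// Usage in the spirit of oncampuslogin.php: fall through to the "not enabled"
// message when nothing usable arrived, instead of trusting an empty string.
$username = ntlm_authenticated_username($_SERVER, 'MIDKENT');
if ($username === null) {
    // show the "NTLM/Integrated Authentication ... not enabled" page here
} else {
    // $username is e.g. 'rmorris'; hand it to get_complete_user_data('username', $username)
}
```

With $_SERVER['REMOTE_USER'] set to 'midkent/dcadmin' the function returns 'dcadmin', and with 'OTHERDOM\dcadmin' plus an expected domain of 'MIDKENT' it returns null rather than logging the user in.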
In reply to Red Morris

Re: NTLM on Windows/Apache system

by Dan Marsden -

No worries - yeah - changing the server var used was something I meant to do a while back - someone else mentioned that Apache was using the REMOTE_USER instead of the AUTH_USER - turns out that IIS returns both, so I modified the code yesterday to change it to REMOTE_USER by default (but allow the user to change it slightly easier if required)

smile

Dan

In reply to Red Morris

Re: NTLM on Windows/Apache system

by Vladimír Franc -

Watch Out! If you want to use NTLM you need SSL secured connections! If you use a normal http connection, it won't work.

More information: http://tortoisesvn.net/docs/release/TortoiseSVN_en/tsvn-serversetup-apache.html

In reply to Vladimír Franc

Re: NTLM on Windows/Apache system

by Iñaki Arenaza -
I can assure you that it *does* work with normal (non-SSL) http connections smile

I have two different test environments (W2K3 and W2K8) that work without SSL connections (disclaimer: they are running on the same server that acts as the domain controller for the domain).

Regards.
Iñaki.
In reply to Iñaki Arenaza

Re: NTLM on Windows/Apache system

by Malcolm Rivett -

I'm glad there's some documentation out there. I would love an ntlm doc that actually explains it clearly enough for a windows / apache 2.2 moodle install.

I just built my moodle server 2 days ago, and locked myself out of it yesterday because I tried activating ntlm via the ldap with plugin. When I was working on the authentication, I couldn't get back into the configuration, because there was no way to override the ntlm config, and I couldn't find documentation on how to override and just login to disable the setting!

We've used moodle before,but my experience with it is still intermediate if that.

So I've rebuilt the server once more and I'm starting from scratch, with just leap auth, but I would love to get it working to allow simple sign on, so anyone authenticated on my network is automatically detected as it is accessed via our LAN.

I'll probably try again on a mirrored config of the server when time allows.

But if someone could put it in simpler terms it would be great. The instructions so far haven't been very descriptive regarding where to insert which line of code into the config file. An explanation of each line of code would help, and a note of which specific version of moodle / apache the configuration they are describing is suitable for.

In addition, as NTLM is so new to me, I want to make sure: are there any AD prerequisite settings that may be needed in addition to what is documented?

In reply to Malcolm Rivett

Re: NTLM on Windows/Apache system

by Dave Perry -

This isn't working for me either (m2.5, 2008 AD, Apache 2.2.21). I've done the AllowOverride AuthConfig for the whole moodle site's directory in the Apache config, and done the .htaccess version. SSPI is being loaded according to phpinfo.