NTLM Problems with IIS5.0

by Ian Fogarty -
Number of replies: 2
Hi

People may have seen a post from me a few months ago saying that I had problems with getting NTLM working on IIS5.0 with Moodle. I have been investigating this more and more, and finally worked out it is the server that Moodle is installed on which is causing the problems. The NTLM protocol works fine on the server for basic files (i.e. our existing Intranet) and the NTLM module works fine for a Windows 2003 Member server in our domain with Moodle 1.6.1. This also works for an XP workstation.

With this, I submitted a help request on the Microsoft Forums, as it did not appear to be a Moodle issue but instead Windows.

Does anyone have any light to shed on this, as this problem has been going on for months now and I am beginning to lose the will! The server with the problem NTLM Moodle on it is a good server (2.8GHz dual Intel Xeons with 2GB RAM, Win2000 Svr), but I do not want to rebuild it to 2003 as it has a few other custom apps on it which I am convinced will break if moved off.

Here is the full situation + replies, I posted to Microsoft.

NTLM problems

Hi, I have been trying to troubleshoot an extremely frustrating problem with
NTLM with a 3rd party Virtual Learning Environment webapp called Moodle
(http://moodle.org). This is running under Windows 2000 Server IIS with PHP
ISAPI module and MySQL Database.

The initial installation works perfectly and with code included in the
package, users are able to authenticate into Moodle using LDAP (in this case
Active Directory). This installation to IIS runs completely under the
Anonymous user account so there have never been any problems with
authentication.

Another developer though has created an extension onto Moodle which allows
for NTLM authentication. This was applied to a test version of Moodle (on the
same server "SERVERA" as the working non NTLM version) but did not work,
instead kept on prompting the Connect to.... NTLM authorization box. When a
correct username was typed in here, it redisplayed. Following 2 more
attempts, a 401.3 error "Access Denied by ACL on resource" is generated.

I have since installed the same webapp (it is all open source) onto an XP
machine (also on the domain) and this works perfectly. To make sure it was
not a routing/firewall/port blocking issue, I installed moodle again onto an
old server with a fresh install of 2003 Server. (This second server is on the
same subnet as the problem server) and this works fine.

To try and diagnose the problem, I enabled security auditing on SERVERA and
then looked at the logs when I tried to access the test moodle (this has been
set up as a virtual directory), I have 3 success audits:

Event ID 576 - Privilege Use
Event ID 540 - Logon/Logoff
Event ID 538 - Logon/Logoff

Following these, I have 2 identical Failure Audits:

Event ID 681 - The logon to account: <NAME>@<FQDN> by:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation <PCNAME> failed. The
error code was: 3221225572

I have since googled the error code and found out via kb326985 that the
specified user does not exist.

I initially thought that the server may not properly be part of the domain
(i.e. the SAM or something was corrupt) but I have installed the Kerbtray app
and it shows all of the kerberos keys as being correct and current, so i am a
bit lost on how to fix this. I really do not want to rebuild/upgrade the
server due to a few awkward webapps which I am sure would break in the
transition.

I also was thinking that NTLM was not working at all on the server but the
fact that the security success audits are working and resolving the actual
username also leads me to think that NTLM is working correctly (well sort of).

Server: Windows 2000 Server, IIS5
Domain: Windows 2000 Mixed Mode Active Directory

I have tried to include all the information needed but I am sure there are
bits which I have missed!


===================
First, you should get confirmation from moodle's community that
moodle's NTLM support works on Windows 2000 Server. Yes, technically,
no one is responsible for giving you this information, but the moodle
community is most able to provide this information.

Also, can you verify that the moodle NTLM Extension works at all - I
assume that is what you meant earlier with the tests on XP Pro and
Windows Server 2003.

Now, I want to first clarify whether it is NTLM broken in IIS or NTLM
broken in moodle. I would create an IIS vdir on SERVERA that only has
NTLM enabled (specifically, Anonymous authentication is disabled), put
in a plain Default.htm in there, and try to access it from a web
browser. The result of this will tell us whether NTLM is broken on the
server or just broken within moodle's support on IIS5.

If NTLM works in the IIS vdir on SERVERA, then the problem looks to be
with the moodle extension. If NTLM fails on IIS, then I would start
looking at the server's configuration.

==========
I have just tried the Virtual Directory test and all works well, the page is
displayed properly with just NTLM enabled on the VDir.

Yes you are correct that the NTLM addin works correctly on XP and 2003. At
home on a completely separate setup, I created a domain with one workstation
(VirtualPC) running 2000 server and installed moodle to that and everything
worked correctly there also. It would seem that there is something happening
on the ServerA configuration or the link from there into our AD.

Could anything from GPO stop this sort of thing?

Thank you for your help with this matter as it does make it quite awkward to
first diagnose and then get a solution due to the fact that it is open source but
running on proprietary products!

Can anyone else think of any other solutions or tests which could be run?
Would any particular test in the IIS Authentication and Access Control tester
be of help?

Ian

I personally feel that the NTLM module will work on any IIS (5,5.1 and 6) and instead there is something wrong either with the server or with the configuration.

Any help with this issue would be much appreciated.

Ian



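The security log entries Ian quotes (success audits 576/540/538 followed by failure audit 681 with error code 3221225572) are the most concrete evidence in the thread, and the decimal code only becomes meaningful once converted to its NTSTATUS value. The following is an added Python example, not code from the thread or from Moodle, that parses event 681 messages in the layout quoted above, decodes the error code to the ntstatus.h constant, and counts failures by account, workstation and status so a run of attempts can be triaged at a glance. The account and workstation names in the sample messages are constructed placeholders; the NTSTATUS table lists the standard logon-failure constants, of which 3221225572 = 0xC0000064 (STATUS_NO_SUCH_USER) is the one the post reports.

```python
import re
from collections import Counter

# NTSTATUS logon-failure codes as MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 reports
# them in the decimal "error code" field of event 681 on Windows 2000. The names
# are the public ntstatus.h constants; the decimal in the log is the unsigned
# 32-bit value, so 3221225572 is 0xC0000064 = STATUS_NO_SUCH_USER.
NTSTATUS_LOGON_FAILURES = {
    0xC0000064: ("STATUS_NO_SUCH_USER", "user name does not exist"),
    0xC000006A: ("STATUS_WRONG_PASSWORD", "user name correct but password wrong"),
    0xC000006E: ("STATUS_ACCOUNT_RESTRICTION", "account restriction"),
    0xC000006F: ("STATUS_INVALID_LOGON_HOURS", "logon outside permitted hours"),
    0xC0000070: ("STATUS_INVALID_WORKSTATION", "logon from a non-permitted workstation"),
    0xC0000071: ("STATUS_PASSWORD_EXPIRED", "password expired"),
    0xC0000072: ("STATUS_ACCOUNT_DISABLED", "account disabled"),
    0xC0000193: ("STATUS_ACCOUNT_EXPIRED", "account expired"),
    0xC0000224: ("STATUS_PASSWORD_MUST_CHANGE", "password must be changed at next logon"),
    0xC0000234: ("STATUS_ACCOUNT_LOCKED_OUT", "account locked out"),
}

# Message layout of event 681 as quoted in the post, after whitespace is
# normalised (the Event Viewer wraps the text across several lines).
EVENT_681_RE = re.compile(
    r"The logon to account:\s*(?P<account>\S+)\s+by:\s*(?P<package>\S+)"
    r"\s+from workstation\s+(?P<workstation>\S+)\s+failed\.\s*"
    r"The error code was:\s*(?P<code>\d+)"
)


def decode_error_code(code):
    """Map the decimal NTSTATUS from event 681 to (hex, constant name, meaning)."""
    code &= 0xFFFFFFFF  # the log prints the unsigned 32-bit form
    name, meaning = NTSTATUS_LOGON_FAILURES.get(code, ("UNKNOWN", "not in table"))
    return "0x%08X" % code, name, meaning


def parse_event_681(message):
    """Return a dict for one event 681 message, or None if it is not a 681."""
    m = EVENT_681_RE.search(" ".join(message.split()))
    if not m:
        return None
    code = int(m.group("code"))
    hex_code, name, meaning = decode_error_code(code)
    return {
        "account": m.group("account"),
        "package": m.group("package"),
        "workstation": m.group("workstation"),
        "code": code,
        "hex": hex_code,
        "status": name,
        "meaning": meaning,
    }


def summarise_failures(messages):
    """Count 681 failures by (account, workstation, status); other events are skipped."""
    counts = Counter()
    for msg in messages:
        ev = parse_event_681(msg)
        if ev is not None:
            counts[(ev["account"], ev["workstation"], ev["status"])] += 1
    return counts


# Constructed sample messages in the layout of the post; names are placeholders.
SAMPLE_MESSAGES = [
    "The logon to account: jsmith@corp.example by:\n"
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation WKS01 failed. The\n"
    "error code was: 3221225572",
    "The logon to account: jsmith@corp.example by:\n"
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation WKS01 failed. The\n"
    "error code was: 3221225572",
    "The logon to account: jsmith@corp.example by:\n"
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation WKS01 failed. The\n"
    "error code was: 3221225578",
    # An event 540 success-audit body, which the parser must ignore.
    "Successful Logon: User Name: jsmith Domain: CORP Logon Type: 3",
]

if __name__ == "__main__":
    for key, n in sorted(summarise_failures(SAMPLE_MESSAGES).items()):
        print(n, key)
```

Run against the exported Security log, the summary separates "no such user" from "wrong password" and "locked out" immediately, which matters because Ian's two identical 681 entries with STATUS_NO_SUCH_USER say the account name the server tried to validate was not found, whereas a wrong-password or lockout code would have pointed at the credentials or at account policy instead.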
In reply to Ian Fogarty

Re: NTLM Problems with IIS5.0

by Dan Marsden -
Hi Ian,

sorry - I only just noticed this thread!

I would also try creating a standard php file - maybe <? phpinfo(); ?> and then turn NTLM auth on for that page, and see if it works.

also, try killing your AD profile, and rebuilding it to see if something hinky is going on with your profile.

good luck!


Dan
In reply to Dan Marsden

Re: NTLM Problems with IIS5.0

by Ian Fogarty -

Hi Dan

Thanks for your reply but things got to a point with the server and it is now no more! It was 2000 Server so we thought an upgrade to 2003 may "fix" the problems. It upgraded with no apparent problems. After that, before re-testing moodle, we did an upgrade to 2003 SP1 and this completely foobar'd the server!

I would guess that if the server wouldn't take an upgrade + sp, there must have been something seriously wrong.

The fresh build on 2003 with our existing moodle back is working brilliantly with the NTLM module which is a fantastic bit of code - thanks for that Dan!

I have also linked it to modified LDAP enrolment code written by Inaki which allows our internal people to automatically log in and then be automatically enrolled on all the courses in Moodle (all the courses use the same courseid and the same AD Group).

Thanks for all of your help (I think this is why I had big problems a while ago trying to get NTLM working as this was on the dodgy server)

Thanks again

Ian