Leopard + Apache 2 + NTLM + PHP + Integrated Windows Authentication

Every day we face a lot of challenges, and today's was to make our CMS work with NTLM (NT LAN Manager, the Windows authentication protocol) Single Sign-On. If that sentence meant nothing to you, you are in good company; it meant nothing to me either when I got the requirement.

In a Windows network all computers can be joined to a domain, which has a domain controller. Once your computer is joined to the domain you are asked for your domain user name and password whenever you log on. After you log in, the same credentials are used to authenticate you to every domain resource: network shares, files, Exchange and so on. This is how most corporations manage their systems, with group policies applied to each user.

Internet Explorer has a feature that uses these same credentials to authenticate to intranet websites. This is Single Sign-On. There is a very nice article that will help you set it up:
internet-explorer-authentication-setting

So my application should detect whether the browser has already authenticated, challenge it if not, and validate the credentials against the domain controller. PHP has no direct way to do this, so I had to rely on the NTLM auth module for Apache. It was pretty outdated, but Raimonds Simanovskis has updated the source tree and released a patched version here. I was able to compile it without any issues. Download and extract the files and run this:


#sudo /usr/sbin/apxs -i -a -c mod_ntlm.c
...
Libraries have been installed in:
/usr/libexec/apache2
...
chmod 755 /usr/libexec/apache2/mod_ntlm.so
[activating module `ntlm' in /etc/apache2/httpd.conf]

The most important part, adding the ntlm module to Apache, is done. The next step is to make some modifications to the .htaccess file. The configuration settings are described in detail here.

AuthName NTAuth
AuthType NTLM
NTLMAuth on
NTLMAuthoritative on
NTLMDomain DOMAIN-NAME
NTLMServer SERVER1
NTLMBackup SERVER1
NTLMLockfile /tmp/_my.lck
require valid-user

Make sure that the computer where you installed Apache can connect to the domain controller. Always use full domain names and not IP addresses, as IPs give errors while connecting [reference]. Note also that NTLM authenticates the TCP connection rather than each request, so keep-alive must stay on between the browser and Apache, and a reverse proxy or load balancer that shares connections between clients will break the handshake. You are fully set now, and if everything is correct you will get these variables in PHP with the details of the currently logged-in user.


$_SERVER['AUTH_TYPE'] => NTLM
$_SERVER['REMOTE_USER'] => xxxxx
$_SERVER['REMOTE_PORT'] => xxxx
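The part the post leaves to the reader is what the PHP side should do with these variables. The script below is an added example, not code from the original post or from mod_ntlm: it trusts only AUTH_TYPE and REMOTE_USER (which Apache sets after the handshake; HTTP_* entries are copied from client headers and can be sent by anyone), normalises the user name, checks it against the domain configured in NTLMDomain, and only then binds it to the CMS session. The function names, the domain check and the sample $_SERVER arrays are assumptions; REMOTE_PORT is just the client's TCP port and carries no identity.

```php
<?php
// Added example for this post, not code from the original or from mod_ntlm.
// Consumes the identity Apache leaves in $_SERVER after a successful NTLM
// handshake. Function names, the expected-domain check and the sample
// arrays are assumptions made for this example.
declare(strict_types=1);

/**
 * Return ['domain' => ..., 'user' => ...] for a request that Apache itself
 * authenticated with NTLM, or null when the request must not be trusted.
 *
 * Only AUTH_TYPE and REMOTE_USER are consulted. Apache sets these after the
 * module succeeds; HTTP_* entries are copied from request headers and can be
 * supplied by any client, so a header such as "Remote-User:" is ignored.
 */
function ntlm_identity(array $server, string $expectedDomain): ?array
{
    if (($server['AUTH_TYPE'] ?? '') !== 'NTLM') {
        return null;                          // not authenticated by mod_ntlm
    }
    $raw = (string) ($server['REMOTE_USER'] ?? '');
    if ($raw === '' || strlen($raw) > 255) {
        return null;
    }

    // The post shows a bare user name. Other front ends report DOMAIN\user
    // or user@domain, so all three spellings are normalised (assumption).
    if (preg_match('/^([^\\\\]+)\\\\([^\\\\]+)$/', $raw, $m)) {
        [$domain, $user] = [$m[1], $m[2]];
    } elseif (preg_match('/^([^@]+)@([^@]+)$/', $raw, $m)) {
        [$user, $domain] = [$m[1], $m[2]];
    } else {
        [$domain, $user] = [$expectedDomain, $raw];
    }

    // sAMAccountName: at most 20 characters, no control characters and none
    // of the characters Active Directory forbids in account names.
    if (!preg_match('/^[^\x00-\x1f"\/\\\\\[\]:;|=,+*?<>]{1,20}$/', $user)) {
        return null;
    }
    // Accept only the domain mod_ntlm was pointed at (NTLMDomain).
    if (strcasecmp($domain, $expectedDomain) !== 0) {
        return null;
    }
    return ['domain' => strtoupper($domain), 'user' => strtolower($user)];
}

/**
 * Bind the Windows identity to the CMS session. A fresh session id is
 * issued so a session fixated before the handshake cannot be reused.
 * Call this from the web request, after ntlm_identity() returned non-null.
 */
function cms_login(array $identity): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['cms_user']   = $identity['user'];
    $_SESSION['cms_domain'] = $identity['domain'];
    $_SESSION['auth_via']   = 'ntlm';
}

// Constructed sample input, shaped like the variables the post reports after
// a successful handshake; the values are invented for this example.
$good = [
    'AUTH_TYPE'   => 'NTLM',
    'REMOTE_USER' => 'jdoe',
    'REMOTE_PORT' => '51234',               // client TCP port, not an identity
];
$forged = [
    'HTTP_REMOTE_USER' => 'Administrator',  // client-sent header: ignored
];
$otherDomain = [
    'AUTH_TYPE'   => 'NTLM',
    'REMOTE_USER' => 'CONTRACTORS\\jdoe',   // wrong domain: rejected
];

foreach ([$good, $forged, $otherDomain] as $server) {
    var_dump(ntlm_identity($server, 'DOMAIN-NAME'));
}
```

Run it with `php ntlm_identity.php`: the first sample yields the domain and user, the forged header and the foreign-domain name both yield NULL. In the real request handler, pass `$_SERVER` instead of the sample arrays and call `cms_login()` on a non-null result; anything that reaches PHP without AUTH_TYPE set to NTLM (for instance a path the .htaccess does not cover) is treated as anonymous.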

I have tested this with Internet Explorer and it works without asking for a password. Other browsers like Firefox, Chrome and Safari will prompt for authentication. That's all folks 😉
