Hi,

I've got a problem trying to set up Apache::AuthenNTLM to secure the
administration area for our (mod_perl-based) CMS.

The server setup is as follows:

* A lightweight port-80 instance of Apache, which deals with
  all requests for static content, and proxies everything else
  over to...
* A mod_perl-centric, port-8080 instance of Apache, which
  deals with all the dynamic, mod_perl-generated content

I've set up the authentication on the administration area in the
httpd.conf file for the backend, port-8080 server to use AuthenNTLM.
When I access a test script directly on the port:8080 server, the
authentication works a dream. This seems to confirm, to me, that the
settings are basically correct.

However, when I try to access the authenticated area through the
frontend, port-80 server, the authentication doesn't work. The client
gets a variation on the "little grey box" of Basic Authentication, this
time with a "domain" field added. Entering details into the box only
brings the box back, however.

KeepAlive is on for both Apaches. I've enabled "PerlSetVar ntlmdebug
2", and the output for each situation is below. I've asterisked out
anything that I think might be unwise to post on a public forum; if it
turns out that some of that is needed to figure out what's going on,
I'll be glad to revise that heuristic!

Firstly, the direct attempt (which worked):

[14925] AuthenNTLM: Config Domain = domain1 pdc = **** bdc = ****
[14925] AuthenNTLM: Config Default Domain = domain1
[14925] AuthenNTLM: Config Fallback Domain =
[14925] AuthenNTLM: Config AuthType = ntlm AuthName = CMS NTLM
Authentication Test
[14925] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
[14925] AuthenNTLM: Config NTLMAuthoritative = on BasicAuthoritative =
on
[14925] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
[14925] AuthenNTLM: Authorization Header <not given>
[Mon Jul 5 15:03:23 2004] [error] access to /res/env.cgi failed for ,
reason: Bad/Missing NTLM/Basic Authorization Header for /res/env.cgi
[14925] AuthenNTLM: Start NTLM Authen handler pid = 14925, connection =
156590692 conn_http_hdr = Keep-Alive main = cuser = remote_ip = ****
remote_port = **** remote_host = < > version = 0.23
[14925] AuthenNTLM: Object exists user = \
[14925] AuthenNTLM: Authorization Header NTLM
TlRMTVNTUAABAAAAB7IAoAcABwAoAAAACAAIACAAAABXQkMtVFMtMURPTUFJTjE=
[14925] AuthenNTLM: Got: 78 84 76 77 83 83 80 0 1 0 0 0 7 178 0 160 7 0
7 0 40 0 0 0 8 0 8 0 32 0 0 0 87 66 67 45 84 83 45 49 68 79 77 65 73 78
49
[14925] AuthenNTLM: protocol=NTLMSSP, type=1,
flags1=7(NEGOTIATE_UNICODE,NEGOTIATE_OEM,REQUEST_TARGET),
flags2=178(NEGOTIATE_ALWAYS_SIGN,NEGOTIATE_NTLM), domain length=7,
domain offset=40, host length=8, host offset=32, host=WBC-TS-1,
domain=DOMAIN1
[14925] AuthenNTLM: Connect to pdc = **** bdc = **** domain = domain1
[14925] AuthenNTLM: timed out while waiting for lock (key = 23754)
[14925] AuthenNTLM: leave lock
[14925] AuthenNTLM: Send: 78 84 76 77 83 83 80 0 2 0 0 0 0 0 0 0 40 0 0
0 1 130 0 0 216 117 139 24 181 48 159 61 0 0 0 0 0 0 0 0
[14925] AuthenNTLM: charencoding = 1
[14925] AuthenNTLM: flags2 = 130
[14925] AuthenNTLM: nonce=�u�0=
[14925] AuthenNTLM: Send header: NTLM
TlRMTVNTUAACAAAAAAAAACgAAAABggAA2HWLGLUwnz0AAAAAAAAAAA==
[14925] AuthenNTLM: Start NTLM Authen handler pid = 14925, connection =
156590692 conn_http_hdr = Keep-Alive main = cuser = remote_ip = ****
remote_port = **** remote_host = < > version = 0.23
[14925] AuthenNTLM: Object exists user = \
[14925] AuthenNTLM: Authorization Header NTLM
TlRMTVNTUAADAAAAGAAYAG4AAAAYABgAhgAAAA4ADgBAAAAAEAAQAE4AAAAQABAAXgAAAAAAAACeAAAABYIAAEQATwBNAEEASQBOADEAYQByAHQAaQBjAGwAZQA3AFcAQgBDAC0AVABTAC0AMQBDF+KMFTHlqAmWaSgr17JBJVr6fpDj9dGBGDYhHPRVxYNQsYcPvPYUSpQoEYrg0T8=
[14925] AuthenNTLM: Got: 78 84 76 77 83 83 80 0 3 0 0 0 24 0 24 0 110 0
0 0 24 0 24 0 134 0 0 0 14 0 14 0 64 0 0 0 16 0 16 0 78 0 0 0 16 0 16 0
94 0 0 0 0 0 0 0 158 0 0 0 5 130 0 0 68 0 79 0 77 0 65 0 73 0 78 0 49 0
97 0 114 0 116 0 105 0 99 0 108 0 101 0 55 0 87 0 66 0 67 0 45 0 84 0
83 0 45 0 49 0 67 23 226 140 21 49 229 168 9 150 105 40 43 215 178 65
37 90 250 126 144 227 245 209 129 24 54 33 28 244 85 197 131 80 177 135
15 188 246 20 74 148 40 17 138 224 209 63
[14925] AuthenNTLM: protocol=NTLMSSP, type=3, user=****, host=****,
domain=DOMAIN1, msg_len=0
[14925] AuthenNTLM: Verify user **** via smb server
[14925] AuthenNTLM: OK pid = 14925, connection = 156590692 cuser = ****
ip = ****

Next, the attempt via the port-80 Apache proxy. The following is taken
from the port-8080 error log, so at least some of the data is being
proxied properly.

[14927] AuthenNTLM: Config Domain = domain1 pdc = **** bdc = ****
[14927] AuthenNTLM: Config Default Domain = domain1
[14927] AuthenNTLM: Config Fallback Domain =
[14927] AuthenNTLM: Config AuthType = ntlm AuthName = CMS NTLM
Authentication Test
[14927] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
[14927] AuthenNTLM: Config NTLMAuthoritative = on BasicAuthoritative =
on
[14927] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
[14927] AuthenNTLM: Authorization Header <not given>
[Mon Jul 5 15:04:48 2004] [error] access to /res/env.cgi failed for ,
reason: Bad/Missing NTLM/Basic Authorization Header for /res/env.cgi
[14928] AuthenNTLM: Config Domain = domain1 pdc = **** bdc = ****
[14928] AuthenNTLM: Config Default Domain = domain1
[14928] AuthenNTLM: Config Fallback Domain =
[14928] AuthenNTLM: Config AuthType = ntlm AuthName = CMS NTLM
Authentication Test
[14928] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
[14928] AuthenNTLM: Config NTLMAuthoritative = on BasicAuthoritative =
on
[14928] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
[14928] AuthenNTLM: Authorization Header NTLM
TlRMTVNTUAABAAAAB7IAoAcABwAoAAAACAAIACAAAABXQkMtVFMtMURPTUFJTjE=
[14928] AuthenNTLM: Got: 78 84 76 77 83 83 80 0 1 0 0 0 7 178 0 160 7 0
7 0 40 0 0 0 8 0 8 0 32 0 0 0 87 66 67 45 84 83 45 49 68 79 77 65 73 78
49
[14928] AuthenNTLM: protocol=NTLMSSP, type=1,
flags1=7(NEGOTIATE_UNICODE,NEGOTIATE_OEM,REQUEST_TARGET),
flags2=178(NEGOTIATE_ALWAYS_SIGN,NEGOTIATE_NTLM), domain length=7,
domain offset=40, host length=8, host offset=32, host=****,
domain=DOMAIN1
[14928] AuthenNTLM: Connect to pdc = **** bdc = **** domain = domain1
[14928] AuthenNTLM: timed out while waiting for lock (key = 23754)
[14928] AuthenNTLM: leave lock
[14928] AuthenNTLM: Send: 78 84 76 77 83 83 80 0 2 0 0 0 0 0 0 0 40 0 0
0 1 130 0 0 237 54 160 59 210 45 73 31 0 0 0 0 0 0 0 0
[14928] AuthenNTLM: charencoding = 1
[14928] AuthenNTLM: flags2 = 130
[14928] AuthenNTLM: nonce=�6�;�-I
[14928] AuthenNTLM: Send header: NTLM
TlRMTVNTUAACAAAAAAAAACgAAAABggAA7TagO9ItSR8AAAAAAAAAAA==
[14931] AuthenNTLM: Config Domain = domain1 pdc = **** bdc = ****
[14931] AuthenNTLM: Config Default Domain = domain1
[14931] AuthenNTLM: Config Fallback Domain =
[14931] AuthenNTLM: Config AuthType = ntlm AuthName = CMS NTLM
Authentication Test
[14931] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
[14931] AuthenNTLM: Config NTLMAuthoritative = on BasicAuthoritative =
on
[14931] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
[14931] AuthenNTLM: Authorization Header NTLM
TlRMTVNTUAADAAAAGAAYAG4AAAAYABgAhgAAAA4ADgBAAAAAEAAQAE4AAAAQABAAXgAAAAAAAACeAAAABYIAAEQATwBNAEEASQBOADEAYQByAHQAaQBjAGwAZQA3AFcAQgBDAC0AVABTAC0AMQBiv3n6p8JPs2uUTnt8MF2EP4hRjEh2tCiqD+KoKwflU3uqx/pgoASpny765wJy6Hp=
[14931] AuthenNTLM: Got: 78 84 76 77 83 83 80 0 3 0 0 0 24 0 24 0 110 0
0 0 24 0 24 0 134 0 0 0 14 0 14 0 64 0 0 0 16 0 16 0 78 0 0 0 16 0 16 0
94 0 0 0 0 0 0 0 158 0 0 0 5 130 0 0 68 0 79 0 77 0 65 0 73 0 78 0 49 0
97 0 114 0 116 0 105 0 99 0 108 0 101 0 55 0 87 0 66 0 67 0 45 0 84 0
83 0 45 0 49 0 98 191 121 250 167 194 79 179 107 148 78 123 124 48 93
132 63 136 81 140 72 118 180 40 170 15 226 168 43 7 229 83 123 170 199
250 96 160 4 169 159 46 250 231 2 114 232 122
[14931] AuthenNTLM: protocol=NTLMSSP, type=3, user=****, host=****,
domain=DOMAIN1, msg_len=0
[Mon Jul 5 15:04:50 2004] [error] access to /res/env.cgi failed for ,
reason: SMB Server connection not open in state 3 for /res/env.cgi

Any ideas would be very much appreciated.

Cheers,
Andrew.

--
::
article seven Andrew Green
automatic internet [EMAIL PROTECTED] | www.article7.co.uk
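
Added example (not part of the original post): in the direct trace above, pid 14925 handles the type 1, type 2 and type 3 messages, while in the proxied trace the challenge is sent by pid 14928 and the type 3 response arrives at pid 14931. NTLM over HTTP authenticates a connection rather than a single request, so the Python sketch below scans ntlmdebug output for a type 3 message reaching a process that never sent the challenge. It assumes one log record per line and a prefork server where a pid stands for one connection at a time; the function names and the sample logs are constructed for illustration.

```python
import base64
import re
import struct

# One ntlmdebug record per line, as in an unwrapped Apache error log.
RECORD = re.compile(
    r"^\[(\d+)\] AuthenNTLM: (Authorization Header|Send header:) NTLM\s+(\S+)"
)

def ntlm_type(token_b64):
    """Return the NTLMSSP message type (1, 2 or 3), or None if not NTLMSSP."""
    try:
        raw = base64.b64decode(token_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    return struct.unpack_from("<I", raw, 8)[0]  # little-endian uint32 at offset 8

def find_split_handshakes(log_text):
    """List (challenge_pid, response_pid) where a type 3 message reached a
    process that had not itself sent the type 2 challenge."""
    pending = set()         # pids with a challenge sent and not yet answered
    last_challenger = None  # heuristic pairing, used for the report only
    splits = []
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        pid, kind, msg = int(m.group(1)), m.group(2), ntlm_type(m.group(3))
        if kind == "Send header:" and msg == 2:
            pending.add(pid)
            last_challenger = pid
        elif kind == "Authorization Header" and msg == 3:
            if pid in pending:
                pending.discard(pid)  # handshake completed on one process
            else:
                splits.append((last_challenger, pid))
    return splits

def make_token(msg_type):
    """Constructed minimal token: NTLMSSP signature plus the type field."""
    return base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", msg_type)).decode()

# Constructed sample logs (pids are made up), shaped like the traces above.
DIRECT = "\n".join(f"[201] AuthenNTLM: {k} NTLM {make_token(t)}" for k, t in
    [("Authorization Header", 1), ("Send header:", 2), ("Authorization Header", 3)])
PROXIED = "\n".join(f"[{p}] AuthenNTLM: {k} NTLM {make_token(t)}" for p, k, t in
    [(301, "Authorization Header", 1), (301, "Send header:", 2), (302, "Authorization Header", 3)])

if __name__ == "__main__":
    print("direct :", find_split_handshakes(DIRECT))
    print("proxied:", find_split_handshakes(PROXIED))
```

An empty result means every type 3 message landed on the process that issued its challenge; any pair in the result points at a hop that is not keeping the client's requests on one backend connection.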