Hello all,

Recently I had a problem with Apache::AuthenNTLM and found no similar problem description on the Internet.

The problem was:

I’ve installed the latest Apache::AuthenNTLM module on
Apache/1.3.33 (Unix) mod_perl/1.29 mod_ssl/2.8.23 OpenSSL/0.9.8 FreeBSD 4.10.

Apache configuration was:

    <Location /inet>
        PerlAuthenHandler Apache::AuthenNTLM
        AuthType "ntlm"
        AuthName test
        require valid-user
        PerlAddVar ntdomain "samara sam-dc01 sam-msg01"
        PerlSetVar fallbackdomain samara
        PerlSetVar defaultdomain samara
        PerlSetVar ntlmdebug 2
#       PerlSetVar ntlmsemtimeout 10
    </Location>

sam-dc01 and sam-msg01 are resolved locally through the /etc/hosts file.

When I tried to get the page with IE, the server returned nothing.

In the error log I found the following:

[Fri Nov 25 19:31:22 2005] [error] access to /inet failed for  , reason: Bad/Missing NTLM/Basic Authorization Header for /inet
[8473] AuthenNTLM: Config Domain = samara  pdc = sam-dc01  bdc = sam-msg01
[8473] AuthenNTLM: Config Default Domain = samara
[8473] AuthenNTLM: Config Fallback Domain = samara
[8473] AuthenNTLM: Config AuthType = ntlm AuthName = test
[8473] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
[8473] AuthenNTLM: Config NTLMAuthoritative = on  BasicAuthoritative = on
[8473] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
[8473] AuthenNTLM: Config SplitDomainPrefix =
[8473] AuthenNTLM: Authorization Header NTLM TlRMTVNTUAABAAAAB7IIoAYABgApAAAACQAJACAAAABBMTE1LU9BRzJTQU1BUkE=
[8473] AuthenNTLM: Got: 78 84 76 77 83 83 80 0 1 0 0 0 7 178 8 160 6 0 6 0 41 0 0 0 9 0 9 0 32 0 0 0 65 49 49 53 45 79 65 71 50 83 65 77 65 82 65
[8473] AuthenNTLM: protocol=NTLMSSP, type=1, flags1=7(NEGOTIATE_UNICODE,NEGOTIATE_OEM,REQUEST_TARGET), flags2=178(NEGOTIATE_ALWAYS_SIGN,NEGOTIATE_NTLM), domain length=6, domain offset=41, host length=9, host offset=32, host=A115-OAG2, domain=SAMARA
[8473] handler type == 1
[8473] AuthenNTLM: Connect to pdc = sam-dc01 bdc = sam-msg01 domain = samara
[8473] AuthenNTLM: timed outwhile waiting for lock (key = 23754)
[8473] AuthenNTLM: leave lock
[8473] AuthenNTLM: verify handle  smbhandle == 147179520
[8473] AuthenNTLM: Send: 78 84 76 77 83 83 80 0 2 0 0 0 0 0 0 0 40 0 0 0 1 130 0 0 27 111 252 103 93 177 248 162 0 0 0 0 0 0 0 0
[8473] AuthenNTLM: charencoding = 1
[8473] AuthenNTLM: flags2 = 130
[8473] AuthenNTLM: nonce=.o¥g]╠£╒
[8473] AuthenNTLM: Send header: NTLM TlRMTVNTUAACAAAAAAAAACgAAAABggAAG2/8Z12x+KIAAAAAAAAAAA==
[8473] AuthenNTLM: verify handle = 1 smbhandle == 147179520

At first I checked for a connectivity issue:
I tracked client-server and server-PDC traffic, and no packets were lost.

Checked the Apache config and saw keepalive=on there.

Stumbled there for a while.

Then I googled for NTLM and found

1: C  --> S        GET ...
2: C <--  S        401 Unauthorized
                        WWW-Authenticate: NTLM
3: C  --> S        GET ...
                        Authorization: NTLM <base64-encoded type-1-message>
4: C <--  S        401 Unauthorized
                        WWW-Authenticate: NTLM <base64-encoded type-2-message>
5: C  --> S        GET ...
                        Authorization: NTLM <base64-encoded type-3-message>
6: C <--  S        200 Ok

at http://www.innovation.ch/personal/ronald/ntlm.html

Checked my case against it with a network monitor and found every step but the 6th present.

Then checked access.log and found only two GETs for a single request.

A closer look at the packets revealed that keepalive actually wasn’t working:
Clients sent requests with "Connection: Keep-Alive" and the server responded with "Connection: close".
Also I noticed that requests were sent as HTTP/1.1 and responses as HTTP/1.0.
So finally I found that the trouble was caused by:

BrowserMatch ".*MSIE.*" downgrade-1.0 force-response-1.0

Hope my troubleshooting will be useful for someone.

Best regards,

Olkhin Andrey
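
The check described in the post, as an added example that is not part of the original message or of Apache::AuthenNTLM: it decodes the two NTLM header values from the debug log and flags a type-2 challenge sent on a connection the server then closes. The function names and the two sample responses are constructed for illustration; only the base64 values come from the log above.

```python
import base64
import struct

# Header values copied from the debug log in the post.
TYPE1 = "NTLM TlRMTVNTUAABAAAAB7IIoAYABgApAAAACQAJACAAAABBMTE1LU9BRzJTQU1BUkE="
TYPE2 = "NTLM TlRMTVNTUAACAAAAAAAAACgAAAABggAAG2/8Z12x+KIAAAAAAAAAAA=="

def ntlm_decode(value):
    """Return (message type, raw bytes) for an NTLM header value, else (None, b'')."""
    scheme, _, blob = value.strip().partition(" ")
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return None, b""
    if scheme.upper() != "NTLM" or len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None, b""
    return struct.unpack_from("<I", raw, 8)[0], raw

def type1_names(value):
    """Host and domain of a type-1 message, via the length/offset fields at byte 16."""
    mtype, raw = ntlm_decode(value)
    if mtype != 1 or len(raw) < 32:
        return None
    dlen, _, doff, hlen, _, hoff = struct.unpack_from("<HHIHHI", raw, 16)
    host = raw[hoff:hoff + hlen].decode("ascii", errors="replace")
    return host, raw[doff:doff + dlen].decode("ascii", errors="replace")

def parse_head(text):
    """Split a raw HTTP message head into (start line, lower-cased header dict)."""
    lines = text.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return lines[0], headers

def persistent(version, headers):
    """HTTP/1.1 stays open unless 'close'; HTTP/1.0 stays open only with 'keep-alive'."""
    tokens = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    return "close" not in tokens and (version == "HTTP/1.1" or "keep-alive" in tokens)

def challenge_is_dropped(response_text):
    """True when a response carries a type-2 challenge but closes the connection."""
    start, headers = parse_head(response_text)
    mtype, _ = ntlm_decode(headers.get("www-authenticate", ""))
    return mtype == 2 and not persistent(start.split(" ", 1)[0], headers)

# Constructed responses: BROKEN models what the post observed, HEALTHY keeps the connection.
BROKEN = f"HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: {TYPE2}\r\nConnection: close\r\n\r\n"
HEALTHY = f"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: {TYPE2}\r\n\r\n"

if __name__ == "__main__":
    print(type1_names(TYPE1), challenge_is_dropped(BROKEN), challenge_is_dropped(HEALTHY))
```

Run against response heads taken from a packet capture, a True result on the step-4 response points at a forced HTTP/1.0 downgrade or disabled keepalive for that client.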
