NTLMSSP authentication mechanism with Apache #264
-
Hello, we would like to activate NTLMSSP authentication with the Apache server and mod_auth_gssapi support, but we are not able to make it work. We keep getting an HTTP 401 Unauthorized error when trying to access our protected application path. Here is our configuration in Apache:
The error message in the Apache logs is: It seems that Apache does not recognize ntlmssp. Are we missing something here? Are there any other modules we should install? Please note that if we replace ntlmssp with krb5 as the authentication mechanism, everything works fine. We are using the latest mod_auth_gssapi 1.6.3 and krb5-libs-1.15.1. Many thanks in advance for your help. KR,
Replies: 5 comments 7 replies
-
In order to offer gssntlmssp you need to have the gssntlmssp package installed.
-
If you are offering exclusively gssntlmssp you also have no need for a keytab, but you will either need a system joined via winbindd to an AD domain, or you will need to provide a password file that gssntlmssp can use to check users' passwords against.
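The two prerequisites named in that reply, as an added configuration example that is not from the thread or the project's own documentation. It assumes the gssntlmssp package is installed and registered in /etc/gss/mech; the location path, file paths and the httpd service user are placeholders.

```apache
# Added example: a mod_auth_gssapi location that offers only NTLMSSP.
# Assumes /etc/gss/mech contains a registration line for the mechanism,
# such as:  gssntlmssp  1.3.6.1.4.1.311.2.2.10  gssntlmssp.so
<Location /app>
    AuthType GSSAPI
    AuthName "Domain login"
    # Offer only the NTLMSSP mechanism; no keytab is required for it,
    # so GssapiCredStore is deliberately not set here.
    GssapiAllowedMech ntlmssp
    Require valid-user
</Location>

# How gssntlmssp validates the NTLM response depends on the host, not
# on httpd.conf. One of the following must hold:
#
# 1. The host is joined to the AD domain via winbindd, and the httpd
#    service user (www-data, apache, ...) can reach winbind's privileged
#    pipe, which normally means membership in the winbindd_priv group.
#
# 2. gssntlmssp is pointed at a local password file through the
#    NTLM_USER_FILE environment variable of the httpd process (placeholder
#    path below, set in the service unit or the distribution's httpd env
#    file, not in httpd.conf):
#       NTLM_USER_FILE=/etc/gssntlmssp/users
#    Each line is DOMAIN:username:password in cleartext, so the file must
#    be owned by root, readable only by the httpd service user, and kept
#    out of backups and version control.
```

Without either of these in place the server can emit the NTLMSSP challenge but has nothing to verify the client's response against, which surfaces to the browser as a failed exchange rather than a configuration error in the Apache log.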
-
Hi, I'm working with v-kapuangan on this subject. To make things clear, we have 2 different use cases to authenticate our users depending on their workstation configuration.

- The first one is when the user on his Windows machine is logged on to the same AD as our Apache server configured with apache_mod_gssapi and a keytab. The protocol used is Kerberos in this case. The first use case works perfectly. We have configured the krb5 mech and set up the GssapiCredStore with a keytab.
- The second use case is not working: despite having compiled apache_mod_gssapi with gss-ntlmssp, created a directory /etc/gss/mech, and having configured the

On the web browser, we first have a prompt for login that we fill in with OUR_DOMAIN\username and the corresponding password. With Wireshark, we see the NTLMSSP_NEGOTIATE. But the browser doesn't respond to the challenge (ERR_INVALID_RESPONSE in the browser). We don't understand how gss-ntlmssp should be plugged into our Active Directory. Can it use the keytab we have configured for our Kerberos use case? For example, in the challenge, we see a lot of target properties:

When we look at another website that successfully uses an NTLM sequence (on an IIS server but on the same AD), we have target_name <OUR_DOMAIN>. We think that can explain why the browser doesn't complete the challenge. How can we configure these properties so that they use our AD configuration?
-
For me, the issue was that www-data was not in winbindd_priv.
-
Thanks for pointing that out. Sadly, ntlmssp is not currently supported by gssproxy: https://github.com/gssapi/gssproxy/blob/c6847f012b326a7e27dbe79d8df0faafdeb2dbef/src/gp_creds.c