Frequently Asked Questions

I installed mod_ntlm and now the Apache service won't start!

Try starting it from the command line, i.e. by typing
C:\Apache> apache [enter]
If you get a message similar to:
Syntax error on line 183 of c:/apache/conf/httpd.conf:
API module structure `ntlm_module' in file c:/apache/modules/ApacheModuleNTLM.dll is garbled - perhaps this is not an Apache module DSO?
then it is likely that there is a mismatch between the version of Apache you are using and the version that your binary was compiled for. If you get any other error message, send a copy to me, using the link at the bottom of this page.

Where are the specifications for NTLM?

That's a good question. The Microsoft APIs that I used are documented in MSDN. As for the actual contents of each authentication token, the Microsoft documentation only says that developers should treat the token "as opaque" - meaning, I guess, that they don't want anyone else to know.

A number of people have published information (mostly SMB/CIFS related) on bits and pieces of the NTLM authentication protocol. Much of it was overtaken by the introduction of NTLM version 2, which Microsoft shipped in Windows NT 4.0 service pack 4.

What does NTLM stand for?

NTLM is the Windows NT / LAN Manager authentication protocol. The version number most often quoted, 0.12, comes from the "NT LM 0.12" dialect string that SMB clients and servers negotiate. Version 2 of the protocol (NTLMv2) was introduced with Windows NT 4.0 service pack 4.

Why would I want to use mod_ntlm?

If you run an internet or intranet web site on Apache for NT, and you'd like to use the Windows NT user database, then this module is for you.

In addition, NTLM authentication is more secure than basic authentication, because the password itself never crosses the wire, and on a Windows server it is more practical than digest authentication, since the MD5 hashes of users' passwords that digest authentication needs are not readily available from the NT account database.

Finally, Microsoft Internet Explorer can be configured to perform this authentication automatically with the credentials of the logged-on Windows user, so the user is not prompted to enter their username and password again.

Why wouldn't I just use mod_auth_smb?

Two reasons. First, mod_auth_smb only runs on Unix. Second, it still uses basic authentication, meaning that passwords are sent across the wire in cleartext, and that MSIE users are prompted for a username and password.

Can I use mod_ntlm under Unix?

No. Unfortunately, mod_ntlm is not at all portable, since it relies on Microsoft-specific APIs (the Windows security API does the actual credential checking). There is another module, also called "mod_ntlm", that links against the Samba libraries and can be used on Unix. Visit its home page for more details, or try your favourite search engine.

Why wouldn't I just use basic authentication over SSL?

NTLM is a challenge/response authentication mechanism: the client proves it knows the password by answering a challenge from the server, so the server never receives a copy of the password in cleartext. With basic authentication over an SSL connection the password is protected in transit, but it is still transmitted to the server.

Another reason is that SSL incurs quite a high performance penalty, because of the computationally intensive cryptographic work it requires.

One alternative that is (in my opinion) better than mod_ntlm is the use of client certificates over SSL/TLS connections. Unfortunately, there is currently no way to integrate this with Windows NT security, although this is allegedly part of Windows 2000.

What can I do with it?

Mod_ntlm authenticates remote users against the local Windows NT machine, so the Windows account lockout policy applies: provided a lockout policy is configured, anyone trying to brute-force an account's password will find that the account gets locked out after the specified number of failed attempts - a notable omission from most basic authentication implementations.

Mod_ntlm can accept NTLM or basic authorization, and can be configured to offer one as the preferred method. This means that Netscape Navigator, Opera and other clients that do not support NTLM can still access the restricted areas of a site; the user just has to key in their username and password once each session. (Bear in mind that basic authentication sends that password across the wire in cleartext, as noted above.)

Mod_ntlm can be non-authoritative. This means that when it cannot authenticate a user it declines rather than rejecting the request, so you can run two (or more) authentication schemes in parallel: for example, the basic scheme in Apache's mod_auth.

How about a usage sample?

This is a simple configuration that can be put into an .htaccess file.
AuthType NTLM

NTLMAuthoritative On
NTLMOfferBasic On

require valid-user

Any user who is in the Windows NT user database (of the server, or of any trusted domain the server belongs to) will be granted access, and their username (DOMAINNAME\Username) will be set in the REMOTE_USER environment variable.

Remember, you need to specify an AuthType whenever you use a require directive.

Why doesn't Microsoft Internet Explorer 3 work?

It does, but Apache does not (as a rule) provide persistent connections to HTTP/1.0 clients, and keep-alive connections (also known as persistent connections) are required for the three-leg NTLM authentication protocol to function correctly: the server's challenge is tied to the connection it was sent on, so the client's response must come back on that same connection. A workaround has been implemented in mod_ntlm, and is enabled as follows:
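The exchange described in the answers above (the challenge/response handshake, the NTLMOfferBasic fallback to basic authentication, and the reason keep-alive connections are needed) as an added example. This is illustrative Python written for this FAQ; it is not mod_ntlm's source and not Microsoft's code. The Type 1/2/3 message layouts follow the NTLMSSP wire format (8-byte "NTLMSSP\0" signature, message type, length/offset field descriptors, server challenge at offset 24 of the Type 2 message). The response check is a labelled stand-in (a keyed MAC of the challenge) for the Windows security API that mod_ntlm delegates to; it is not the real NTLM computation. The account table (CORP\alice), connection ids, workstation name WS1 and the realm string are constructed sample data.

```python
# Added example for this FAQ, not mod_ntlm's source: the three-leg NTLM exchange as an Apache
# auth module sees it. NTLMSSP message layouts; the response check is a labelled STAND-IN.
import base64
import hashlib
import hmac
import os
import struct

NTLMSSP = b"NTLMSSP\x00"
FLAG_UNICODE = 0x00000001          # NTLMSSP_NEGOTIATE_UNICODE: strings are UTF-16LE

def _fields(blob, offset):         # length / max length / offset descriptor of a payload field
    return struct.pack("<HHI", len(blob), len(blob), offset)

TYPE1 = NTLMSSP + struct.pack("<II", 1, FLAG_UNICODE) + _fields(b"", 32) * 2   # Type 1 (NEGOTIATE)

def _read_field(raw, at):
    length, _maxlen, offset = struct.unpack_from("<HHI", raw, at)
    return raw[offset:offset + length]

def build_type2(challenge, target="CORP"):   # Type 2 (CHALLENGE): challenge at 24, payload at 56
    name = target.encode("utf-16-le")
    return (NTLMSSP + struct.pack("<I", 2) + _fields(name, 56) + struct.pack("<I", FLAG_UNICODE)
            + challenge + b"\x00" * 8 + _fields(b"", 56) + b"\x00" * 8 + name)

def build_type3(domain, user, workstation, nt_response):
    """Type 3 (AUTHENTICATE): LM, NT, domain, user, workstation, key descriptors at 12..59, flags at 60."""
    blobs = [b"\x00" * 24, nt_response] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    header, payload = b"", b""
    for blob in blobs:                                  # payload begins right after the flags, at 64
        header += _fields(blob, 64 + len(payload))
        payload += blob
    return NTLMSSP + struct.pack("<I", 3) + header + struct.pack("<I", FLAG_UNICODE) + payload

def message_type(raw):
    if len(raw) < 12 or raw[:8] != NTLMSSP:
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", raw, 8)[0]

def parse_type3(raw):
    flags = struct.unpack_from("<I", raw, 60)[0]
    enc = "utf-16-le" if flags & FLAG_UNICODE else "cp437"   # OEM strings if UNICODE was not negotiated
    return {"nt_response": _read_field(raw, 20), "domain": _read_field(raw, 28).decode(enc),
            "user": _read_field(raw, 36).decode(enc)}

def stand_in_response(password, challenge):
    """STAND-IN for the real NTLM response (DES over the NT hash): a keyed MAC of the challenge."""
    return hmac.new(password.encode("utf-8"), challenge, hashlib.sha256).digest()

def ntlm_header(raw):
    return "NTLM " + base64.b64encode(raw).decode("ascii")

def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")

class NtlmAuthHandler:
    """Server-side decisions as this FAQ describes mod_ntlm. `accounts` maps 'DOMAIN\\user' to a
    password (constructed sample data standing in for the NT user database the module queries)."""
    def __init__(self, accounts, offer_basic=True):
        self.accounts = accounts
        self.offer_basic = offer_basic
        self.pending = {}              # connection id -> challenge awaiting its Type 3 (needs keep-alive)

    def _challenge(self):              # NTLMOfferBasic On: non-NTLM browsers can fall back to Basic
        schemes = ["NTLM"] + (['Basic realm="mod_ntlm"'] if self.offer_basic else [])
        return 401, {"WWW-Authenticate": schemes}, None

    def handle(self, conn_id, authorization=None):   # -> (status, headers, REMOTE_USER)
        if authorization is None:
            return self._challenge()
        scheme, _, data = authorization.partition(" ")
        if scheme == "Basic" and self.offer_basic:
            user, _, password = base64.b64decode(data).decode("latin-1").partition(":")
            return (200, {}, user) if self.accounts.get(user) == password else self._challenge()
        if scheme != "NTLM":
            return self._challenge()
        raw = base64.b64decode(data)
        kind = message_type(raw)
        if kind == 1:                  # leg 1 received: reply with a fresh challenge (leg 2)
            self.pending[conn_id] = challenge = os.urandom(8)
            return 401, {"WWW-Authenticate": [ntlm_header(build_type2(challenge))]}, None
        if kind == 3:                  # leg 3: must arrive on the connection that received leg 2
            challenge = self.pending.pop(conn_id, None)
            if challenge is None:      # connection closed between legs (HTTP/1.0 case): start over
                return self._challenge()
            info = parse_type3(raw)
            qualified = f"{info['domain']}\\{info['user']}"
            if qualified in self.accounts and hmac.compare_digest(
                    stand_in_response(self.accounts[qualified], challenge), info["nt_response"]):
                return 200, {}, qualified      # mod_ntlm sets REMOTE_USER=DOMAIN\user
        return self._challenge()

def run_handshake(handler, conn_id, domain, user, password):
    """Client side of the three legs on one connection; returns (status, REMOTE_USER) of leg 3."""
    handler.handle(conn_id)                                        # plain GET -> 401, schemes offered
    _, hdrs, _ = handler.handle(conn_id, ntlm_header(TYPE1))       # leg 1 -> 401 with Type 2
    type2 = base64.b64decode(hdrs["WWW-Authenticate"][0].split(" ", 1)[1])
    type3 = build_type3(domain, user, "WS1", stand_in_response(password, type2[24:32]))
    status, _, remote_user = handler.handle(conn_id, ntlm_header(type3))
    return status, remote_user
```

The per-connection `pending` table is the whole point of the keep-alive requirement: a Type 3 that arrives on a connection with no outstanding challenge (because the client opened a new connection after the Type 2 reply, as an HTTP/1.0 client without persistent connections must) cannot be matched to anything and is refused, after which the client starts over. Calling `run_handshake(NtlmAuthHandler({"CORP\\alice": "s3cret"}), "conn-1", "CORP", "alice", "s3cret")` returns `(200, "CORP\\alice")`.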

Why do I get an error when I do basic authentication with the server?

When it handles basic authentication, mod_ntlm mimics the NTLM client/server exchange itself, using the username and password it received to play the client's part. For this to work correctly, the server process must have access to a set of user credentials of its own. The LocalSystem account (the default for most Apache installations) has what is termed a NULL set of credentials, so this path fails.

To resolve the issue, run Apache as a user other than LocalSystem. This may involve creating another user with the Windows NT User Manager, then using the Services applet in the Control Panel to change the account that the 'Apache' service logs on as.

What rights do users require to be authenticated?

Users must have the SE_NETWORK_LOGON_NAME account right ("Access this computer from the network") to be authenticated, because the logon that mod_ntlm performs on their behalf is a network logon.

This right can be granted using the Windows NT User Manager:

  1. Select User Rights... from the Policies menu.
  2. Grant the "Access this computer from the network" right to the users you want to verify access for.

This document was last updated Friday, 12th October 2001.