Frequently Asked Questions
I installed mod_ntlm and now the Apache service won't start!
Try starting it from the command line, i.e. by typing
C:\Apache> apache [enter]
If you get a message similar to:
Syntax error on line 183 of c:/apache/conf/httpd.conf:
API module structure `ntlm_module' in file c:/apache/modules/ApacheModuleNTLM.dll
is garbled - perhaps this is not an Apache module DSO?
then it is likely that there is a mismatch between the version of Apache
you are using and the version that your binary was compiled for. If you
get any other error message, send a copy to me, using the link at the bottom
of this page.
Where are the specifications for NTLM?
That's a good question. There are specifications for the Microsoft APIs
that I used, in MSDN. As for the actual
contents of each authentication token, the Microsoft doco only says that
developers should treat the token "as opaque" - meaning, I guess, that
they don't want anyone else to know.
A number of people have information (mostly SMB/CIFS related) on bits
and pieces of the NTLM authentication protocol. Most of this was recently
blown out of the water with the introduction of NTLM version 2, by Microsoft
in Windows NT service pack 4.
What does NTLM stand for?
NTLM is the Windows NT / Lan Manager authentication
protocol. The most widespread version is probably v0.12. Version 2 was
introduced with the release of Windows NT service pack 4.
Why would I want to use mod_ntlm?
If you run an internet or intranet web site on Apache for NT, and you'd
like to use the Windows NT user database, then this module is for you.
In addition, NTLM authentication is more secure than basic authentication,
and for a Windows server, is more practical than digest authentication. (MD5
hashes of the users' passwords are not readily available.)
Finally, Microsoft Internet Explorer can be configured to perform this
authentication automatically, without requiring the user to manually enter
their username and password again.
Why wouldn't I just use mod_auth_smb?
Two reasons. First, mod_auth_smb only runs on Unix. Second, it still uses
basic authentication, meaning that passwords are sent across the wire in
cleartext, and that MSIE users are prompted for a username and password.
Can I use mod_ntlm under Unix?
No. Unfortunately, mod_ntlm is not at all portable (it uses many Microsoft-specific APIs).
There is another module, also called "mod_ntlm", that links against the Samba libraries and can be used on Unix.
Visit its home page for more details.
You can also try searching modules.apache.org and your favourite search engine.
Why wouldn't I just use basic authentication over SSL?
NTLM is a challenge/response authentication mechanism. This means that
the server never receives a copy of the password in cleartext. Over an
SSL connection, the password is still transmitted to the server.
Another reason is that SSL incurs quite a high performance penalty,
because it requires computationally intensive encryption work to be done.
One alternative that is (in my opinion) better than mod_ntlm is the
use of client certificates and SSL/TLS connections. Unfortunately, there's
no way currently to integrate this with Windows NT security, although this
is allegedly part of Windows 2000.
What can I do with it?
Mod_ntlm authenticates remote users against the local Windows NT machine.
Anyone trying to brute-force an account's password will find that the account
gets locked out after a specified number of attempts - a notable omission
from most basic authentication implementations.
Mod_ntlm can accept NTLM or basic authorization, and can be configured
to set one as the preferred method. This means that it's possible to have
Netscape Navigator, Opera and other non-NTLM clients accessing the restricted
areas of a site - the user just has to key in their username and password
once each session.
Mod_ntlm can be non-authoritative. This means that you can run two (or
more) authorization schemes in parallel: for example, the basic scheme
in Apache's mod_auth.
How about a usage sample?
This is a simple configuration that can be put into an .htaccess file.
AuthType NTLM
NTLMAuth On
NTLMAuthoritative On
NTLMOfferBasic On
require valid-user
Any user who is in the Windows NT user database (of the server or any trusted
domains the server belongs to) will be granted access, and their username
(DOMAINNAME\Username) will be set in the REMOTE_USER environment variable.
Remember, you need to specify an AuthType whenever you use a
require directive.
Why doesn't Microsoft Internet Explorer 3 work?
It does, but Apache doesn't (as a rule) provide persistent connections
to HTTP/1.0 clients. A workaround has been implemented in mod_ntlm, and
is enabled as follows:
NTLMMSIE3Hack on
Keep-alive connections (also known as persistent connections) are required
for the three-leg NTLM authentication protocol to function correctly.
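To show why the three legs must share one persistent connection, and why the server never receives the password itself (the point made in the SSL question above), here is an added Python sketch that is not part of mod_ntlm: the TYPE1/TYPE2/TYPE3 tokens and the HMAC-based response are simplified stand-ins for the real (opaque) NTLM messages, and USER_DB is a constructed user database.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-in for the Windows NT user database: account -> key derived
# from the password (the real NT hash and NTLM token layouts are not modelled).
USER_DB = {"CORP\\alice": hashlib.sha256(b"correct horse").digest()}


def client_response(password, challenge):
    """Leg 3 on the browser side: prove the password without sending it."""
    return hmac.new(hashlib.sha256(password).digest(), challenge, hashlib.sha256).digest()


class NTLMServer:
    """The challenge issued on leg 2 is remembered per connection, so leg 3
    must arrive on the same (keep-alive) connection to be matched up."""

    def __init__(self):
        self.pending = {}  # connection id -> challenge issued on leg 2

    def handle(self, conn_id, authorization):
        """Returns (401, WWW-Authenticate value) or (200, REMOTE_USER)."""
        if not authorization or not authorization.startswith("NTLM "):
            return 401, "NTLM"  # leg 1: advertise the NTLM scheme
        kind, _, body = base64.b64decode(authorization[5:]).partition(b":")
        if kind == b"TYPE1":  # leg 2: issue a fresh random challenge
            challenge = os.urandom(8)
            self.pending[conn_id] = challenge
            return 401, "NTLM " + base64.b64encode(b"TYPE2:" + challenge).decode()
        if kind == b"TYPE3":  # leg 3: check the response against that challenge
            challenge = self.pending.pop(conn_id, None)
            user, _, response = body.partition(b"\0")
            key = USER_DB.get(user.decode())
            if challenge is not None and key is not None:
                expected = hmac.new(key, challenge, hashlib.sha256).digest()
                if hmac.compare_digest(expected, response):
                    return 200, user.decode()  # ends up in REMOTE_USER
        return 401, "NTLM"  # wrong password, unknown user, or lost challenge


def run_handshake(server, user, password, keep_alive):
    """Drive all three legs; without keep-alive every leg is a new connection."""
    conn = iter([0, 0, 0]) if keep_alive else iter(range(1000))
    server.handle(next(conn), None)                                           # leg 1
    _, hdr = server.handle(next(conn), "NTLM " + base64.b64encode(b"TYPE1:").decode())  # leg 2
    challenge = base64.b64decode(hdr[5:]).partition(b":")[2]
    type3 = b"TYPE3:" + user.encode() + b"\0" + client_response(password, challenge)
    return server.handle(next(conn), "NTLM " + base64.b64encode(type3).decode())  # leg 3
```

With keep_alive=False the challenge stored on leg 2 is never found on leg 3, which is exactly the failure an HTTP/1.0 client without persistent connections runs into.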
Why do I get an error when I do basic authentication with the server?
When it handles basic authentication, mod_ntlm performs a client/server logon on
the user's behalf. For this to work correctly, the server must have access to a set of
user credentials. The LocalSystem account (the default for most Apache
installations) has what is termed a NULL set of credentials.
To resolve the issue, you need to run Apache as a user other than LocalSystem.
This may involve creating another user with the Windows NT User Manager, then
using the Services applet in the Control Panel to change the user that the
'Apache' service runs as.
What rights do users require to be authenticated?
Users must have the SE_NETWORK_LOGON_NAME account right to be authenticated.
This right can be granted using the Windows NT User Manager:
- Select User Rights... from the Policies menu.
- Grant the "Access this computer from the network" right to the users you want to verify access for.
This document was last updated Friday, 12th October 2001.