laurent.dami at justice
Mar 29, 2012, 11:56 PM
>From: André Warnier [mailto:aw [at] ice-sa]
>Sent: Thursday, 29 March 2012 11:00
>To: mod_perl list
>Subject: Re: Minor issue with AuthenNTLM
>Michiel Beijen wrote:
>> IP schreef op 2012-03-27 16:03:
>>> I've successfully managed to make AuthenNTLM work with my PHP script,
>>> but for some reason the Apache error log is now flooded with
>>> messages like:
>>> [error] Bad/Missing NTLM/Basic Authorization Header for
>> This is actually reported as a (very old) bug in the RT queue for the
>> I was considering forking the module and fixing bugs like these, but I
>> am not quite sure how much sense that makes given the fact that NTLM is
>> deprecated technology.
>Huh? Who said that? To my knowledge, 99% of large corporations use NTLM
>Authentication) as their basic AAA mechanism.
If I remember correctly, Apache2::AuthenNTLM only supports NTLMv1, and recent versions of Windows require NTLMv2 by default (but apparently you can force it back to v1 by deploying some policies on the workstations).
About forking the module... I also considered that option a few years ago; fixing the bug mentioned above would be convenient, and adapting for NTLMv2 would be great... but I gave up because it seemed very hard to grasp the logic and be able to modify it. The only thing I could come up with was Apache2::AuthenNTLM::Cookie, which keeps the identity in a cookie so that the NTLM handshake occurs only once... and therefore you have fewer messages in your Apache log.
Another bug with Apache2::AuthenNTLM is that it uses a semaphore for mutual exclusion; I'm not even sure that this semaphore is really necessary, but anyway sometimes there is a deadlock and requests have to wait for 30 or 40 seconds without reason.
For the future, the way to go is Kerberos; this is what Microsoft is pushing as a replacement for NTLM.
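To make the cookie idea above concrete, here is an added example (not code from this thread nor from Apache2::AuthenNTLM::Cookie itself) of the check a practitioner would want around such a cookie: the cached identity must be integrity-protected and time-limited, otherwise it is a forgeable bearer token that skips the handshake entirely. The cookie name, lifetime and key handling are assumptions; only core Perl modules are used so it runs stand-alone.

```perl
#!/usr/bin/perl
# Added example: cache an identity already established by the NTLM
# handshake in an HMAC-signed, expiring cookie. Names and TTL are assumed.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);
use MIME::Base64 qw(encode_base64 decode_base64);

my $COOKIE_NAME = 'NTLMAuthSession';   # assumed cookie name
my $TTL         = 8 * 3600;            # assumed lifetime: one working day
# Placeholder only: a real key is random, secret, and shared by all
# Apache children (e.g. read from a root-only file at server start).
my $SECRET      = 'replace-with-a-long-random-secret';

# Build the cookie value once the NTLM handler has set the user name.
sub mint_cookie {
    my ($user, $now) = @_;
    my $payload = encode_base64("$user|" . ($now + $TTL), '');
    return "$payload." . hmac_sha256_hex($payload, $SECRET);
}

# Return the cached user, or undef when the cookie is absent, tampered
# with or expired; undef means "fall back to the full NTLM handshake".
sub user_from_cookie {
    my ($value, $now) = @_;
    return undef unless defined $value;
    my ($payload, $mac) = split /\./, $value, 2;
    return undef unless defined $mac;
    my $expected = hmac_sha256_hex($payload, $SECRET);
    return undef unless length($mac) == length($expected);
    my $diff = 0;   # constant-time comparison of the two hex MACs
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expected, $_, 1))
        for 0 .. length($mac) - 1;
    return undef if $diff;
    my ($user, $expires) = split /\|/, decode_base64($payload), 2;
    return undef unless defined $expires && $expires =~ /^\d+$/;
    return undef if $now > $expires;
    return $user;
}

# Demo with a constructed identity. In a handler the value would come from
# $r->headers_in->{Cookie} and be set via $r->err_headers_out->add(...).
my $now = time;
my $c   = mint_cookie('DOMAIN\\alice', $now);
print "valid:    ", user_from_cookie($c, $now) // 'undef', "\n";
(my $forged = $c) =~ s/^(.{4})./$1x/;   # corrupt one payload character
print "tampered: ", user_from_cookie($forged, $now) // 'undef', "\n";
print "expired:  ", user_from_cookie($c, $now + $TTL + 1) // 'undef', "\n";
```

Because the cookie replaces the handshake for its whole lifetime, it should also be marked HttpOnly and Secure when set, and its TTL bounds how long a revoked account can keep using a stolen copy.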