
Mailing List Archive: ModPerl: ModPerl

Minor issue with AuthenNTLM

 

 



ip4work at gmail

Mar 27, 2012, 7:03 AM

Post #1 of 9 (2802 views)
Minor issue with AuthenNTLM

Hi everyone,

I've successfully managed to make AuthenNTLM work with my PHP script,
but for some reason the Apache error log is now flooded with
messages like:
[error] Bad/Missing NTLM/Basic Authorization Header for /....somefile.php

It seems the message is generated for every single file the browser
tries to read.

From the NTLM side everything works, the user is correctly authenticated;
the problem is only these "mysterious" messages.

If this isn't the right place to ask, please point me in the right direction :)

Any help is appreciated, thanks.


michiel.beijen at otrs

Mar 28, 2012, 11:18 PM

Post #2 of 9 (2715 views)
Re: Minor issue with AuthenNTLM

Hi,

IP wrote on 2012-03-27 16:03:

> I've successfully managed to make AuthenNTLM work with my PHP script,
> but for some reason the Apache error log is now flooded with
> messages like:
> [error] Bad/Missing NTLM/Basic Authorization Header for
> /....somefile.php

This is actually reported as a (very old) bug in the RT queue for the
module:
https://rt.cpan.org/Public/Bug/Display.html?id=39602

I was considering forking the module and fixing bugs like these, but I
am not quite sure how much sense that makes given the fact that NTLM is
deprecated technology.

--
Mike


aw at ice-sa

Mar 29, 2012, 1:59 AM

Post #3 of 9 (2713 views)
Re: Minor issue with AuthenNTLM

Michiel Beijen wrote:
> Hi,
>
> IP wrote on 2012-03-27 16:03:
>
>> I've successfully managed to make AuthenNTLM work with my PHP script,
>> but for some reason the Apache error log is now flooded with
>> messages like:
>> [error] Bad/Missing NTLM/Basic Authorization Header for
>> /....somefile.php
>
> This is actually reported as a (very old) bug in the RT queue for the
> module:
> https://rt.cpan.org/Public/Bug/Display.html?id=39602
>
> I was considering forking the module and fixing bugs like these, but I
> am not quite sure how much sense that makes given the fact that NTLM is
> deprecated technology.
>
Huh? Who said that? To my knowledge, 99% of large corporations use NTLM (Windows Domain
Authentication) as their basic AAA mechanism.


fred at redhotpenguin

Mar 29, 2012, 8:16 PM

Post #4 of 9 (2720 views)
Re: Minor issue with AuthenNTLM

> I was considering forking the module and fixing bugs like these, but I
> am not quite sure how much sense that makes given the fact that NTLM is
> deprecated technology.



If you're considering forking it, it may not be deprecated.

I'd suggest trying to release a module to CPAN that resolves your specific issue, but has a slightly different namespace than Apache2::NTLM. Make it clear what your module does that Apache2::NTLM does not. Maybe Apache2::NTLM::OTRS.

If the bug you are running into is a blocker for a lot of NTLM users, you should see an increase in the use of your module. This is a very healthy software development process, one that I think GitHub is really doing a great job of executing on.


On Wednesday, March 28, 2012 at 11:18 PM, Michiel Beijen wrote:

> Hi,
>
> IP wrote on 2012-03-27 16:03:
>
> > I've successfully managed to make AuthenNTLM work with my PHP script,
> > but for some reason the Apache error log is now flooded with
> > messages like:
> > [error] Bad/Missing NTLM/Basic Authorization Header for
> > /....somefile.php
>
>
>
> This is actually reported as a (very old) bug in the RT queue for the
> module:
> https://rt.cpan.org/Public/Bug/Display.html?id=39602
>
>
>
> --
> Mike


laurent.dami at justice

Mar 29, 2012, 11:56 PM

Post #5 of 9 (2724 views)
RE: Minor issue with AuthenNTLM

>-----Original Message-----
>From: André Warnier [mailto:aw [at] ice-sa]
>Sent: Thursday, 29 March 2012 11:00
>To: mod_perl list
>Subject: Re: Minor issue with AuthenNTLM
>
>Michiel Beijen wrote:
>> Hi,
>>
>> IP wrote on 2012-03-27 16:03:
>>
>>> I've successfully managed to make AuthenNTLM work with my PHP script,
>>> but for some reason the Apache error log is now flooded with
>>> messages like:
>>> [error] Bad/Missing NTLM/Basic Authorization Header for
>>> /....somefile.php
>>
>> This is actually reported as a (very old) bug in the RT queue for the
>> module:
>> https://rt.cpan.org/Public/Bug/Display.html?id=39602
>>
>> I was considering forking the module and fixing bugs like these, but I
>> am not quite sure how much sense that makes given the fact that NTLM is
>> deprecated technology.
>>
>Huh? Who said that? To my knowledge, 99% of large corporations use NTLM
>(Windows Domain Authentication) as their basic AAA mechanism.
>


If I remember correctly, Apache2::AuthenNTLM only supports NTLMv1, and recent versions of Windows require NTLMv2 by default (but apparently you can force it back to v1 by deploying some policies on the workstations).

About forking the module .. I also considered that option a few years ago; fixing the bug mentioned above would be convenient, and adapting for NTLMv2 would be great ... but I gave up because it seemed very hard to grasp the logic and be able to modify it. The only thing I could come up with was Apache2::AuthenNTLM::Cookie, which keeps the identity in a cookie so that the NTLM handshake occurs only once ... and therefore you have less messages in your Apache log.

Another bug with Apache2::AuthenNTLM is that it uses a semaphore for mutual exclusion; I'm not even sure that this semaphore is really necessary, but anyway sometimes there is a deadlock and requests have to wait for 30 or 40 seconds without reason.

For the future, the way to go is Kerberos; this is what Microsoft is pushing in replacement for NTLM.


michiel.beijen at otrs

Apr 1, 2012, 11:25 AM

Post #6 of 9 (2712 views)
Re: Minor issue with AuthenNTLM

Hi André,

On 29-3-2012 10:59, André Warnier wrote:
>> I was considering forking the module and fixing bugs like these, but
>> I am not quite sure how much sense that makes given the fact that
>> NTLM is deprecated technology.
>
> Huh ? Who said that ? To my knowledge, 99% of large corporations use
> NTLM (Windows Domain Authentication) as their basic AAA mechanism.
Well, Microsoft said that:

"Implementers should be aware that NTLM does not support any recent
cryptographic methods, such as AES or SHA-256. It uses cyclic redundancy
check (CRC)
<http://msdn.microsoft.com/en-us/library/780943e9-42e6-4dbe-aa87-1dce828ba82a%28v=prot.10%29#CRC>
or message digest algorithms ([RFC1321]
<http://go.microsoft.com/fwlink/?LinkId=90275>) for integrity, and it
uses RC4 for encryption. Deriving a key
<http://msdn.microsoft.com/en-us/library/0aa17e1f-b3c1-478a-9bf0-2d826888d081%28v=prot.10%29#key>
from a password is as specified in [RFC1320]
<http://go.microsoft.com/fwlink/?LinkId=90274> and [FIPS46-2]
<http://go.microsoft.com/fwlink/?LinkId=89871>. Therefore, applications
are generally advised not to use NTLM.<74>
<http://msdn.microsoft.com/en-us/library/a211d894-21bc-4b8b-86ba-b83d0c167b00%28v=prot.10%29#id74>"

Ref: http://msdn.microsoft.com/en-us/library/cc236715%28v=PROT.10%29.aspx

So, really, the convenience of Apache2::AuthenNTLM is that it is set up
relatively easy, but it only works well on 'older' infrastructure and it
has the mentioned security implications. Although, on the other hand, if
you use SSL, and if the alternative is authentication with domain
username / password, this is not much different in reality.

Kerberos (or especially mod_auth_kerb) is in my experience a pain to set
up; also, the error messages are very tricky. I found even with the
'definitive guide' on Grolmsnet it was still tedious and difficult to
understand the different error messages. I would *HEART* it if at least
the distros would make setting up mod_auth_kerb a little easier.

BTW I found that if you're on Windows it is actually quite easy to do
Single Sign on with Apache using mod_auth_sspi.
--
Mike


wrowe at rowe-clan

Apr 4, 2012, 12:28 AM

Post #7 of 9 (2697 views)
Re: Minor issue with AuthenNTLM

On 3/30/2012 1:56 AM, Dami Laurent (PJ) wrote:
>> -----Original Message-----
>> From: André Warnier [mailto:aw [at] ice-sa]
>>>
>>> I was considering forking the module and fixing bugs like these, but I
>>> am not quite sure how much sense that makes given the fact that NTLM is
>>> deprecated technology.
>>>
>> Huh ? Who said that ? To my knowledge, 99% of large corporations use NTLM
>> (Windows Domain
>> Authentication) as their basic AAA mechanism.

Well, NTLM was DoA. It isn't HTTP compatible (0.9, 1.0 or 1.1). HTTP is stateless, MS
NTLM presumes a stateful connection.

> For the future, the way to go is Kerberos; this is what Microsoft is pushing in replacement for NTLM.

Bingo.
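Added example, mine and not code from this thread or from Apache2::AuthenNTLM: a model of the NTLM-over-HTTP exchange the thread is about, in Python so it runs stand-alone. It shows the stateful, per-connection handshake William describes, the "Bad/Missing NTLM/Basic Authorization Header" line the original poster sees once for every fresh connection, and the identity cookie shortcut Laurent describes, which collapses that to a single handshake. The Type 1/2/3 layouts follow MS-NLMP. Assumptions: the server does not verify the challenge response (a real module relays it to a domain controller) and only checks that one is present; the cookie is HMAC-signed with an invented per-server key; the host names, file list, user and domain are invented; how exactly Apache2::AuthenNTLM decides to log is not on this page, so the model logs whenever a request arrives with no usable Authorization header and no authenticated state.

```python
# Added example, not code from the thread or from Apache2::AuthenNTLM.
# NTLM authenticates a TCP connection, HTTP does not, so server state is
# keyed on the connection and every fresh connection opens with a request
# that carries no Authorization header: that request is the logged error.
import base64
import hashlib
import hmac
import os
import struct

NTLMSSP = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
COOKIE_KEY = os.urandom(32)      # assumed per-server secret for the cookie MAC
ERR = "Bad/Missing NTLM/Basic Authorization Header for "


def _field(data, payload, base):
    """8-byte Len/MaxLen/Offset descriptor; data is appended to the payload."""
    off = base + len(payload)
    payload += data
    return struct.pack("<HHI", len(data), len(data), off)


def build_type1():
    """NEGOTIATE_MESSAGE: signature, type, flags, empty domain/workstation."""
    return NTLMSSP + struct.pack("<II", 1, NEGOTIATE_UNICODE) + b"\0" * 16


def build_type2(challenge):
    """CHALLENGE_MESSAGE: the 8-byte ServerChallenge sits at offset 24."""
    return (NTLMSSP + struct.pack("<I", 2) + b"\0" * 8
            + struct.pack("<I", NEGOTIATE_UNICODE) + challenge + b"\0" * 16)


def build_type3(domain, user, nt_response):
    """AUTHENTICATE_MESSAGE: 64-byte header, then the variable-length payload."""
    payload = bytearray()
    fields = b"".join(_field(x, payload, 64) for x in (
        b"\0" * 24, nt_response, domain.encode("utf-16-le"),
        user.encode("utf-16-le"), b"", b""))
    return (NTLMSSP + struct.pack("<I", 3) + fields
            + struct.pack("<I", NEGOTIATE_UNICODE) + bytes(payload))


def msg_type(msg):
    if msg[:8] != NTLMSSP or len(msg) < 12:
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", msg, 8)[0]


def parse_type3(msg):
    """Extract NT response, domain and user via their Len/Offset descriptors."""
    if msg_type(msg) != 3:
        raise ValueError("not a Type 3 message")
    def take(off):
        ln, _, start = struct.unpack_from("<HHI", msg, off)
        return msg[start:start + ln]
    return {"nt_response": take(20), "domain": take(28).decode("utf-16-le"),
            "user": take(36).decode("utf-16-le")}


class NtlmServer:
    def __init__(self):
        self.conns = {}      # conn_id -> {"challenge": bytes} or {"user": str}
        self.errlog = []     # what would go to the Apache error log

    def _mac(self, user):
        return hmac.new(COOKIE_KEY, user.encode(), hashlib.sha256).hexdigest()

    def _cookie_user(self, cookie):
        user, _, mac = cookie.rpartition("|")
        return user if user and hmac.compare_digest(mac, self._mac(user)) else None

    def handle(self, conn_id, uri, headers):
        """Return (status, response headers, authenticated user or None)."""
        st = self.conns.setdefault(conn_id, {})
        if "user" in st:                         # connection already authenticated
            return 200, {}, st["user"]
        user = self._cookie_user(headers.get("Cookie", ""))
        if user:                                 # signed identity cookie, no handshake
            return 200, {}, user
        auth = headers.get("Authorization", "")
        if auth.startswith("NTLM "):
            msg = base64.b64decode(auth[5:])
            if msg_type(msg) == 1:               # step 1: hand out a challenge
                st["challenge"] = os.urandom(8)
                t2 = base64.b64encode(build_type2(st["challenge"])).decode()
                return 401, {"WWW-Authenticate": "NTLM " + t2}, None
            if msg_type(msg) == 3 and "challenge" in st:
                info = parse_type3(msg)
                # Assumption: a real module verifies nt_response against the
                # challenge (Apache2::AuthenNTLM relays it to a domain
                # controller); this toy only requires that one is present.
                if info["nt_response"]:
                    user = f"{info['domain']}\\{info['user']}"
                    st.clear()
                    st["user"] = user
                    return 200, {"Set-Cookie": f"ntlm_sso={user}|{self._mac(user)}"}, user
        self.errlog.append(ERR + uri)            # first request on every new connection
        return 401, {"WWW-Authenticate": "NTLM"}, None


def browse(server, files, keep_alive, send_cookie):
    """Fetch files like a browser: one connection per file unless keep_alive.
    Returns (files served with 200, number of full handshakes performed)."""
    cookie, ok, handshakes = None, 0, 0
    for i, uri in enumerate(files):
        conn = "c0" if keep_alive else f"c{i}"
        hdrs = {"Cookie": cookie} if send_cookie and cookie else {}
        status, resp, _ = server.handle(conn, uri, hdrs)
        if status == 401:                        # three round trips on this connection
            handshakes += 1
            t1 = base64.b64encode(build_type1()).decode()
            status, resp, _ = server.handle(conn, uri, {"Authorization": "NTLM " + t1})
            challenge = base64.b64decode(resp["WWW-Authenticate"][5:])[24:32]
            # The real NT response is derived from the challenge; placeholder here.
            t3 = base64.b64encode(build_type3("CORP", "alice", challenge + b"\0" * 16)).decode()
            status, resp, _ = server.handle(conn, uri, {"Authorization": "NTLM " + t3})
        if status == 200:
            ok += 1
            if "Set-Cookie" in resp:
                cookie = resp["Set-Cookie"].split("=", 1)[1]
    return ok, handshakes


if __name__ == "__main__":
    files = ["/index.php", "/style.css", "/app.js", "/logo.png"]   # invented
    for ka, ck in ((False, False), (True, False), (False, True)):
        srv = NtlmServer()
        print("keep_alive", ka, "cookie", ck, browse(srv, files, ka, ck), "log lines", len(srv.errlog))
```

Run as-is, the three scenarios give four log lines and four handshakes when every file is fetched on a fresh connection, and one of each with keep-alive or with the cookie. The cookie turns a connection-bound identity into an HTTP-bound one; anyone who can read or replay it gets the session, so it needs the same transport protection (TLS) as a password.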


aw at ice-sa

Apr 4, 2012, 12:49 AM

Post #8 of 9 (2692 views)
Re: Minor issue with AuthenNTLM

William A. Rowe Jr. wrote:
> On 3/30/2012 1:56 AM, Dami Laurent (PJ) wrote:
>>> -----Original Message-----
>>> From: André Warnier [mailto:aw [at] ice-sa]
>>>> I was considering forking the module and fixing bugs like these, but I
>>>> am not quite sure how much sense that makes given the fact that NTLM is
>>>> deprecated technology.
>>>>
>>> Huh ? Who said that ? To my knowledge, 99% of large corporations use NTLM
>>> (Windows Domain
>>> Authentication) as their basic AAA mechanism.
>
> Well, NTLM was DoA. It isn't HTTP compatible (0.9, 1.0 or 1.1). HTTP is stateless, MS
> NTLM presumes a stateful connection.
>
>> For the future, the way to go is Kerberos; this is what Microsoft is pushing in replacement for NTLM.
>
> Bingo.
>

I agree with all of the above, and NTLM is a p.i.t.a.
Nevertheless, I have quite a few large international companies as customers, and all of
them, today, are still using variations of NTLM. Most of them now NTLMv2 as default, but
many of them still support NTLMv1, for legacy reasons.
In most of them, there is still a significant number of workstations and servers which run
OS versions which do not support anything else, and/or application software ditto.
What MS is pushing is one thing (if anything, they need to sell more new OS licenses);
what customers really do is not necessarily the same.


ip4work at gmail

Apr 4, 2012, 11:51 PM

Post #9 of 9 (2689 views)
Re: Minor issue with AuthenNTLM

I would also support the fact that big companies are still using NTLM
for non-critical resources (as a convenience).
This is also my goal here (to protect a non-critical resource).

> For the future, the way to go is Kerberos; this is what Microsoft is pushing in replacement for NTLM.
Any good literature for setting up Linux (with Apache) with Kerberos
for SSO with Windows Clients? %)
