Posted to modperl@perl.apache.org by IP <ip...@gmail.com> on 2012/03/27 16:03:46 UTC

Minor issue with AuthenNTLM

Hi everyone,

I've successfully managed to make AuthenNTLM work with my PHP script,
but for some reason the Apache error log is now flooded with
messages like:
[error] Bad/Missing NTLM/Basic Authorization Header for /....somefile.php

It seems the message is generated for every single file the browser
tries to read.

From the NTLM side everything works, the user is correctly authenticated;
the problem is only these "mysterious" messages.

If this isn't the right place to ask, please point me in the right direction :)

Any help is appreciated, thanks.
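Triage logic for the log flood described in this post, as an added example that is not part of the thread or of Apache2::AuthenNTLM itself: it separates the "Bad/Missing NTLM/Basic Authorization Header" lines from other errors and summarizes them per client, so the per-file noise can be filtered without losing real errors. The sample log lines and the noise-versus-failure heuristic are constructed assumptions, not something the module documents.

```python
import re
from collections import Counter, defaultdict
# Constructed Apache 2.2-style error_log sample (not taken from the thread):
# client 10.0.0.5 fetches four different files, client 10.0.0.7 hits one file three times.
SAMPLE_LOG = """\
[Tue Mar 27 16:03:46 2012] [error] [client 10.0.0.5] Bad/Missing NTLM/Basic Authorization Header for /index.php
[Tue Mar 27 16:03:46 2012] [error] [client 10.0.0.5] Bad/Missing NTLM/Basic Authorization Header for /css/site.css
[Tue Mar 27 16:03:46 2012] [error] [client 10.0.0.5] Bad/Missing NTLM/Basic Authorization Header for /js/app.js
[Tue Mar 27 16:03:47 2012] [error] [client 10.0.0.5] Bad/Missing NTLM/Basic Authorization Header for /img/logo.png
[Tue Mar 27 16:03:47 2012] [error] [client 10.0.0.9] File does not exist: /var/www/favicon.ico
[Tue Mar 27 16:05:01 2012] [error] [client 10.0.0.7] Bad/Missing NTLM/Basic Authorization Header for /index.php
[Tue Mar 27 16:05:02 2012] [error] [client 10.0.0.7] Bad/Missing NTLM/Basic Authorization Header for /index.php
[Tue Mar 27 16:05:03 2012] [error] [client 10.0.0.7] Bad/Missing NTLM/Basic Authorization Header for /index.php
"""
# Timestamp and "[client ...]" are optional so the abbreviated line quoted in the thread also matches.
NTLM_RE = re.compile(
    r"^(?:\[(?P<ts>[^\]]+)\] )?\[error\] (?:\[client (?P<client>[^\]]+)\] )?"
    r"Bad/Missing NTLM/Basic Authorization Header for (?P<path>\S+)$"
)

def split_ntlm_noise(log_text):
    """Separate AuthenNTLM 'Bad/Missing' events from every other error line."""
    events, others = [], []
    for line in log_text.splitlines():
        m = NTLM_RE.match(line)
        if m:
            events.append(m.groupdict())
        elif line.strip():
            others.append(line)
    return events, others

def summarize_by_client(events):
    """Per client: total messages, distinct paths, most repeats of a single path."""
    per_client = defaultdict(Counter)
    for e in events:
        per_client[e["client"] or "unknown"][e["path"]] += 1
    return {c: {"messages": sum(p.values()), "distinct_paths": len(p),
                "max_repeats": max(p.values())} for c, p in per_client.items()}

def classify(stats):
    """Heuristic (this example's assumption): one message per distinct file is the per-file
    handshake noise from the thread; the same file logged repeatedly points at a client
    that never completes the handshake and deserves a look."""
    return "handshake-noise" if stats["max_repeats"] == 1 else "repeated-failure"

def triage(log_text):
    """Map each client to its verdict; non-NTLM lines are returned for normal review."""
    events, others = split_ntlm_noise(log_text)
    verdicts = {c: classify(s) for c, s in summarize_by_client(events).items()}
    return verdicts, others
```

Feed the real error_log through `triage` and forward only the `others` lines plus the `repeated-failure` clients to whatever normally watches the log.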

Re: Minor issue with AuthenNTLM

Posted by André Warnier <aw...@ice-sa.com>.
William A. Rowe Jr. wrote:
> On 3/30/2012 1:56 AM, Dami Laurent (PJ) wrote:
>>> -----Original Message-----
>>> From: André Warnier [mailto:aw@ice-sa.com]
>>>> I was considering forking the module and fixing bugs like these, but I
>>>> am not quite sure how much sense that makes given the fact that NTLM is
>>>> deprecated technology.
>>>>
>>> Huh ? Who said that ?  To my knowledge, 99% of large corporations use NTLM
>>> (Windows Domain
>>> Authentication) as their basic AAA mechanism.
> 
> Well, NTLM was DoA.  It isn't HTTP compatible (0.9, 1.0 or 1.1).  HTTP is stateless, MS
> NTLM presumes a stateful connection.
> 
>> For the future, the way to go is Kerberos; this is what Microsoft is pushing in replacement for NTLM. 
> 
> Bingo.
> 

I agree with all of the above, and NTLM is a p.i.t.a.
Nevertheless, I have quite a few large international companies as customers, and all of 
them, today, are still using variations of NTLM.  Most of them now use NTLMv2 as default, but 
many of them still support NTLMv1, for legacy reasons.
In most of them, there is still a significant number of workstations and servers which run 
OS versions which do not support anything else, and/or application software ditto.
What MS is pushing is one thing (if anything, they need to sell more new OS licenses); 
what customers really do is not necessarily the same.


Re: Minor issue with AuthenNTLM

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 3/30/2012 1:56 AM, Dami Laurent (PJ) wrote:
>> -----Original Message-----
>> From: André Warnier [mailto:aw@ice-sa.com]
>>>
>>> I was considering forking the module and fixing bugs like these, but I
>>> am not quite sure how much sense that makes given the fact that NTLM is
>>> deprecated technology.
>>>
>> Huh ? Who said that ?  To my knowledge, 99% of large corporations use NTLM
>> (Windows Domain
>> Authentication) as their basic AAA mechanism.

Well, NTLM was DoA.  It isn't HTTP compatible (0.9, 1.0 or 1.1).  HTTP is stateless, MS
NTLM presumes a stateful connection.

> For the future, the way to go is Kerberos; this is what Microsoft is pushing in replacement for NTLM. 

Bingo.

Re: Minor issue with AuthenNTLM

Posted by IP <ip...@gmail.com>.
I would also support the fact that big companies are still using NTLM
for non-critical resources (as a convenience).
This is also my goal here (to protect a non-critical resource).

> For the future, the way to go is Kerberos; this is what Microsoft is pushing in replacement for NTLM.
Any good literature for setting up Linux (with Apache) with Kerberos
for SSO with Windows Clients? %)

RE: Minor issue with AuthenNTLM

Posted by "Dami Laurent (PJ)" <la...@justice.ge.ch>.
>-----Original Message-----
>From: André Warnier [mailto:aw@ice-sa.com]
>Sent: Thursday, 29 March 2012 11:00
>To: mod_perl list
>Subject: Re: Minor issue with AuthenNTLM
>
>Michiel Beijen wrote:
>> Hi,
>>
>> IP wrote on 2012-03-27 16:03:
>>
>>> I've successfully managed to make AuthenNTLM work with my PHP script,
>>> but for some reason the Apache error log is now flooded with
>>> messages like:
>>> [error] Bad/Missing NTLM/Basic Authorization Header for
>>> /....somefile.php
>>
>> This is actually reported as a (very old) bug in the RT queue for the
>> module:
>> https://rt.cpan.org/Public/Bug/Display.html?id=39602
>>
>> I was considering forking the module and fixing bugs like these, but I
>> am not quite sure how much sense that makes given the fact that NTLM is
>> deprecated technology.
>>
>Huh ? Who said that ?  To my knowledge, 99% of large corporations use NTLM
>(Windows Domain
>Authentication) as their basic AAA mechanism.
>


If I remember correctly, Apache2::AuthenNTLM only supports NTLMv1, and recent versions of Windows require NTLMv2 by default (but apparently you can force it back to v1 by deploying some policies on the workstations).

About forking the module... I also considered that option a few years ago; fixing the bug mentioned above would be convenient, and adapting for NTLMv2 would be great... but I gave up because it seemed very hard to grasp the logic and be able to modify it. The only thing I could come up with was Apache2::AuthenNTLM::Cookie, which keeps the identity in a cookie so that the NTLM handshake occurs only once... and therefore you have fewer messages in your Apache log.

Another bug with Apache2::AuthenNTLM is that it uses a semaphore for mutual exclusion; I'm not even sure that this semaphore is really necessary, but anyway sometimes there is a deadlock and requests have to wait for 30 or 40 seconds without reason. 

For the future, the way to go is Kerberos; this is what Microsoft is pushing in replacement for NTLM. 

Re: Minor issue with AuthenNTLM

Posted by Michiel Beijen <mi...@otrs.com>.
Hi André,

On 29-3-2012 10:59, André Warnier wrote:
>> I was considering forking the module and fixing bugs like these, but 
>> I am not quite sure how much sense that makes given the fact that 
>> NTLM is deprecated technology.
>
> Huh ? Who said that ?  To my knowledge, 99% of large corporations use 
> NTLM (Windows Domain Authentication) as their basic AAA mechanism.
Well, Microsoft said that:

"Implementers should be aware that NTLM does not support any recent 
cryptographic methods, such as AES or SHA-256. It uses cyclic redundancy 
check (CRC) 
<http://msdn.microsoft.com/en-us/library/780943e9-42e6-4dbe-aa87-1dce828ba82a%28v=prot.10%29#CRC> 
or message digest algorithms ([RFC1321] 
<http://go.microsoft.com/fwlink/?LinkId=90275>) for integrity, and it 
uses RC4 for encryption. Deriving a key 
<http://msdn.microsoft.com/en-us/library/0aa17e1f-b3c1-478a-9bf0-2d826888d081%28v=prot.10%29#key> 
from a password is as specified in [RFC1320] 
<http://go.microsoft.com/fwlink/?LinkId=90274> and [FIPS46-2] 
<http://go.microsoft.com/fwlink/?LinkId=89871>. Therefore, applications 
are generally advised not to use NTLM.<74> 
<http://msdn.microsoft.com/en-us/library/a211d894-21bc-4b8b-86ba-b83d0c167b00%28v=prot.10%29#id74>"

Ref: http://msdn.microsoft.com/en-us/library/cc236715%28v=PROT.10%29.aspx

So, really, the convenience of Apache2::AuthenNTLM is that it is set up 
relatively easy, but it only works well on 'older' infrastructure and it 
has the mentioned security implications. Although, on the other hand, if 
you use SSL, and if the alternative is authentication with domain 
username / password, this is not much different in reality.

Kerberos (or especially mod_auth_kerb) is in my experience a pain to set 
up; also, the error messages are very tricky. I found even with the 
'definitive guide' on Grolmsnet it was still tedious and difficult to 
understand the different error messages.  I would *HEART* it if at least 
the distros would make setting up mod_auth_kerb a little easier.

BTW I found that if you're on Windows it is actually quite easy to do 
Single Sign-On with Apache using mod_auth_sspi.
--
Mike

Re: Minor issue with AuthenNTLM

Posted by André Warnier <aw...@ice-sa.com>.
Michiel Beijen wrote:
> Hi,
> 
> IP wrote on 2012-03-27 16:03:
> 
>> I've successfully managed to make AuthenNTLM work with my PHP script,
>> but for some reason the Apache error log is now flooded with
>> messages like:
>> [error] Bad/Missing NTLM/Basic Authorization Header for
>> /....somefile.php
> 
> This is actually reported as a (very old) bug in the RT queue for the 
> module:
> https://rt.cpan.org/Public/Bug/Display.html?id=39602
> 
> I was considering forking the module and fixing bugs like these, but I 
> am not quite sure how much sense that makes given the fact that NTLM is 
> deprecated technology.
> 
Huh ? Who said that ?  To my knowledge, 99% of large corporations use NTLM (Windows Domain 
Authentication) as their basic AAA mechanism.



Re: Minor issue with AuthenNTLM

Posted by Fred Moyer <fr...@redhotpenguin.com>.
> I was considering forking the module and fixing bugs like these, but I
> am not quite sure how much sense that makes given the fact that NTLM is
> deprecated technology.

 

If you're considering forking it, it may not be deprecated.

I'd suggest trying to release a module to CPAN that resolves your specific issue, but has a slightly different namespace than Apache2::NTLM. Make it clear what your module does that Apache2::NTLM does not. Maybe Apache2::NTLM::OTRS.

If the bug you are running into is a blocker for a lot of NTLM users, you should see an increase in the use of your module. This is a very healthy software development process, one that I think GitHub is really doing a great job of executing on.


On Wednesday, March 28, 2012 at 11:18 PM, Michiel Beijen wrote:

> Hi,
> 
> IP wrote on 2012-03-27 16:03:
> 
> > I've successfully managed to make AuthenNTLM work with my PHP script,
> > but for some reason the Apache error log is now flooded with
> > messages like:
> > [error] Bad/Missing NTLM/Basic Authorization Header for
> > /....somefile.php
> 
> 
> 
> This is actually reported as a (very old) bug in the RT queue for the 
> module:
> https://rt.cpan.org/Public/Bug/Display.html?id=39602
> 
> 
> 
> --
> Mike




Re: Minor issue with AuthenNTLM

Posted by Michiel Beijen <mi...@otrs.com>.
Hi,

IP wrote on 2012-03-27 16:03:

> I've successfully managed to make AuthenNTLM work with my PHP script,
> but for some reason the Apache error log is now flooded with
> messages like:
> [error] Bad/Missing NTLM/Basic Authorization Header for
> /....somefile.php

This is actually reported as a (very old) bug in the RT queue for the 
module:
https://rt.cpan.org/Public/Bug/Display.html?id=39602

I was considering forking the module and fixing bugs like these, but I 
am not quite sure how much sense that makes given the fact that NTLM is 
deprecated technology.

--
Mike