NTLM

NTLM is the protocol that Internet Explorer uses to automatically log a user in to a site using the OS login credentials. There are lots of intranet applications that do this within an organization. What’s neat is that it’s not just limited to Internet Explorer and IIS.

First off, Firefox can do NTLM as well. In version 1.0, you need to navigate to about:config and find network.automatic-ntlm-auth.trusted-uris. Give it a value such as a domain (guyton.net) that you trust with your OS login credentials. Multiple hosts can be entered, separated by commas. After that, automatic logins!

Note that to do this in IE, you need to go to Internet Options – Security – Local Intranet (or Trusted Sites) and add the host substring there (though it might need *.guyton.net or something similar).

OK, so enough about the browsers, what about the back-end servers? Since we like UNIX here, we aren’t gonna touch IIS. Apache 2 is our favorite way to go, and two methods exist:

So far I’ve experimented with the first one, and it seems to work OK. After half a day it seems that the website gets pretty slow in responding, so I suspect a memory leak.

I plan on trying the second one out tomorrow. It seems to support multiple domains and PDCs/BDCs for each, and returns the domain as well as the userid in the REMOTE_USER env var, which I need.
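Since the module hands back the domain together with the userid in REMOTE_USER, the application behind Apache should split the two and refuse identities from a domain it does not expect. The following is an added example, not code from the post or from either Apache module; it assumes REMOTE_USER arrives as DOMAIN\user (the exact spelling is not given in the post) and also accepts user@domain as a second, assumed form.

```python
# Added example, not code from the original post or from the Apache modules
# it mentions. Assumes the NTLM module writes REMOTE_USER as DOMAIN\user;
# user@domain is accepted as a second, assumed form.
from typing import NamedTuple, Optional, Sequence


class Identity(NamedTuple):
    domain: str  # normalised to upper case, e.g. "GUYTON"
    user: str    # normalised to lower case, e.g. "bob"


def parse_remote_user(value: str) -> Optional[Identity]:
    """Split a REMOTE_USER value into (domain, user); None if malformed."""
    value = value.strip()
    if "\\" in value:
        domain, _, user = value.partition("\\")
    elif "@" in value:
        user, _, domain = value.rpartition("@")
    else:
        # No domain qualifier at all: refuse rather than assume a default,
        # since two domains could each contain a user with this name.
        return None
    domain, user = domain.strip(), user.strip()
    if not domain or not user:
        return None
    # A second separator in either half means this is not a plain
    # DOMAIN\user pair; treat it as malformed.
    if any(c in part for part in (domain, user) for c in "\\@/"):
        return None
    return Identity(domain.upper(), user.lower())


def authorize(environ: dict, trusted_domains: Sequence[str]) -> Optional[Identity]:
    """Return the identity only if REMOTE_USER parses and its domain is trusted."""
    ident = parse_remote_user(environ.get("REMOTE_USER", ""))
    if ident is None:
        return None
    if ident.domain not in {d.upper() for d in trusted_domains}:
        return None
    return ident


if __name__ == "__main__":
    # Constructed sample CGI environments; the values are made up.
    samples = [
        {"REMOTE_USER": "GUYTON\\Bob"},
        {"REMOTE_USER": "bob@guyton"},
        {"REMOTE_USER": "OTHERDOM\\bob"},
        {"REMOTE_USER": "bob"},
        {},
    ]
    for env in samples:
        print(env.get("REMOTE_USER", "<unset>"), "->", authorize(env, ["guyton"]))
```

The point of returning None for an unqualified name is that, with several domains and PDCs/BDCs behind one Apache, "bob" alone does not identify anyone; the domain is part of the identity, not decoration.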

These should theoretically authenticate with Samba as well, which can get data from an LDAP server. This is nice because the whole thing can be implemented with Firefox, Samba, Apache, and OpenLDAP, thus completely eliminating reliance on Microsoft products (other than OS login) while still providing single sign-on capabilities.


3 Replies to “NTLM”

  1. Apache::AuthenNTLM works like a charm. Multiple domains, fast (due to modPerl), etc.

    Now the only problem is that I’m told our primary domain is switching over to Kerberos and will be turning NTLM off soon. Ugh! Will have to see what I can set up there…

  2. I’ve got my Linux server at work authenticating against the Active Directory Kerberos domain. Didn’t even need a host principal. Sweet! Now I don’t have to worry about an extra password on the UNIX box. Still working on the web part – most likely I need a web HTTP principal.

    Now at home I need to figure out how to get Windows XP Home edition working with all this, then get a kerberized ssh client (ssh on Fedora already uses Kerberos). It would be ideal to get a kerberized VNC session up, too, but that might be wishful thinking without having to pay money…

    1. Cool, I got mod_auth_kerb working on Apache at home, this one not needing mod_perl, either. On my Linux desktop, if I run kinit and get a Kerberos credential cache, then Konqueror will automatically log in to my webserver! (It’s possible that I don’t have to configure any further trust because the machine realm and webserver realm are the same – don’t know about cross-realm workings). If I did not have kinit run, then it asked for a password. Pretty neat!

      I did have a little trouble getting the webserver working right – turns out it was failing because my service principal was http/saturn.guyton.net@GUYTON.NET instead of HTTP/saturn.guyton.net@GUYTON.NET. Huh. Anyway, now that that’s taken care of…

      Firefox was a little more tricky – I had to edit a different setting than NTLM in about:config – this time I set “guyton.net” to the network.negotiate-auth.trusted-uris parameter, and after that, Firefox on Linux did automatic logins as well. Sweet!

      I have not gotten this working on Win XP Home with either Firefox or IE. Most likely it won’t work, since XP Home doesn’t really support Kerberos by default (so I think). We’ll see if I find anything. Makes a case for a Linux or XP Pro desktop.
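The principal-case mistake in the last reply (http/ instead of HTTP/) is easy to make and silent until the browser's ticket request fails. The following is an added example, not code from the post or from mod_auth_kerb: a small check that a service principal name has the HTTP/fqdn@REALM shape before it goes into a keytab. It relies on the fact that Kerberos principal names are case-sensitive, and on the conventions (assumed here, not stated in the post) that the host part is the lower-case canonical FQDN and the realm is upper case.

```python
# Added example, not from the post or from mod_auth_kerb. Validates a
# Kerberos service principal against the HTTP/<fqdn>@<REALM> shape a web
# server needs, catching the lower-case "http/" slip described above.
from typing import List, NamedTuple, Optional


class Principal(NamedTuple):
    service: str
    host: str
    realm: str


def parse_principal(name: str) -> Optional[Principal]:
    """Split service/host@REALM; None if any component is missing."""
    body, sep, realm = name.partition("@")
    if not sep or not realm:
        return None
    service, sep, host = body.partition("/")
    if not sep or not service or not host:
        return None
    return Principal(service, host, realm)


def check_http_principal(name: str, expected_host: str, expected_realm: str) -> List[str]:
    """Return a list of problems; an empty list means the SPN looks right.

    Principal names are case-sensitive, so the service must be exactly
    "HTTP" and the host must match the canonical (lower-case) FQDN the
    browser will resolve; the realm is conventionally upper case.
    """
    problems: List[str] = []
    p = parse_principal(name)
    if p is None:
        return ["not of the form service/host@REALM"]
    if p.service != "HTTP":
        if p.service.upper() == "HTTP":
            problems.append(
                f"service is '{p.service}', must be 'HTTP' (principals are case-sensitive)"
            )
        else:
            problems.append(f"service is '{p.service}', expected 'HTTP'")
    if p.host != expected_host.lower():
        problems.append(f"host is '{p.host}', expected '{expected_host.lower()}'")
    if p.realm != expected_realm:
        if p.realm.upper() == expected_realm.upper():
            problems.append(f"realm '{p.realm}' differs in case from '{expected_realm}'")
        else:
            problems.append(f"realm is '{p.realm}', expected '{expected_realm}'")
    return problems


if __name__ == "__main__":
    # The two spellings from the reply above: the broken one and the working one.
    for spn in ("http/saturn.guyton.net@GUYTON.NET", "HTTP/saturn.guyton.net@GUYTON.NET"):
        print(spn, "->", check_http_principal(spn, "saturn.guyton.net", "GUYTON.NET") or "ok")
```

Run it against each principal you are about to export into the web server's keytab; a non-empty list is the same mistake the reply describes, caught before Apache is restarted.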
