Unofficial MOD_NTLM Apache Module
This is an unofficial modification to the MOD_NTLM Apache module.
There are separate files for v1.3 and v2.0.
For details on using this with Apache v2.2, see this page:
http://mywheel.net/blog/index.php/mod_ntlm2-on-apache-22x/
I haven’t tested these modifications, so please leave comments as to your success.
Note: I take no credit for these modules. All the credit for making the modifications to the official MOD_NTLM module goes to Michael Chai.
What enhancements are there to the official version?
The following enhancements to the module were made (by Michael Chai):
- Domain controller access synchronization. Added a lock (file locking in Apache 1.3.x and a global mutex in Apache 2.x) that prevents two Apache processes from accessing the NT domain controllers simultaneously. This fixes a problem that causes IE to throw a dialog box asking for user name and password if it tries to retrieve an HTML page containing multiple images.
- Logging enhancement. The log file in /tmp is eliminated and the logs pertaining to NTLM are written to the standard Apache web server log based on the logging level configured in the httpd.conf.
- Global variable elimination (for Apache 2.x ONLY). There was a serious flaw in the downloaded SourceForge version. The connection to the domain controller is used as a global variable and it's periodically destroyed by Apache when the connection to the client times out every 15 seconds (it's the default KeepAliveTimeout value in httpd.conf). This causes problems if the connection is still used by other threads that are in the middle of handling requests from other clients. The enhancements were made so that the connection to the Domain Controller is now associated with a client connection, not shared as a global variable.
- Keep connection alive. In the middle of the NTLM conversation (specifically, after receiving msg1 from the client), the Apache server destroys the connection if the number of requests exceeds MaxKeepAliveRequests (normally 100), which results in a dialog box asking for user name and password in the client's browser. A change was made to keep the connection alive so that the NTLM conversation can finish.
- Multi domain support. Added support for multi-domain users by taking domain name from user’s request instead of from the configuration file.
- Active Directory Support. Added support for using AD servers as the primary and secondary domain controllers.
- Unicode flag fix. Fixed a bug in the handling of the Unicode flag. This solves the problem of only the first character showing in msg1 on Solaris.
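The "Global variable elimination" item above, shown as a simplified model. This is an added example, not code from mod_ntlm or from Michael Chai's patch; every type and function name in it is hypothetical, and a domain controller session is reduced to a single open flag.

```c
#include <stdio.h>

/* Simplified model of the lifetime bug; every name here is hypothetical. */
typedef struct { int open; } dc_session;          /* link to the domain controller */
typedef struct { dc_session *dc; dc_session own; } client_conn;

static dc_session g_dc;                           /* the shared global of the flawed design */

/* Flawed: every client borrows the one global session. */
static void attach_shared(client_conn *c) { g_dc.open = 1; c->dc = &g_dc; }

/* Fixed: the session is stored in, and lives as long as, the client connection. */
static void attach_owned(client_conn *c) { c->own.open = 1; c->dc = &c->own; }

/* Runs when a client's keep-alive expires: tears down the session it holds. */
static void on_keepalive_timeout(client_conn *c) { c->dc->open = 0; c->dc = NULL; }

/* The next handshake step needs a live session; 0 means authentication fails. */
static int finish_handshake(const client_conn *c) { return c->dc && c->dc->open; }

/* Client A times out while client B is between handshake messages. */
static int b_survives(void (*attach)(client_conn *))
{
    client_conn a = {0}, b = {0};
    attach(&a);
    attach(&b);                 /* B has sent msg1 and is waiting */
    on_keepalive_timeout(&a);   /* A idles past KeepAliveTimeout */
    return finish_handshake(&b);
}

int shared_design_survives(void) { return b_survives(attach_shared); }
int owned_design_survives(void)  { return b_survives(attach_owned); }

int main(void)
{
    printf("shared global session:  B %s\n", shared_design_survives() ? "ok" : "fails");
    printf("per-connection session: B %s\n", owned_design_survives() ? "ok" : "fails");
    return 0;
}
```

In the shared case client B's handshake fails because client A's timeout closed the session B was still using; with per-connection ownership A's teardown cannot reach B's session.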
Installation
Briefly
Unpack the files to your server then, as root, enter: make install && make restart.
Full instructions
For full installation instructions, please see the official MOD_NTLM website.
Usage
There is a sample .conf file in the downloaded .tar.gz which should demonstrate the usage of this module.
