perl-modperl mailing list archives

From Andrew Green <and...@article7.co.uk>
Subject Apache::AuthenNTLM behind a proxy
Date Mon, 05 Jul 2004 16:12:09 GMT
Hi,

I've got a problem trying to set up Apache::AuthenNTLM to secure the 
administration area for our (mod_perl-based) CMS.

The server setup is as follows:

	* A lightweight port-80 instance of Apache, which deals with
	  all requests for static content, and proxies everything else
	  over to...
	  
	* A mod_perl-centric, port-8080 instance of Apache, which
	  deals with all the dynamic, mod_perl-generated content

I've set up the authentication on the administration area in the 
httpd.conf file for the backend, port-8080 server to use AuthenNTLM.  
When I access a test script directly on the port:8080 server, the 
authentication works a dream.  This seems to confirm, to me, that the 
settings are basically correct.

However, when I try to access the authenticated area through the 
frontend, port-80 server, the authentication doesn't work.  The client  
gets a variation on the "little grey box" of Basic Authentication, this 
time with a "domain" field added.  Entering details into the box only 
brings the box back, however.

KeepAlive is on for both Apaches.  I've enabled "PerlSetVar ntlmdebug 
2", and the output for each situation is below.  I've asterisked out 
anything that I think might be unwise to post on a public forum; if it 
turns out that some of that is needed to figure out what's going on, 
I'll be glad to revise that heuristic!

Firstly, the direct attempt (which worked):

[14925] AuthenNTLM: Config Domain = domain1  pdc = ****  bdc = ****
[14925] AuthenNTLM: Config Default Domain = domain1
[14925] AuthenNTLM: Config Fallback Domain = 
[14925] AuthenNTLM: Config AuthType = ntlm AuthName = CMS NTLM 
Authentication Test
[14925] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
[14925] AuthenNTLM: Config NTLMAuthoritative = on  BasicAuthoritative = 
on
[14925] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
[14925] AuthenNTLM: Authorization Header <not given>
[Mon Jul  5 15:03:23 2004] [error] access to /res/env.cgi failed for  , 
reason: Bad/Missing NTLM/Basic Authorization Header for /res/env.cgi
[14925] AuthenNTLM: Start NTLM Authen handler pid = 14925, connection = 
156590692 conn_http_hdr = Keep-Alive  main =  cuser =  remote_ip = **** 
remote_port = **** remote_host = < > version = 0.23
[14925] AuthenNTLM: Object exists user = \
[14925] AuthenNTLM: Authorization Header NTLM 
TlRMTVNTUAABAAAAB7IAoAcABwAoAAAACAAIACAAAABXQkMtVFMtMURPTUFJTjE=
[14925] AuthenNTLM: Got: 78 84 76 77 83 83 80 0 1 0 0 0 7 178 0 160 7 0 
7 0 40 0 0 0 8 0 8 0 32 0 0 0 87 66 67 45 84 83 45 49 68 79 77 65 73 78 
49
[14925] AuthenNTLM: protocol=NTLMSSP, type=1, 
flags1=7(NEGOTIATE_UNICODE,NEGOTIATE_OEM,REQUEST_TARGET), 
flags2=178(NEGOTIATE_ALWAYS_SIGN,NEGOTIATE_NTLM), domain length=7, 
domain offset=40, host length=8, host offset=32, host=WBC-TS-1, 
domain=DOMAIN1
[14925] AuthenNTLM: Connect to pdc = **** bdc = **** domain = domain1
[14925] AuthenNTLM: timed out while waiting for lock (key = 23754)
[14925] AuthenNTLM: leave lock
[14925] AuthenNTLM: Send: 78 84 76 77 83 83 80 0 2 0 0 0 0 0 0 0 40 0 0 
0 1 130 0 0 216 117 139 24 181 48 159 61 0 0 0 0 0 0 0 0
[14925] AuthenNTLM: charencoding = 1
[14925] AuthenNTLM: flags2 = 130
[14925] AuthenNTLM: nonce=Øuµ0=
[14925] AuthenNTLM: Send header: NTLM 
TlRMTVNTUAACAAAAAAAAACgAAAABggAA2HWLGLUwnz0AAAAAAAAAAA==
[14925] AuthenNTLM: Start NTLM Authen handler pid = 14925, connection = 
156590692 conn_http_hdr = Keep-Alive  main =  cuser =  remote_ip = **** 
remote_port = **** remote_host = < > version = 0.23
[14925] AuthenNTLM: Object exists user = \
[14925] AuthenNTLM: Authorization Header NTLM 
TlRMTVNTUAADAAAAGAAYAG4AAAAYABgAhgAAAA4ADgBAAAAAEAAQAE4AAAAQABAAXgAAAAAAAACeAAAABYIAAEQATwBNAEEASQBOADEAYQByAHQAaQBjAGwAZQA3AFcAQgBDAC0AVABTAC0AMQBDF+KMFTHlqAmWaSgr17JBJVr6fpDj9dGBGDYhHPRVxYNQsYcPvPYUSpQoEYrg0T8=
[14925] AuthenNTLM: Got: 78 84 76 77 83 83 80 0 3 0 0 0 24 0 24 0 110 0 
0 0 24 0 24 0 134 0 0 0 14 0 14 0 64 0 0 0 16 0 16 0 78 0 0 0 16 0 16 0 
94 0 0 0 0 0 0 0 158 0 0 0 5 130 0 0 68 0 79 0 77 0 65 0 73 0 78 0 49 0 
97 0 114 0 116 0 105 0 99 0 108 0 101 0 55 0 87 0 66 0 67 0 45 0 84 0 
83 0 45 0 49 0 67 23 226 140 21 49 229 168 9 150 105 40 43 215 178 65 
37 90 250 126 144 227 245 209 129 24 54 33 28 244 85 197 131 80 177 135 
15 188 246 20 74 148 40 17 138 224 209 63
[14925] AuthenNTLM: protocol=NTLMSSP, type=3, user=****, host=****, 
domain=DOMAIN1, msg_len=0
[14925] AuthenNTLM: Verify user **** via smb server
[14925] AuthenNTLM: OK pid = 14925, connection = 156590692 cuser = **** 
ip = ****


Next, the attempt via the port-80 Apache proxy.  The following is taken 
from the port-8080 error log, so at least some of the data is being 
proxied properly.

[14927] AuthenNTLM: Config Domain = domain1  pdc = ****  bdc = ****
[14927] AuthenNTLM: Config Default Domain = domain1
[14927] AuthenNTLM: Config Fallback Domain = 
[14927] AuthenNTLM: Config AuthType = ntlm AuthName = CMS NTLM 
Authentication Test
[14927] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
[14927] AuthenNTLM: Config NTLMAuthoritative = on  BasicAuthoritative = 
on
[14927] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
[14927] AuthenNTLM: Authorization Header <not given>
[Mon Jul  5 15:04:48 2004] [error] access to /res/env.cgi failed for  , 
reason: Bad/Missing NTLM/Basic Authorization Header for /res/env.cgi
[14928] AuthenNTLM: Config Domain = domain1  pdc = ****  bdc = ****
[14928] AuthenNTLM: Config Default Domain = domain1
[14928] AuthenNTLM: Config Fallback Domain = 
[14928] AuthenNTLM: Config AuthType = ntlm AuthName = CMS NTLM 
Authentication Test
[14928] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
[14928] AuthenNTLM: Config NTLMAuthoritative = on  BasicAuthoritative = 
on
[14928] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
[14928] AuthenNTLM: Authorization Header NTLM 
TlRMTVNTUAABAAAAB7IAoAcABwAoAAAACAAIACAAAABXQkMtVFMtMURPTUFJTjE=
[14928] AuthenNTLM: Got: 78 84 76 77 83 83 80 0 1 0 0 0 7 178 0 160 7 0 
7 0 40 0 0 0 8 0 8 0 32 0 0 0 87 66 67 45 84 83 45 49 68 79 77 65 73 78 
49
[14928] AuthenNTLM: protocol=NTLMSSP, type=1, 
flags1=7(NEGOTIATE_UNICODE,NEGOTIATE_OEM,REQUEST_TARGET), 
flags2=178(NEGOTIATE_ALWAYS_SIGN,NEGOTIATE_NTLM), domain length=7, 
domain offset=40, host length=8, host offset=32, host=****, 
domain=DOMAIN1
[14928] AuthenNTLM: Connect to pdc = **** bdc = **** domain = domain1
[14928] AuthenNTLM: timed out while waiting for lock (key = 23754)
[14928] AuthenNTLM: leave lock
[14928] AuthenNTLM: Send: 78 84 76 77 83 83 80 0 2 0 0 0 0 0 0 0 40 0 0 
0 1 130 0 0 237 54 160 59 210 45 73 31 0 0 0 0 0 0 0 0
[14928] AuthenNTLM: charencoding = 1
[14928] AuthenNTLM: flags2 = 130
[14928] AuthenNTLM: nonce=í6 ;Ò-I
[14928] AuthenNTLM: Send header: NTLM 
TlRMTVNTUAACAAAAAAAAACgAAAABggAA7TagO9ItSR8AAAAAAAAAAA==
[14931] AuthenNTLM: Config Domain = domain1  pdc = ****  bdc = ****
[14931] AuthenNTLM: Config Default Domain = domain1
[14931] AuthenNTLM: Config Fallback Domain = 
[14931] AuthenNTLM: Config AuthType = ntlm AuthName = CMS NTLM 
Authentication Test
[14931] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
[14931] AuthenNTLM: Config NTLMAuthoritative = on  BasicAuthoritative = 
on
[14931] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
[14931] AuthenNTLM: Authorization Header NTLM 
TlRMTVNTUAADAAAAGAAYAG4AAAAYABgAhgAAAA4ADgBAAAAAEAAQAE4AAAAQABAAXgAAAAAAAACeAAAABYIAAEQATwBNAEEASQBOADEAYQByAHQAaQBjAGwAZQA3AFcAQgBDAC0AVABTAC0AMQBiv3n6p8JPs2uUTnt8MF2EP4hRjEh2tCiqD+KoKwflU3uqx/pgoASpny765wJy6Hp=
[14931] AuthenNTLM: Got: 78 84 76 77 83 83 80 0 3 0 0 0 24 0 24 0 110 0 
0 0 24 0 24 0 134 0 0 0 14 0 14 0 64 0 0 0 16 0 16 0 78 0 0 0 16 0 16 0 
94 0 0 0 0 0 0 0 158 0 0 0 5 130 0 0 68 0 79 0 77 0 65 0 73 0 78 0 49 0 
97 0 114 0 116 0 105 0 99 0 108 0 101 0 55 0 87 0 66 0 67 0 45 0 84 0 
83 0 45 0 49 0 98 191 121 250 167 194 79 179 107 148 78 123 124 48 93 
132 63 136 81 140 72 118 180 40 170 15 226 168 43 7 229 83 123 170 199 
250 96 160 4 169 159 46 250 231 2 114 232 122
[14931] AuthenNTLM: protocol=NTLMSSP, type=3, user=****, host=****, 
domain=DOMAIN1, msg_len=0
[Mon Jul  5 15:04:50 2004] [error] access to /res/env.cgi failed for  , 
reason: SMB Server connection not open in state 3 for /res/env.cgi


Any ideas would be very much appreciated.

Cheers,
Andrew.
-- 
                   ::
      article seven       Andrew Green
 automatic internet       andrew@article7.co.uk | www.article7.co.uk

-- 
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html
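
Added example, not part of the original message: in the two debug logs above, the direct handshake is handled entirely by pid 14925, while the proxied one is spread across pids 14927, 14928 and 14931. NTLM authenticates a connection rather than a single request, so this Python sketch reads ntlmdebug-style lines and reports whether the type-3 message reached the process that sent the challenge; the sample lines are constructed, and treating a pid change as a new backend connection assumes one process per connection (prefork).

```python
import re

# Constructed samples, trimmed to the shape of the ntlmdebug output in the post.
DIRECT = """\
[14925] AuthenNTLM: Authorization Header <not given>
[14925] AuthenNTLM: protocol=NTLMSSP, type=1, flags1=7
[14925] AuthenNTLM: Send header: NTLM <challenge>
[14925] AuthenNTLM: protocol=NTLMSSP, type=3, user=****, host=****,
[14925] AuthenNTLM: OK pid = 14925
"""
PROXIED = """\
[14927] AuthenNTLM: Authorization Header <not given>
[14928] AuthenNTLM: protocol=NTLMSSP, type=1, flags1=7
[14928] AuthenNTLM: Send header: NTLM <challenge>
[14931] AuthenNTLM: protocol=NTLMSSP, type=3, user=****, host=****,
"""

LINE = re.compile(r"^\[(\d+)\] AuthenNTLM: (.*)$")   # [pid] AuthenNTLM: body
RECV = re.compile(r"protocol=NTLMSSP, type=([13])\b")  # negotiate / authenticate

def trace_handshake(log_text):
    """Return (msg_type, pid) events in log order; 2 = challenge sent."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # plain Apache error_log lines and wrapped continuations
        pid, body = int(m.group(1)), m.group(2)
        received = RECV.search(body)
        if received:
            events.append((int(received.group(1)), pid))
        elif body.startswith("Send header: NTLM"):
            events.append((2, pid))
    return events

def split_handshakes(events):
    """For each type-3 message, compare its pid with the pid that sent the challenge."""
    findings, challenger = [], None
    for msg_type, pid in events:
        if msg_type == 2:
            challenger = pid
        elif msg_type == 3:
            findings.append({"challenge_pid": challenger, "auth_pid": pid,
                             "same_process": challenger == pid})
            challenger = None
    return findings

if __name__ == "__main__":
    print(split_handshakes(trace_handshake(PROXIED)))
```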

