Date: Mon, 5 Jul 2004 17:12:09 +0100
From: Andrew Green
To: modperl@perl.apache.org
Message-ID: <20040705171209081059.GyazMail.andrew@article7.co.uk>
Subject: Apache::AuthenNTLM behind a proxy
Organization: Article Seven

Hi,

I've got a problem trying to set up Apache::AuthenNTLM to secure the administration area for our (mod_perl-based) CMS.

The server setup is as follows:

	* A lightweight port-80 instance of Apache, which deals with
	  all requests for static content, and proxies everything else
	  over to...

	* A mod_perl-centric, port-8080 instance of Apache, which
	  deals with all the dynamic, mod_perl-generated content

I've set up the authentication on the administration area in the httpd.conf file for the backend, port-8080 server to use AuthenNTLM. When I access a test script directly on the port-8080 server, the authentication works a dream. This seems to confirm, to me, that the settings are basically correct.

However, when I try to access the authenticated area through the frontend, port-80 server, the authentication doesn't work. The client gets a variation on the "little grey box" of Basic Authentication, this time with a "domain" field added. Entering details into the box only brings the box back, however.

KeepAlive is on for both Apaches. I've enabled "PerlSetVar ntlmdebug 2", and the output for each situation is below. I've asterisked out anything that I think might be unwise to post on a public forum; if it turns out that some of that is needed to figure out what's going on, I'll be glad to revise that heuristic!

Firstly, the direct attempt (which worked):

[14925] AuthenNTLM: Config Domain = domain1 pdc = **** bdc = ****
[14925] AuthenNTLM: Config Default Domain = domain1
[14925] AuthenNTLM: Config Fallback Domain =
[14925] AuthenNTLM: Config AuthType = ntlm AuthName = CMS NTLM Authentication Test
[14925] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
[14925] AuthenNTLM: Config NTLMAuthoritative = on BasicAuthoritative = on
[14925] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
[14925] AuthenNTLM: Authorization Header
[Mon Jul 5 15:03:23 2004] [error] access to /res/env.cgi failed for , reason: Bad/Missing NTLM/Basic Authorization Header for /res/env.cgi
[14925] AuthenNTLM: Start NTLM Authen handler pid = 14925, connection = 156590692 conn_http_hdr = Keep-Alive main = cuser = remote_ip = **** remote_port = **** remote_host = < > version = 0.23
[14925] AuthenNTLM: Object exists user = \
[14925] AuthenNTLM: Authorization Header NTLM TlRMTVNTUAABAAAAB7IAoAcABwAoAAAACAAIACAAAABXQkMtVFMtMURPTUFJTjE=
[14925] AuthenNTLM: Got: 78 84 76 77 83 83 80 0 1 0 0 0 7 178 0 160 7 0 7 0 40 0 0 0 8 0 8 0 32 0 0 0 87 66 67 45 84 83 45 49 68 79 77 65 73 78 49
[14925] AuthenNTLM: protocol=NTLMSSP, type=1, flags1=7(NEGOTIATE_UNICODE,NEGOTIATE_OEM,REQUEST_TARGET), flags2=178(NEGOTIATE_ALWAYS_SIGN,NEGOTIATE_NTLM), domain length=7, domain offset=40, host length=8, host offset=32, host=WBC-TS-1, domain=DOMAIN1
[14925] AuthenNTLM: Connect to pdc = **** bdc = **** domain = domain1
[14925] AuthenNTLM: timed out while waiting for lock (key = 23754)
[14925] AuthenNTLM: leave lock
[14925] AuthenNTLM: Send: 78 84 76 77 83 83 80 0 2 0 0 0 0 0 0 0 40 0 0 0 1 130 0 0 216 117 139 24 181 48 159 61 0 0 0 0 0 0 0 0
[14925] AuthenNTLM: charencoding = 1
[14925] AuthenNTLM: flags2 = 130
[14925] AuthenNTLM: nonce=Øuµ0=
[14925] AuthenNTLM: Send header: NTLM TlRMTVNTUAACAAAAAAAAACgAAAABggAA2HWLGLUwnz0AAAAAAAAAAA==
[14925] AuthenNTLM: Start NTLM Authen handler pid = 14925, connection = 156590692 conn_http_hdr = Keep-Alive main = cuser = remote_ip = **** remote_port = **** remote_host = < > version = 0.23
[14925] AuthenNTLM: Object exists user = \
[14925] AuthenNTLM: Authorization Header NTLM TlRMTVNTUAADAAAAGAAYAG4AAAAYABgAhgAAAA4ADgBAAAAAEAAQAE4AAAAQABAAXgAAAAAAAACeAAAABYIAAEQATwBNAEEASQBOADEAYQByAHQAaQBjAGwAZQA3AFcAQgBDAC0AVABTAC0AMQBDF+KMFTHlqAmWaSgr17JBJVr6fpDj9dGBGDYhHPRVxYNQsYcPvPYUSpQoEYrg0T8=
[14925] AuthenNTLM: Got: 78 84 76 77 83 83 80 0 3 0 0 0 24 0 24 0 110 0 0 0 24 0 24 0 134 0 0 0 14 0 14 0 64 0 0 0 16 0 16 0 78 0 0 0 16 0 16 0 94 0 0 0 0 0 0 0 158 0 0 0 5 130 0 0 68 0 79 0 77 0 65 0 73 0 78 0 49 0 97 0 114 0 116 0 105 0 99 0 108 0 101 0 55 0 87 0 66 0 67 0 45 0 84 0 83 0 45 0 49 0 67 23 226 140 21 49 229 168 9 150 105 40 43 215 178 65 37 90 250 126 144 227 245 209 129 24 54 33 28 244 85 197 131 80 177 135 15 188 246 20 74 148 40 17 138 224 209 63
[14925] AuthenNTLM: protocol=NTLMSSP, type=3, user=****, host=****, domain=DOMAIN1, msg_len=0
[14925] AuthenNTLM: Verify user **** via smb server
[14925] AuthenNTLM: OK pid = 14925, connection = 156590692 cuser = **** ip = ****

Next, the attempt via the port-80 Apache proxy. The following is taken from the port-8080 error log, so at least some of the data is being proxied properly.

[14927] AuthenNTLM: Config Domain = domain1 pdc = **** bdc = ****
[14927] AuthenNTLM: Config Default Domain = domain1
[14927] AuthenNTLM: Config Fallback Domain =
[14927] AuthenNTLM: Config AuthType = ntlm AuthName = CMS NTLM Authentication Test
[14927] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
[14927] AuthenNTLM: Config NTLMAuthoritative = on BasicAuthoritative = on
[14927] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
[14927] AuthenNTLM: Authorization Header
[Mon Jul 5 15:04:48 2004] [error] access to /res/env.cgi failed for , reason: Bad/Missing NTLM/Basic Authorization Header for /res/env.cgi
[14928] AuthenNTLM: Config Domain = domain1 pdc = **** bdc = ****
[14928] AuthenNTLM: Config Default Domain = domain1
[14928] AuthenNTLM: Config Fallback Domain =
[14928] AuthenNTLM: Config AuthType = ntlm AuthName = CMS NTLM Authentication Test
[14928] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
[14928] AuthenNTLM: Config NTLMAuthoritative = on BasicAuthoritative = on
[14928] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
[14928] AuthenNTLM: Authorization Header NTLM TlRMTVNTUAABAAAAB7IAoAcABwAoAAAACAAIACAAAABXQkMtVFMtMURPTUFJTjE=
[14928] AuthenNTLM: Got: 78 84 76 77 83 83 80 0 1 0 0 0 7 178 0 160 7 0 7 0 40 0 0 0 8 0 8 0 32 0 0 0 87 66 67 45 84 83 45 49 68 79 77 65 73 78 49
[14928] AuthenNTLM: protocol=NTLMSSP, type=1, flags1=7(NEGOTIATE_UNICODE,NEGOTIATE_OEM,REQUEST_TARGET), flags2=178(NEGOTIATE_ALWAYS_SIGN,NEGOTIATE_NTLM), domain length=7, domain offset=40, host length=8, host offset=32, host=****, domain=DOMAIN1
[14928] AuthenNTLM: Connect to pdc = **** bdc = **** domain = domain1
[14928] AuthenNTLM: timed out while waiting for lock (key = 23754)
[14928] AuthenNTLM: leave lock
[14928] AuthenNTLM: Send: 78 84 76 77 83 83 80 0 2 0 0 0 0 0 0 0 40 0 0 0 1 130 0 0 237 54 160 59 210 45 73 31 0 0 0 0 0 0 0 0
[14928] AuthenNTLM: charencoding = 1
[14928] AuthenNTLM: flags2 = 130
[14928] AuthenNTLM: nonce=í6 ;Ò-I
[14928] AuthenNTLM: Send header: NTLM TlRMTVNTUAACAAAAAAAAACgAAAABggAA7TagO9ItSR8AAAAAAAAAAA==
[14931] AuthenNTLM: Config Domain = domain1 pdc = **** bdc = ****
[14931] AuthenNTLM: Config Default Domain = domain1
[14931] AuthenNTLM: Config Fallback Domain =
[14931] AuthenNTLM: Config AuthType = ntlm AuthName = CMS NTLM Authentication Test
[14931] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
[14931] AuthenNTLM: Config NTLMAuthoritative = on BasicAuthoritative = on
[14931] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
[14931] AuthenNTLM: Authorization Header NTLM TlRMTVNTUAADAAAAGAAYAG4AAAAYABgAhgAAAA4ADgBAAAAAEAAQAE4AAAAQABAAXgAAAAAAAACeAAAABYIAAEQATwBNAEEASQBOADEAYQByAHQAaQBjAGwAZQA3AFcAQgBDAC0AVABTAC0AMQBiv3n6p8JPs2uUTnt8MF2EP4hRjEh2tCiqD+KoKwflU3uqx/pgoASpny765wJy6Hp=
[14931] AuthenNTLM: Got: 78 84 76 77 83 83 80 0 3 0 0 0 24 0 24 0 110 0 0 0 24 0 24 0 134 0 0 0 14 0 14 0 64 0 0 0 16 0 16 0 78 0 0 0 16 0 16 0 94 0 0 0 0 0 0 0 158 0 0 0 5 130 0 0 68 0 79 0 77 0 65 0 73 0 78 0 49 0 97 0 114 0 116 0 105 0 99 0 108 0 101 0 55 0 87 0 66 0 67 0 45 0 84 0 83 0 45 0 49 0 98 191 121 250 167 194 79 179 107 148 78 123 124 48 93 132 63 136 81 140 72 118 180 40 170 15 226 168 43 7 229 83 123 170 199 250 96 160 4 169 159 46 250 231 2 114 232 122
[14931] AuthenNTLM: protocol=NTLMSSP, type=3, user=****, host=****, domain=DOMAIN1, msg_len=0
[Mon Jul 5 15:04:50 2004] [error] access to /res/env.cgi failed for , reason: SMB Server connection not open in state 3 for /res/env.cgi

Any ideas would be very much appreciated.

Cheers,
Andrew.

-- 
:: article seven
Andrew Green
automatic internet
andrew@article7.co.uk | www.article7.co.uk

--
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html
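An added example, not part of Andrew's message or of Apache::AuthenNTLM itself: it decodes the type 1 and type 2 tokens quoted in the logs above (the two that carry no credentials) into the fields the module logs, and replays the worker-pid sequence of both runs. The replay models one assumption, that the SMB session opened when a worker sends the type 2 challenge lives only in that worker; the pids 14925, 14928 and 14931 are taken from the log.

```python
import base64
import struct

# Negotiate-flag bits named in the AuthenNTLM log (a subset of the NTLMSSP flags).
FLAG_NAMES = {0x0001: "NEGOTIATE_UNICODE", 0x0002: "NEGOTIATE_OEM",
              0x0004: "REQUEST_TARGET", 0x0200: "NEGOTIATE_NTLM",
              0x8000: "NEGOTIATE_ALWAYS_SIGN"}

# Tokens copied from the debug output above; type 1 and type 2 carry no credentials.
TYPE1_TOKEN = "TlRMTVNTUAABAAAAB7IAoAcABwAoAAAACAAIACAAAABXQkMtVFMtMURPTUFJTjE="
TYPE2_TOKEN = "TlRMTVNTUAACAAAAAAAAACgAAAABggAA2HWLGLUwnz0AAAAAAAAAAA=="

def _secbuf(msg, off):
    """Read an NTLM security buffer (len, maxlen, offset); return the bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    return msg[offset:offset + length]

def parse_ntlm(token):
    """Parse the base64 payload of an 'Authorization: NTLM ...' header."""
    msg = base64.b64decode(token)
    if msg[:8] != b"NTLMSSP\0":
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == 1:  # negotiate: flags, then domain and workstation buffers
        flags = struct.unpack_from("<I", msg, 12)[0]
        return {"type": 1, "flags": flags,
                "flags1": flags & 0xFF, "flags2": (flags >> 8) & 0xFF,  # bytes the module logs
                "domain": _secbuf(msg, 16).decode("ascii"),
                "host": _secbuf(msg, 24).decode("ascii")}
    if mtype == 2:  # challenge: target-name buffer, flags, 8-byte server nonce
        flags = struct.unpack_from("<I", msg, 20)[0]
        return {"type": 2, "flags": flags, "challenge": msg[24:32]}
    return {"type": mtype}

def flag_names(flags):
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]

def replay(events):
    """Replay (worker pid, NTLM message type) pairs in log order. Modelled
    assumption: the SMB session opened for the type 2 challenge exists only in
    the worker that sent it, so a type 3 landing on another pid cannot finish."""
    waiting = set()
    for pid, mtype in events:
        if mtype == 2:
            waiting.add(pid)
        elif mtype == 3:
            if pid not in waiting:
                return "SMB Server connection not open in state 3"
            waiting.discard(pid)
    return "OK"
```

The changing pids in the proxied run are the detail to chase: the type 3 response has to arrive on the same backend connection, and so the same worker, that issued the challenge.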