jfamoussou asked:

NTLM authentication problem in IE6 with Apache 2 on Linux Sarge

Hello,

I need to authenticate my Windows 2000 domain users on our web server. This server is configured with Apache 2.0.54 on Debian Sarge.
I used the Apache2::AuthenNTLM Perl module, because mod_auth_ntlm doesn't work.
I think I installed and configured it successfully, but the authentication doesn't work with MSIE6.
When I try to test with Firefox, I get the login/password prompt, and after entering the right login/password it works.
I tested with the wfetch.exe Windows utility too, and it works too.
But when I use IE6, first I don't get the login/password prompt, and then I get the "The Page Cannot Be Displayed" error page.
I think I missed something, but I don't know what.

Could you help me, please?

Regards
<Location "/" >
                Order Deny,Allow
                Allow from all
                PerlAuthenHandler Apache2::AuthenNTLM
                PerlAddVar ntdomain "boursorama bsrsvdctest"
                PerlSetVar splitdomainprefix 1
                PerlSetVar ntlmdebug 2
                PerlSetVar ntlmauthoritative on
                PerlSetVar defaultdomain boursorama
                PerlSetVar ntlmsemtimeout 10
                AuthType ntlm,basic
                AuthName "Private Area"
                require valid-user
</Location>


Adam314:

Do you have KeepAlive turned off? If so, that is the problem... you'll have to turn KeepAlive on and restart Apache.

If you have keepalive on, what info is in the log?
jfamoussou (asker):

Thanks for your reply, but I already set KeepAlive to On. I attached the apache.conf and the virtual host conf.
Below you can see the Apache info log.
Thanks for your help.

[Tue Feb 05 15:03:35 2008] [info] Connection to child 13 established (server pfrweb001.boursorama.fr:443, client 10.3.245.39)
[Tue Feb 05 15:03:35 2008] [info] Seeding PRNG with 136 bytes of entropy
[15583] AuthenNTLM: Start NTLM Authen handler pid = 15583, connection = 138988768 conn_http_hdr = Keep-Alive  main =  cuser =  remote_ip = 10.3.245.39 remote_port = 13365 remote_host = <> version = 0.02 smbhandle = 
[15583] AuthenNTLM: Setup new object
[15583] AuthenNTLM: Config Domain = boursorama  pdc = bsrsvdctest  bdc = 
[15583] AuthenNTLM: Config Default Domain = boursorama
[15583] AuthenNTLM: Config Fallback Domain = 
[15583] AuthenNTLM: Config AuthType = ntlm,basic AuthName = Private Area
[15583] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 1
[15583] AuthenNTLM: Config NTLMAuthoritative = on  BasicAuthoritative = on
[15583] AuthenNTLM: Config Semaphore key = 23754 timeout = 10
[15583] AuthenNTLM: Config SplitDomainPrefix = 1
[15583] AuthenNTLM: Authorization Header <not given>
[Tue Feb 05 15:03:35 2008] [error] Bad/Missing NTLM/Basic Authorization Header for /Accueil/
[Tue Feb 05 15:03:35 2008] [info] Connection to child 13 closed with standard shutdown(server pfrweb001.boursorama.fr:443, client 10.3.245.39)
[Tue Feb 05 15:03:35 2008] [info] Connection to child 76 established (server pfrweb001.boursorama.fr:443, client 10.3.245.39)
[Tue Feb 05 15:03:35 2008] [info] Seeding PRNG with 136 bytes of entropy
[15585] AuthenNTLM: Start NTLM Authen handler pid = 15585, connection = 140148040 conn_http_hdr = Keep-Alive  main =  cuser =  remote_ip = 10.3.245.39 remote_port = 13365 remote_host = <> version = 0.02 smbhandle = 
[15585] AuthenNTLM: Setup new object
[15585] AuthenNTLM: Config Domain = boursorama  pdc = bsrsvdctest  bdc = 
[15585] AuthenNTLM: Config Default Domain = boursorama
[15585] AuthenNTLM: Config Fallback Domain = 
[15585] AuthenNTLM: Config AuthType = ntlm,basic AuthName = Private Area
[15585] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 1
[15585] AuthenNTLM: Config NTLMAuthoritative = on  BasicAuthoritative = on
[15585] AuthenNTLM: Config Semaphore key = 23754 timeout = 10
[15585] AuthenNTLM: Config SplitDomainPrefix = 1
[15585] AuthenNTLM: Authorization Header NTLM TlRMTVNTUAABAAAAB7IAoAoACgAnAAAABwAHACAAAABCU1JXNDg1Qk9VUlNPUkFNQT==
[15585] AuthenNTLM: Got: 78 84 76 77 83 83 80 0 1 0 0 0 7 178 0 160 10 0 10 0 39 0 0 0 7 0 7 0 32 0 0 0 66 83 82 87 52 56 53 66 79 85 82 83 79 82 65 77 65
[15585] AuthenNTLM: protocol=NTLMSSP, type=1, flags1=7(NEGOTIATE_UNICODE,NEGOTIATE_OEM,REQUEST_TARGET), flags2=178(NEGOTIATE_ALWAYS_SIGN,NEGOTIATE_NTLM), domain length=10, domain offset=39, host length=7, host offset=32, host=BSRW485, domain=BOURSORAMA
[15585] handler type == 1 
[15585] AuthenNTLM: Connect to pdc = bsrsvdctest bdc =  domain = boursorama
[15585] AuthenNTLM: enter lock
[15585] AuthenNTLM: verify handle  smbhandle == 139124400 
[15585] AuthenNTLM: Send: 78 84 76 77 83 83 80 0 2 0 0 0 0 0 0 0 40 0 0 0 1 130 0 0 76 164 241 15 146 119 126 52 0 0 0 0 0 0 0 0
[15585] AuthenNTLM: charencoding = 1
[15585] AuthenNTLM: flags2 = 130
[15585] AuthenNTLM: nonce=L¤ñw~4
[15585] AuthenNTLM: Send header: NTLM TlRMTVNTUAACAAAAAAAAACgAAAABggAATKTxD5J3fjQAAAAAAAAAAA==
[15585] AuthenNTLM: verify handle = 1 smbhandle == 139124400 
[Tue Feb 05 15:03:35 2008] [info] Connection to child 76 closed with standard shutdown(server pfrweb001.boursorama.fr:443, client 10.3.245.39)
[Tue Feb 05 15:03:35 2008] [info] Connection to child 14 established (server pfrweb001.boursorama.fr:443, client 10.2.53.252)
[Tue Feb 05 15:03:35 2008] [info] Seeding PRNG with 136 bytes of entropy


apache2.conf.txt
crm.txt
I've added the wfetch log; maybe it can help.
started....
Reusing existing connection (source port 1989)\n
SEC_I_CONTINUE_NEEDED - InitializeSecurityContext\n
REQUEST: **************\n
GET / HTTP/1.1\r\n
Host: pfrweb001\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
Authorization: NTLM TlRMTVNTUAABAAAAl4II4AAAAAAAAAAAAAAAAAAAAAA=\r\n
\r\n
RESPONSE: **************\n
HTTP/1.1 200 OK\r\n
Date: Tue, 05 Feb 2008 15:16:13 GMT\r\n
Server: Apache/2.0.54 (Debian GNU/Linux) mod_auth_kerb/5.0-rc6 mod_ssl/2.0.54 OpenSSL/0.9.7e mod_jk/1.2.19 mod_perl/2.0.2 Perl/v5.8.4\r\n
Last-Modified: Fri, 20 Jan 2006 11:26:48 GMT\r\n
ETag: "129148-9d4-8e8a2e00"\r\n
Accept-Ranges: bytes\r\n
Content-Length: 2516\r\n
Keep-Alive: timeout=180\r\n
Connection: Keep-Alive\r\n
Content-Type: text/html\r\n
\r\n
finished.
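
To see what the two sides actually negotiated in the traces above, the NTLM header values can be decoded. The following is an added example, not code from the thread or from Apache2::AuthenNTLM: parse_ntlm_header, _secbuf, flag_names and the NTLM_FLAGS table are my own names (the flag names follow MS-NLMP), and the three header values are copied verbatim from the AuthenNTLM log and the wfetch trace above, so the output can be checked against the fields the module itself printed (host BSRW485, domain BOURSORAMA, the 8-byte nonce).

```python
import base64
import struct

# Subset of the NTLMSSP NEGOTIATE flag bits (names from MS-NLMP); covers every bit set in the
# messages on this page.
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE", 0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET", 0x00000010: "NEGOTIATE_SIGN",
    0x00000080: "NEGOTIATE_LM_KEY", 0x00000200: "NEGOTIATE_NTLM",
    0x00001000: "OEM_DOMAIN_SUPPLIED", 0x00002000: "OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN", 0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x20000000: "NEGOTIATE_128", 0x40000000: "NEGOTIATE_KEY_EXCH", 0x80000000: "NEGOTIATE_56",
}

def flag_names(flags):
    return [name for bit, name in sorted(NTLM_FLAGS.items()) if flags & bit]

def _secbuf(msg, at):
    # NTLM "security buffer": uint16 length, uint16 max length, uint32 offset (all little endian).
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, at)
    return msg[offset:offset + length]

def parse_ntlm_header(header):
    # Decodes the value of 'Authorization: NTLM <b64>' or 'WWW-Authenticate: NTLM <b64>'.
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header")
    msg = base64.b64decode(b64)
    if msg[:8] != b"NTLMSSP\0":
        raise ValueError("bad NTLMSSP signature")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == 1:  # Type 1 NEGOTIATE, client -> server: flags + OEM domain/workstation names
        flags = struct.unpack_from("<I", msg, 12)[0]
        return {"type": 1, "flags": flags, "flag_names": flag_names(flags),
                "domain": _secbuf(msg, 16).decode("latin-1"),
                "workstation": _secbuf(msg, 24).decode("latin-1")}
    if mtype == 2:  # Type 2 CHALLENGE, server -> client: carries the 8-byte nonce
        flags = struct.unpack_from("<I", msg, 20)[0]
        enc = "utf-16-le" if flags & 0x1 else "latin-1"
        return {"type": 2, "flags": flags, "flag_names": flag_names(flags),
                "target": _secbuf(msg, 12).decode(enc), "challenge": msg[24:32].hex()}
    return {"type": mtype}  # Type 3 AUTHENTICATE does not appear in the thread's logs

# Header values copied verbatim from the AuthenNTLM debug log and the wfetch trace above.
LOG_NEGOTIATE = "NTLM TlRMTVNTUAABAAAAB7IAoAoACgAnAAAABwAHACAAAABCU1JXNDg1Qk9VUlNPUkFNQT=="
LOG_CHALLENGE = "NTLM TlRMTVNTUAACAAAAAAAAACgAAAABggAATKTxD5J3fjQAAAAAAAAAAA=="
WFETCH_NEGOTIATE = "NTLM TlRMTVNTUAABAAAAl4II4AAAAAAAAAAAAAAAAAAAAAA="
```

parse_ntlm_header(LOG_NEGOTIATE) gives flags 0xA000B207 with workstation BSRW485 and domain BOURSORAMA, matching the module's own decode, while the wfetch client's Type 1 carries only flags and no names. The Type 2 from the server carries the nonce 4ca4f10f92777e34 that the client must answer on the same connection.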


In your Internet Options, do you have "Enable Integrated Windows Authentication" turned on? (From IE: select Internet Options, go to the Advanced tab, look for the option in the list.) If on, try with it off... if off, try with it on.

It was turned off. I tried with it on, but I still get "The Page Cannot Be Displayed". I also tried putting the site in the "Local intranet" zone, and it's the same problem.
I tested with IE 7: when I disabled the "Enable Integrated Windows Authentication" option I got the login/password prompt, but when I entered the login and password, I got the same error.
I don't understand why it doesn't work with MSIE.

I'm not sure... Note that after changing the "Enable Integrated Windows Authentication" option, you have to restart IE for it to take effect.

The only thing in the log that gives a clue is lines 13-14, which say it didn't get a header.

Try with only basic authentication, and see if it works that way. Then try with only NTLM, and see if that works.
I'm just guessing now, as I don't see anything wrong in the config...

I'm not too familiar with that... I saw this question because of the Perl topic area. Maybe an Apache or IE expert will know what is going on. Maybe post a pointer question in each of those topic areas (create 2 pointers, each in only 1 topic area). Hopefully that will get their attention.

OK, thank you for your help.

I found it: there was a line in the ssl.conf file,
'SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0'.
I commented it out, and it started to work correctly.
Thank you very much, Adam314.
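
Why that single line breaks IE: Apache applies the SetEnvIf regex to the User-Agent, and a match sets nokeepalive, so the connection is closed after each response and the NTLM Type 1/2/3 handshake, which has to stay on one TCP connection, never completes. The check below is an added example, not from the thread: SAMPLE_CONFIG is a constructed fragment built around the directive quoted above, the User-Agent strings are constructed values, find_keepalive_killers and ntlm_keepalive_ok are my own names, and Python's re module stands in for Apache's PCRE engine.

```python
import re
import shlex

# Constructed sample: the ssl.conf line quoted in the thread together with the KeepAlive
# settings of a typical apache2.conf. Not the asker's actual files.
SAMPLE_CONFIG = """\
KeepAlive On
KeepAliveTimeout 15
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
"""

# Constructed User-Agent strings for the check (assumed values, not taken from the page).
IE6_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
FIREFOX_UA = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0"

def find_keepalive_killers(config_text, user_agent):
    """Return (line number, directive) for every active directive that sets 'nokeepalive'
    for this User-Agent. Covers 'SetEnvIf User-Agent <regex> var ...' and the
    'BrowserMatch <regex> var ...' shorthand, which is SetEnvIf on User-Agent."""
    hits = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented out, which is exactly what the thread's fix did
        parts = shlex.split(line)
        if parts[0].lower() == "browsermatch" and len(parts) > 2:
            pattern, envvars = parts[1], parts[2:]
        elif parts[0].lower() == "setenvif" and len(parts) > 3 and parts[1].lower() == "user-agent":
            pattern, envvars = parts[2], parts[3:]
        else:
            continue
        if "nokeepalive" in envvars and re.search(pattern, user_agent):
            hits.append((lineno, line))
    return hits

def ntlm_keepalive_ok(config_text, user_agent):
    """NTLM needs the Type 1/2/3 exchange on one TCP connection, so KeepAlive must be On
    and nothing may switch it off for the browser in question."""
    keepalive_on = any(re.match(r"KeepAlive\s+On\b", l.strip(), re.I)
                       for l in config_text.splitlines())
    return keepalive_on and not find_keepalive_killers(config_text, user_agent)
```

With the sample as written, the check fails for IE6 and passes for Firefox, which is exactly the split the asker saw; commenting the SetEnvIf line out makes it pass for both.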

Now it works, but sometimes I get the login/password prompt. I don't know why; in the error log I have this:

SMB Server connection not open in state 3

I don't understand why the web server performs an authentication on every access to any page. Is there an AuthCookieNTLM module for Apache 2, or another module I can use to avoid this multiple authentication?

Thanks

I think the way it works with keep-alive is:
browser makes a connection to the server
server asks for username/password
browser asks for username/password, sends it to the server
browser asks for the first page
(browser/server do not disconnect)
browser asks for the second page
browser asks for the third page
....

If the browser waits long enough, the connection will be closed (this is the keep-alive timeout).
When the browser makes a new connection, it will have to start all over.

I also think the IE option "Enable Integrated Windows Authentication" allows IE to send the Windows login username/password. If this is the same password your web server uses, that will save users typing it in.

I don't know of any cookie module, though (doesn't mean there isn't one).

I don't know if I understood, but:
I changed the KeepAlive timeout to 3600
I changed the SSL session cache timeout to 3600
I checked "Enable Integrated Windows Authentication" in IE

Unfortunately, on the same page, when the browser loads the CSS or GIF files, I get the login/password prompt. But when I enter the right password, it's OK... but it's not SSO. :=)
It's weird, I always get this error message:

[error] SMB Server connection not open in state 3 for /boursorama-crm-web/images/logoBanque.gif
[error] SMB Server connection not open in state 3 for /boursorama-crm-web/js/calendar.js

Do you know what it means?
Maybe I must set another timeout or something else...

Unfortunately, I don't.
If it seems to be working for HTML files but not for GIF or JS files, look for a setting specific to those file types (either specific to HTML, or to GIF/JS).