ntlm authentification problem in ie6 with apache 2 on linux sarge

hello,

I need to authenticate my windows 2000 domain users on our web server. this server is configured with apache 2.0.54 on debian sarge.
I used the Apache2::AuthenNTLM perl module, because the mod_auth_ntlm  doesn't work.
I think i installed and configured successfully, but th authentication doesn't work with msie6.
When i try to test with firefox, i have the login/password prompt and after put the right  login/password it's work.
i test too, with the wfetch.exe windows utility, it's work too.
But when  i use ie6, first i haven't the login/password prompt and i have the "The Page Cannot Be Displayed" error page.
I think i missed something, but i don't know what.

could you help me, please?

regards
<Location "/" >
                Order Deny,Allow
                Allow from all
                PerlAuthenHandler Apache2::AuthenNTLM
                PerlAddVar ntdomain "boursorama bsrsvdctest"
                PerlSetVar splitdomainprefix 1
                PerlSetVar ntlmdebug 2
                PerlSetVar ntlmauthoritative on
                PerlSetVar defaultdomain boursorama
                PerlSetVar ntlmsemtimeout 10
                AuthType ntlm,basic
                AuthName "Private Area"
                require valid-user
</Location>

Open in new window

jfamoussouAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Adam314Commented:
Do you have keepalive turned off?  If so, that is the problem... you'll have to turn keepalive on, and restart apache.

If you have keepalive on, what info is in the log?
0
jfamoussouAuthor Commented:
thanks for you reply, but i already set keepalive to on. I attached the apache.conf and the virtual host conf.
below you can see the apache  info log.
thanks for your help

[Tue Feb 05 15:03:35 2008] [info] Connection to child 13 established (server pfrweb001.boursorama.fr:443, client 10.3.245.39)
[Tue Feb 05 15:03:35 2008] [info] Seeding PRNG with 136 bytes of entropy
[15583] AuthenNTLM: Start NTLM Authen handler pid = 15583, connection = 138988768 conn_http_hdr = Keep-Alive  main =  cuser =  remote_ip = 10.3.245.39 remote_port = 13365 remote_host = <> version = 0.02 smbhandle = 
[15583] AuthenNTLM: Setup new object
[15583] AuthenNTLM: Config Domain = boursorama  pdc = bsrsvdctest  bdc = 
[15583] AuthenNTLM: Config Default Domain = boursorama
[15583] AuthenNTLM: Config Fallback Domain = 
[15583] AuthenNTLM: Config AuthType = ntlm,basic AuthName = Private Area
[15583] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 1
[15583] AuthenNTLM: Config NTLMAuthoritative = on  BasicAuthoritative = on
[15583] AuthenNTLM: Config Semaphore key = 23754 timeout = 10
[15583] AuthenNTLM: Config SplitDomainPrefix = 1
[15583] AuthenNTLM: Authorization Header <not given>
[Tue Feb 05 15:03:35 2008] [error] Bad/Missing NTLM/Basic Authorization Header for /Accueil/
[Tue Feb 05 15:03:35 2008] [info] Connection to child 13 closed with standard shutdown(server pfrweb001.boursorama.fr:443, client 10.3.245.39)
[Tue Feb 05 15:03:35 2008] [info] Connection to child 76 established (server pfrweb001.boursorama.fr:443, client 10.3.245.39)
[Tue Feb 05 15:03:35 2008] [info] Seeding PRNG with 136 bytes of entropy
[15585] AuthenNTLM: Start NTLM Authen handler pid = 15585, connection = 140148040 conn_http_hdr = Keep-Alive  main =  cuser =  remote_ip = 10.3.245.39 remote_port = 13365 remote_host = <> version = 0.02 smbhandle = 
[15585] AuthenNTLM: Setup new object
[15585] AuthenNTLM: Config Domain = boursorama  pdc = bsrsvdctest  bdc = 
[15585] AuthenNTLM: Config Default Domain = boursorama
[15585] AuthenNTLM: Config Fallback Domain = 
[15585] AuthenNTLM: Config AuthType = ntlm,basic AuthName = Private Area
[15585] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 1
[15585] AuthenNTLM: Config NTLMAuthoritative = on  BasicAuthoritative = on
[15585] AuthenNTLM: Config Semaphore key = 23754 timeout = 10
[15585] AuthenNTLM: Config SplitDomainPrefix = 1
[15585] AuthenNTLM: Authorization Header NTLM TlRMTVNTUAABAAAAB7IAoAoACgAnAAAABwAHACAAAABCU1JXNDg1Qk9VUlNPUkFNQT==
[15585] AuthenNTLM: Got: 78 84 76 77 83 83 80 0 1 0 0 0 7 178 0 160 10 0 10 0 39 0 0 0 7 0 7 0 32 0 0 0 66 83 82 87 52 56 53 66 79 85 82 83 79 82 65 77 65
[15585] AuthenNTLM: protocol=NTLMSSP, type=1, flags1=7(NEGOTIATE_UNICODE,NEGOTIATE_OEM,REQUEST_TARGET), flags2=178(NEGOTIATE_ALWAYS_SIGN,NEGOTIATE_NTLM), domain length=10, domain offset=39, host length=7, host offset=32, host=BSRW485, domain=BOURSORAMA
[15585] handler type == 1 
[15585] AuthenNTLM: Connect to pdc = bsrsvdctest bdc =  domain = boursorama
[15585] AuthenNTLM: enter lock
[15585] AuthenNTLM: verify handle  smbhandle == 139124400 
[15585] AuthenNTLM: Send: 78 84 76 77 83 83 80 0 2 0 0 0 0 0 0 0 40 0 0 0 1 130 0 0 76 164 241 15 146 119 126 52 0 0 0 0 0 0 0 0
[15585] AuthenNTLM: charencoding = 1
[15585] AuthenNTLM: flags2 = 130
[15585] AuthenNTLM: nonce=L¤ñw~4
[15585] AuthenNTLM: Send header: NTLM TlRMTVNTUAACAAAAAAAAACgAAAABggAATKTxD5J3fjQAAAAAAAAAAA==
[15585] AuthenNTLM: verify handle = 1 smbhandle == 139124400 
[Tue Feb 05 15:03:35 2008] [info] Connection to child 76 closed with standard shutdown(server pfrweb001.boursorama.fr:443, client 10.3.245.39)
[Tue Feb 05 15:03:35 2008] [info] Connection to child 14 established (server pfrweb001.boursorama.fr:443, client 10.2.53.252)
[Tue Feb 05 15:03:35 2008] [info] Seeding PRNG with 136 bytes of entropy

Open in new window

apache2.conf.txt
crm.txt
0
jfamoussouAuthor Commented:
I add the wfetch log, maybe it can help.
started....
Reusing existing connection (source port 1989)\n
SEC_I_CONTINUE_NEEDED - InitializeSecurityContext\n
REQUEST: **************\n
GET / HTTP/1.1\r\n
Host: pfrweb001\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
Authorization: NTLM TlRMTVNTUAABAAAAl4II4AAAAAAAAAAAAAAAAAAAAAA=\r\n
\r\n
RESPONSE: **************\n
HTTP/1.1 200 OK\r\n
Date: Tue, 05 Feb 2008 15:16:13 GMT\r\n
Server: Apache/2.0.54 (Debian GNU/Linux) mod_auth_kerb/5.0-rc6 mod_ssl/2.0.54 OpenSSL/0.9.7e mod_jk/1.2.19 mod_perl/2.0.2 Perl/v5.8.4\r\n
Last-Modified: Fri, 20 Jan 2006 11:26:48 GMT\r\n
ETag: "129148-9d4-8e8a2e00"\r\n
Accept-Ranges: bytes\r\n
Content-Length: 2516\r\n
Keep-Alive: timeout=180\r\n
Connection: Keep-Alive\r\n
Content-Type: text/html\r\n
\r\n
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"\n
"http://www.w3.org/TR/html4/loose.dtd">\n
<html>\n
\t<head>\n
\t\t<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">\n
\t\t<title>Boursorama CRM</title>\n
\t\t\n
\t\t<link rel="stylesheet" type="text/css" href="feuille.css">\n
\t</head>\n
\t<body>\n
<!-- Debut bandeau -->\n
<form name="" action="" method="">\n
<input type="hidden" name="typeAction" value=""/> \n
\t<div class="barreTitre">\n
\t\t<table cellpadding="0" cellspacing="0" width="100%">\n
\t\t\t<tr>\n
\t\t\t\t<td rowspan="2" width="15%"><a href="/"><img src="logoBanque.gif"></a></td>\n
\t\t\t\t<td rowspan="2" width="52%" valign="top">\n
\t\t\t\t<!-- D}but menu -->\n
\t\t\t\t\t<div id="menu">\n
\t\t\t\t\t\t<dl>\n
\t\t\t\t\t\t\t  <dt onmouseover=""><a href="/boursorama-crm-web/"><b>CRM</b></a></dt>\n
\t\t\t\t\t\t\t  \t<dd id="smenu1" onmouseover="" onmouseout= "">\n
\t\t\t\t\t\t\t\t\t<ul>\n
\t\t\t\t\t\t\t\t\t  \n
\t\t\t\t\t\t\t\t\t  \n
\t\t\t\t\t\t\t\t\t  \n
\t\t\t\t\t\t\t\t\t  \n
\t\t\t\t\t\t\t\t\t  \n
\t\t\t\t\t\t\t\t\t</ul>\n
\t\t\t\t\t\t\t\t</dd>\n
\t\t\t\t\t\t</dl>\n
\t\t\t\t\t\t<dl>\n
\t\t\t\t\t\t\t  <dt onmouseover=""><a href="/risk/"><b>RISK</b></a></dt>\n
\t\t\t\t\t\t\t  \t<dd id="smenu2" onmouseover="" onmouseout= "">\n
\t\t\t\t\t\t\t\t\t<ul>\n
\t\t\t\t\t\t\t\t\t  \t\t\t\t\t\t\t\n
\t\t\t\t\t\t\t\t\t  \n
\t\t\t\t\t\t\t\t\t  \n
\t\t\t\t\t\t\t\t\t</ul>\n
\t\t\t\t\t\t\t\t</dd>\n
\t\t\t\t\t\t</dl>\n
\t\t\t\t\t\t<dl>\n
\t\t\t\t\t\t\t  <dt onmouseover=""><a href="/gdesktop/"><b>CTI</b></a></dt>\n
\t\t\t\t\t\t\t  <dd id="smenu3" onmouseover="" onmouseout= "">\n
\t\t\t\t\t\t\t\t<ul>\n
\t\t\t\t\t\t\t\t  \n
\t\t\t\t\t\t\t\t  \n
\t\t\t\t\t\t\t\t  \n
\t\t\t\t\t\t\t\t</ul>\n
\t\t\t\t\t\t\t  </dd>\n
\t\t\t\t\t\t</dl>\n
\t\t\t\t\t\t<dl>\n
\t\t\t\t\t\t\t  <dt onmouseover=""><a href="https://directory/"><b>Annuaire</b></a></dt>\n
\t\t\t\t\t\t\t  <dd id="smenu4" onmouseover="" onmouseout= "">\n
\t\t\t\t\t\t\t\t<ul>\n
\t\t\t\t\t\t\t\t  \n
\t\t\t\t\t\t\t\t  \n
\t\t\t\t\t\t\t\t  \n
\t\t\t\t\t\t\t\t  \n
\t\t\t\t\t\t\t\t</ul>\n
\t\t\t\t\t\t\t  </dd>\n
\t\t\t\t\t\t</dl>\n
\t\t\t\t\t\t<dl>\n
\t\t\t\t\t\t\t  <dt onmouseover=""><a href="https://intranet/webmail/"><b>WebMail</b></a></dt>\n
\t\t\t\t\t\t\t  <dd id="smenu5" onmouseover="" onmouseout= "">\n
\t\t\t\t\t\t\t\t<ul>\n
\t\t\t\t\t\t\t\t  \n
\t\t\t\t\t\t\t\t</ul>\n
\t\t\t\t\t\t\t  </dd>\n
\t\t\t\t\t\t</dl>\n
\t\t\t\t  </div>\n
\t\t\t\t  <!-- fin menu -->\n
\t\t\t\t</td>\n
\t\t\t\t<td width="29%" align="right" valign="top">Aller &agrave;:\n
\t\t\t      <input name="" type="text">\n
\t\t\t      <input type="submit" name="" value="Ok">\n
\t\t\t  </td>\n
\t\t\t</tr>\n
\t\t\t<tr>\n
\t\t\t\t<td align="right"></td>\n
\t\t\t</tr>\n
\t\t</table>\n
</div>\n
</form>\n
\n
<!-- fin bandeau -->\n
<!-- D}but contenu de la page -->\n
\n
<div class="principale">\n
    </td>\n
    </tr>\n
    </table>\n
    <table width="99%" border=0 cellpadding="0" cellspacing="0">\n
      <tr height="500" valign="center">\n
        <td align="center" height="100%"><H1>Boursorama</H1></td>\n
      </tr>\n
    </table>\n
</div>\n
\n
\n
\n
\n
<!-- fin contenu de la page-->\n
</body>\n
</html>\n
finished.

Open in new window

0
Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

Adam314Commented:
In your internet options, do you have "Enable integrated windows authentication" turned on?  (From IE: select internet options, go to the advanced tab, look for the option in the list).  If on, try with it off... if off, try with it on.
0
jfamoussouAuthor Commented:
it was turned off. I try with it on , but i always have the "The Page Cannot Be Displayed". And try to put the site in the "intranet local" and it's the same problem.
I tested whith ie 7, when i disabled "Enable integrated windows authentication" option i have the login/password prompt, but when i put the login and password, i have the same error.
I don't understand, why it doesn't work with msie.
0
Adam314Commented:
I'm not sure...  Note that after changing the "enable integrated windows authentication" option, you have to restart IE for it to take effect.

The only thing in the log that gives a clue is lines 13-14, which says it didn't get a header.

Try with only basic authentication, and see if it works that way.  Then try with only ntlm, and see if that works.
I'm just guessing now, as I don't see anything wrong in the config...
0
jfamoussouAuthor Commented:
yes, there is a half of light.... it works with "basic". But it doesn't work with "ntlm".
with basic, i have the prompt login/password and works when i put a good login/password.
But with ntlm only, i have "The Page Cannot Be Displayed" again.
so I can't use SSO, with ntlm?
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Adam314Commented:
I'm not to familiar with that... I saw this question because of the Perl topic area.  Maybe an Apache or IE expert will know what is going on.  Maybe post a pointer question in each of those topic areas (create 2 pointers, each in only 1 topic area).  Hopefully that will get their attention.
0
jfamoussouAuthor Commented:
Ok, thank you for your help
0
jfamoussouAuthor Commented:
I found it, there was in the ssl.conf file a line
'SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
downgrade-1.0 force-response-1.0'.  I commented it out, and it started to
work correctly.
Thank you very much adam314

now, it's works but , sometimes the login/password  prompt. I don't know why in the error, ihave this:

 SMB Server connection not open in state 3

i don't understand why every access to any pages, the web server make an authentification. Is there a authCookientlm module for apache2? or other module i can use to avoid this multiple autentication.

thanks
0
Adam314Commented:
I think the way it works with keep-alive is:
browser makes a connection to server
server asks for username/password
browser asks for username/password, sends to server
browser asks for first page
(browser/server do not disconnect)
browser asks for second page
browser asks for third page
....

If browser waits long enough, the connection will be closed (this is the keep-alive timeout)
When the browser makes a new connection, it will have to start all over.

I also think the IE option "enable integrated windows authentication" allows IE to send the windows login username/password.  If this is the same password your webserver uses, that will save users typing it in.

I don't know of any cookie module though (doesn't mean there isn't one).  
0
jfamoussouAuthor Commented:
i don't knox if i understood, but :
i change the keepalive timeout to 3600
i change the ssl session cache timeout to 3600
i checked the "enable integrated windows authentication" in IE

Unfortunately at the same page, when the brower load css or gif, i have the login/password prompt. But when i put the right password, it's ok ... but it's not sso. :=)
it's weird, i always have this error message :

[error] SMB Server connection not open in state 3 for /boursorama-crm-web/images/logoBanque.gif
[error] SMB Server connection not open in state 3 for /boursorama-crm-web/js/calendar.js

do you what does it mean?
maybe i must set another timeout or something else...
0
Adam314Commented:
Unfortunately, I don't.
If it seems to be working for html files, but not gif or js files, look for a setting specific to those file types (either specific to html, or gif/js).
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Browsers

From novice to tech pro — start learning today.