Single Sign-On with Apache and Active Directory – Part 1

This HowTo will describe how to setup single sign-on authentication with Apache and Microsoft Active Directory. Most of you are probably aware that there is no default/built-in support for automatically authenticating to an Apache web server using the NTLM header information passed from the web browser (in most cases Microsoft Internet Explorer) to the Web Server. Microsoft IIS of course supports this out of the box but who wants to use IIS? There are as I have found 3 major solutions for achieving this and I will outline which I picked and why.

First I’ll start by explaining which solution I selected and why. There are 3 major solutions for this which are mod_ntlm, mod_auth_kerb and Apache2:AuthenNTLM. I have chosen Apache2:AuthenNTLM. Now as for the why…I bypassed mod_auth_kerb instantly after reading that it required a working winbind setup. Keep in mind that I am looking for an easy quick setup, and configuring winbind first does not fall into that realm of a quick and easy setup. Next I tried mod_ntlm which seemed to be very easy to setup and worked well. But there was one catch…If the browser did not send the NTLM information or correct NTLM information¹ the user had to login with the username in the form of DOMAIN\username. In my experience with applications already in place they did not require this form of DOMAIN\username. This could be resolved if you could specify the default domain in mod_ntlm which you cannot. Reading the documentation for Apache2:AuthenNTLM you could specify the default domain as well as many other options that are not available in mod_ntlm. Configuration proved to be a little tricky, but if it weren’t I wouldn’t be writing this HowTo. Now as you may have noticed from the naming syntax of Apache2:AuthenNTLM that it is indeed a perl module. Now as we are using Apache2:AuthenNTLM it will require mod_perl2 which is not included with CentOS4 or RHEL4.

Now for the HowTo:

1) Start by installing Apache and mod_perl by issuing the following commands:

shell> yum install httpd
shell> wget http://sivel.net/repo/i386/mod_perl-2.0.3-1.el4.sn.i386.rpm
shell> rpm -Uvh mod_perl-2.0.3-1.el4.sn.i386.rpm

2) Next we need to install the Apache2:AuthenNTLM module

shell> wget http://sivel.net/repo/i386/perl-Apache2-AuthenNTLM-0.02-1.el4.sn.i386.rpm
shell> rpm -Uvh perl-Apache2-AuthenNTLM-0.02-1.el4.sn.i386.rpm

3) Now we need to configure Apache to use Apache2:AuthenNTLM

shell> cd /etc/httpd/conf.d
shell> touch ntlm.conf
shell> vi ntlm.conf

• Add the following information:

<location
 
/
directory
>
 # Change this to the directory you wish to protect.  Can be /
PerlAuthenHandler Apache2::AuthenNTLM
AuthType ntlm,basic
AuthName Basic
require valid-user
#                    domain  pdc  bdc
PerlAddVar ntdomain "DOMAIN  dc1  dc2" # Change DOMAIN to the netbios name of your domain.  Change dc1 and dc2 to the hostnames of the domain controllers for your domain.  dc2 is not required if your setup does not have a dc2.
PerlSetVar defaultdomain DOMAIN # Change DOMAIN to the netbios name of your domain
PerlSetVar splitdomainprefix 1

</location>

shell> vi /etc/httpd/conf/httpd.conf
Find ‘KeepAlive Off’ and change it to ‘KeepAlive On’

4) Now we need to modify /etc/resolv.conf

shell> vi /etc/resolv.conf

• We need to make sure that it looks like the following:

search domain.lan
nameserver 10.0.0.1
nameserver 10.0.0.2

• Where domain.lan is your Active Directory domain name and the nameservers are the name servers for your Active Directory (usually the domain controllers)

5) Let’s start Apache

shell> /etc/init.d/httpd start

6) Let’s setup a simple test page that will utilize the server environment variable that AuthenNTLM sets.

shell> cd /path/set/in/step/3
shell> touch index.php
shell> vi index.php

• Insert the following information:

<? php
echo "You have logged in as <b>" . $_SERVER [ 'REMOTE_USER' ] . "</b>;" ;
?>

• If you do not see your username then you don’t have something in step 3 setup correctly. If you get a login prompt check the footnotes below.

Part 2

Footnotes
1. Getting a login prompt can be caused by using Firefox with the default configuration, not being logged on in the domain that you are attempting to authenticate against, or not having the site listed in the Local Intranet security zone in Internet Explorer. Or worst of all you could have mis configured something in step 3. You can turn on debug information by adding ‘PerlSetVar ntlmdebug 2′ to step 3. Debugging will log to /var/log/httpd/error_log.