

"Keep it real, or just KeepAlive for NTLM"
2003-09-24, 15:00:00


I am upgrading one of my web servers here at work. They run Apache 1.3.2x under Windows 2000. Since we're a Microsoft shop we run Active Directory, so for convenience we need to use our NT domain sign-ins for authentication against the resources on the sites I maintain.

Easier said than done!


There used to be a site called syneapps.com, run by Tim Costello, that offered a module for Apache 1.3.x under Windows NT/2K called mod_ntlm, which did the authentication for you. Unfortunately, since then his site has disappeared from the face of the earth and that resource has dried up. He even had one for Apache 2, mod_auth_sspi.

Good thing I have a copy of mod_ntlm, huh? (Wish I had mod_auth_sspi, though...) Well, so I thought. I've been using mod_ntlm on our intranet for quite a while for the authentication, but time came to upgrade one of my servers from PHP 4.0.6 (!) to 4.3.2 with Turck MM Cache 2.4.0 yesterday. I did the upgrade and fixed the scripts that were broken in the process, then tried to turn on mod_ntlm and test that I was being passed the user name.

What'd I get for my trouble? 400 Bad Request.

Huh?!


Of course, I started to look at the configuration of both servers. I turned off PHP, and it still gave me the finger, so that wasn't it. This led me to look into the httpd.conf files of both servers for the solution, and being me, I found it.

NTLM authentication is a challenge-response exchange. Because of this, a request has a negotiation phase before the requested content is sent. It'd be nice if the channel stayed open to send the content on after the server makes its negotiation request, right?

Well, that's where these lines in the configuration file make all the difference:

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On

I had KeepAlive set to Off. Essentially, as I understand it (and correct me if I'm wrong), I ask for a page, the server says, "sure, tell me your NT account name," and my machine takes its response as a brand-new, malformed request for basic authentication and sends something unintelligible back. The server doesn't understand, and voila, bad request.

Set KeepAlive to On, and everything is handled as one fluid connection, everything is understood, no broken communications throughout the negotiation.
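To make the "one fluid connection" point concrete, here is a small simulation of the three-message NTLM handshake over HTTP, added here for illustration; it is not code from this post, from mod_ntlm or from Apache. NTLM over HTTP binds the server's challenge to the TCP connection it was issued on, so the toy server below keeps its outstanding challenge per connection and the toy client either reuses one connection (KeepAlive On) or opens a new one for every request (KeepAlive Off). The message markers, the account store and the "400 when no challenge is outstanding" response are constructed assumptions chosen to mirror the symptom described above; the keyed hash stands in for the real NTLM response computation.

```python
"""Toy model of HTTP NTLM auth and why it needs a persistent connection.

Constructed for illustration: not Apache, mod_ntlm or mod_auth_sspi code,
and no real NTLM cryptography. Framing is reduced to a marker prefix.
"""
import base64
import hashlib
import hmac
import itertools
import secrets

# Constructed markers standing in for the NTLM Type 1/2/3 message headers.
NEGOTIATE = b"NTLMSSP\x00\x01"
CHALLENGE = b"NTLMSSP\x00\x02"
AUTHENTICATE = b"NTLMSSP\x00\x03"


def b64(raw):
    return base64.b64encode(raw).decode("ascii")


def toy_response(challenge, secret):
    # Stand-in for the real NTLM response computation; the demo is about
    # connection binding, not the cipher, so a keyed hash is enough.
    return hmac.new(secret.encode(), challenge, hashlib.sha256).digest()


class NtlmServer:
    """Server side: the challenge is bound to the connection it was issued on."""

    def __init__(self, users):
        self.users = users    # user -> secret (toy account store)
        self.pending = {}     # conn_id -> challenge outstanding on that connection

    def close(self, conn_id):
        # A dropped connection takes its half-finished handshake with it.
        self.pending.pop(conn_id, None)

    def handle(self, conn_id, authorization):
        """Return (status, headers, body) for one request on connection conn_id."""
        if authorization is None:
            return 401, {"WWW-Authenticate": "NTLM"}, ""
        scheme, _, token = authorization.partition(" ")
        if scheme != "NTLM":
            return 400, {}, "Bad Request: unexpected auth scheme"
        try:
            blob = base64.b64decode(token, validate=True)
        except ValueError:
            return 400, {}, "Bad Request: malformed token"
        if blob.startswith(NEGOTIATE):
            challenge = secrets.token_bytes(8)
            self.pending[conn_id] = challenge
            return 401, {"WWW-Authenticate": "NTLM " + b64(CHALLENGE + challenge)}, ""
        if blob.startswith(AUTHENTICATE):
            challenge = self.pending.pop(conn_id, None)
            if challenge is None:
                # Type 3 arrived on a connection that never saw a Type 2: nothing to verify against.
                return 400, {}, "Bad Request: no challenge outstanding on this connection"
            user_b, _, response = blob[len(AUTHENTICATE):].partition(b"\x00")
            user = user_b.decode("utf-8", "replace")
            secret = self.users.get(user)
            if secret is not None and hmac.compare_digest(response, toy_response(challenge, secret)):
                return 200, {}, "REMOTE_USER=" + user
            return 401, {"WWW-Authenticate": "NTLM"}, ""
        return 400, {}, "Bad Request: unknown message type"


class Client:
    """Client side: with keep_alive=False every request opens a fresh connection."""

    def __init__(self, server, keep_alive):
        self.server = server
        self.keep_alive = keep_alive
        self._ids = itertools.count(1)
        self.conn = next(self._ids)
        self.connections_used = 1

    def _before_next_request(self):
        if not self.keep_alive:
            self.server.close(self.conn)
            self.conn = next(self._ids)
            self.connections_used += 1

    def fetch(self, user, secret):
        """Run the three-step handshake; return (status, body)."""
        status, headers, body = self.server.handle(self.conn, None)
        if status != 401 or headers.get("WWW-Authenticate") != "NTLM":
            return status, body
        self._before_next_request()
        status, headers, body = self.server.handle(self.conn, "NTLM " + b64(NEGOTIATE))
        if status != 401:
            return status, body
        token = headers["WWW-Authenticate"].split(" ", 1)[1]
        challenge = base64.b64decode(token)[len(CHALLENGE):]
        self._before_next_request()
        type3 = AUTHENTICATE + user.encode() + b"\x00" + toy_response(challenge, secret)
        status, headers, body = self.server.handle(self.conn, "NTLM " + b64(type3))
        return status, body


def run(keep_alive, secret="toy-secret"):
    """Drive one fetch against a fresh server; return (status, body, connections_used)."""
    server = NtlmServer({"CORP\\alice": "toy-secret"})
    client = Client(server, keep_alive)
    status, body = client.fetch("CORP\\alice", secret)
    return status, body, client.connections_used


if __name__ == "__main__":
    for ka in (True, False):
        print("KeepAlive", "On " if ka else "Off", "->", run(ka))
```

With keep-alive the whole exchange rides on connection 1 and ends in 200; without it the Type 3 message lands on connection 3, where the server has no challenge to check it against, and the request is rejected. Anything that breaks connection affinity (a closed connection, or a proxy or load balancer that re-dispatches each request) produces the same failure.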

This only took me four hours of my day to figure out. However, I've also been told that this is equally a problem for mod_auth_smb, mod_ntlm, etc., for Unix - be sure to set KeepAlive On for NT domain authentication under Apache, period!
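As a quick sanity check for the rule just stated, the following script flags an httpd.conf that loads an NTLM, SSPI or SMB authentication module while leaving KeepAlive Off, and rewrites the offending line. It is an added example, not part of this post or of any of the modules named; the sample configuration excerpt is constructed, and "AuthType NTLM" and the LoadModule spelling are assumptions about how the module is wired in.

```python
import re

# Constructed httpd.conf excerpt, not the author's file. The LoadModule line and
# "AuthType NTLM" are assumed spellings for the mod_ntlm setup the post describes.
SAMPLE_CONF = """\
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
KeepAlive Off
LoadModule ntlm_module modules/mod_ntlm.so
<Location /intranet>
    AuthType NTLM
    require valid-user
</Location>
"""

# Module or auth-type names that imply a connection-bound challenge-response.
DOMAIN_AUTH_MARKER = re.compile(r"ntlm|sspi|smb", re.IGNORECASE)


def parse_directives(conf):
    """Yield (name, value) per directive line. Names are lowercased because Apache
    treats them case-insensitively; comment lines and section tags are skipped."""
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        name, _, value = line.partition(" ")
        yield name.lower(), value.strip()


def check_keepalive(conf):
    """Return a list of findings; an empty list means KeepAlive is consistent with the auth setup."""
    directives = list(parse_directives(conf))
    auth_values = [v for n, v in directives if n in ("loadmodule", "authtype")]
    uses_domain_auth = any(DOMAIN_AUTH_MARKER.search(v) for v in auth_values)
    keepalive = [v.lower() for n, v in directives if n == "keepalive"]  # last one wins
    findings = []
    if uses_domain_auth and not keepalive:
        findings.append("domain auth module configured but KeepAlive is not set explicitly; add 'KeepAlive On'")
    elif uses_domain_auth and keepalive[-1] != "on":
        findings.append("domain auth module configured but effective KeepAlive is '%s'; set 'KeepAlive On'" % keepalive[-1])
    return findings


def fix_keepalive(conf):
    """Rewrite every 'KeepAlive Off' directive line to 'KeepAlive On', leaving comments untouched."""
    return re.sub(r"(?im)^([ \t]*keepalive[ \t]+)off[ \t]*$", r"\1On", conf)


if __name__ == "__main__":
    for finding in check_keepalive(SAMPLE_CONF):
        print("FINDING:", finding)
    print(fix_keepalive(SAMPLE_CONF))
```

The check only complains when a domain-authentication module is actually present, so a plain static site with KeepAlive Off is left alone; the rewrite touches directive lines only, so the explanatory comment block above the directive survives intact.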


Some quick notes:

  • If you need mod_ntlm, ask me and I'll send you a copy of it.
  • I wholeheartedly recommend Turck MM Cache for Unix and Windows. It's been great to me, and the support provided by the author is top-notch. He's a great programmer and very responsive, and cares about his product. I only wish I could offer him some commercial support incentive.
  • If you're Tim Costello and not planning on bringing syneapps.com back, would you be willing to let me host mod_ntlm and mod_auth_sspi and forums for their use, any documentation you have on them, etc.?


