A fortune cookie slip



"Turning off authentication in Apache, mod_ntlm style"
2004-10-19, 10:15:00


Today I worked on a small problem that wasn't really a problem, but bothered me: with mod_ntlm and Apache under Windows (Windows 2000, in this case), every file access was taking three tries to get the file! Two accesses came back 401: Authorization Required before the access credentials were sent (and the third then either returned the file or gave a 304: Not Modified so the cached version was used).

Sure, it's a little intranet site, so it's fast; files go across quickly. So what if it takes three tries because of NTLM access? Well, first of all, it uses up connections in the server. Memory utilization goes up, responsiveness goes down. Also, we keep a lot of connections to the domain controllers open to do the authorization for things that don't need it, like image files, JavaScript files and stylesheets. What a waste!

Anyway, around here, we're cheap. If I optimize then maybe I don't have to scrounge another hardware upgrade.


The problem comes from how Apache applies authentication settings down the directory structure. Basically, if you set up authentication for one directory, then every subdirectory has the same access credential settings. You can't explicitly turn it off, which to me is considerable suckage.

However, what you can do is change the authentication mechanism. This turns out to be surprisingly helpful.

For example, in my intranet site directory, I set up an .htaccess file that has the following restrictions:

AuthType NTLM
NTLMAuth On
NTLMAuthoritative On
NTLMOfferBasic Off

require valid-user

This turns on NTLM authentication, makes it authoritative and doesn't allow basic authentication (which I use for other things) to bleed through and be used if both hold sway for some reason. Finally, any valid user on the domain is allowed access, although I could restrict this by group or just to certain users, as with any other normal HTTP authentication scheme.

This was what was causing the problems with images and files, though. This is fine for content and scripts, but why use authentication just to see images? That needlessly slows down load times for users and increases the stress on the server.

What I ended up doing, in the .htaccess file for the directories holding those files, was telling the server that I allow anybody to come in.

AuthType NTLM
NTLMAuth Off

satisfy any

Basically, this says I am still using NTLM (you have to specify some authentication scheme - you can't leave it out, else your parent directory's authentication scheme takes over), but I don't want to use it. Finally, I tell it to satisfy any of these conditions. Just turning NTLM off without satisfy any caused a 500: Internal Server Configuration Error response to all the requests in the affected directories, probably because mod_ntlm expects the additional satisfaction information in the .htaccess file but didn't see it, so it threw an error.
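Because .htaccess settings carry down to every subdirectory, the satisfy any override opens everything below the directory it sits in, not just the images. The Python sketch below is an added example, not code from the original post; it walks a document root and lists the non-asset files that end up in unauthenticated directories. The sample tree, the file names and the list of asset extensions are constructed assumptions, and only Satisfy lines in .htaccess files are modelled.

```python
import os
import re
import tempfile

STATIC_EXT = {".png", ".gif", ".jpg", ".css", ".js", ".ico"}  # assumed asset types
SATISFY = re.compile(r"^\s*satisfy\s+(\w+)", re.IGNORECASE | re.MULTILINE)

def open_dirs(docroot):
    """Map each directory where Satisfy Any applies to its non-static files.
    Simplified model (assumption): only Satisfy lines in .htaccess are read and a
    directory without one inherits its parent's; server config is ignored.
    """
    docroot = os.path.abspath(docroot)
    effective, report = {}, {}
    for path, _dirs, files in os.walk(docroot):  # top-down, parents first
        setting = effective.get(os.path.dirname(path), "all")
        if ".htaccess" in files:
            with open(os.path.join(path, ".htaccess")) as fh:
                found = SATISFY.findall(fh.read())
            if found:
                setting = found[-1].lower()
        effective[path] = setting
        if setting == "any":
            report[os.path.relpath(path, docroot)] = sorted(
                f for f in files if f != ".htaccess"
                and os.path.splitext(f)[1].lower() not in STATIC_EXT)
    return report

def build_sample(root):
    """Constructed sample tree mirroring the two .htaccess files in the post."""
    layout = {
        ".htaccess": "AuthType NTLM\nNTLMAuth On\nNTLMAuthoritative On\n"
                     "NTLMOfferBasic Off\n\nrequire valid-user\n",
        "index.php": "",
        "images/.htaccess": "AuthType NTLM\nNTLMAuth Off\n\nsatisfy any\n",
        "images/logo.png": "",
        "images/old/report.xls": "",  # no .htaccess here: inherits from images/
    }
    for rel, body in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for d, names in open_dirs(tmp).items():
            print(d, "->", names or "static assets only")
```

An empty list for a directory means only asset files are served without credentials there; any file name that does appear is reachable by anyone who can reach the server.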

All in all, a win! I can turn off authentication after all!


So what'd I get for it? My logs don't grow so quickly, which is a (small) benefit. The page, with about 40 images, loads about a second faster, which means a lot to me. Best of all, I have some control so I can publish content outside the site if I want to.

However, I suspect that this will work with other authentication schemes. I need to check it out and see if that is the case. Home is an Apache under Linux model, so it gives me a good laboratory for such experiments.


