mod_auth_ntlm_winbind is a project coming out of the wonderful world of Samba. Basically, mod_auth_ntlm_winbind has taken the reins from Mod_NTLM because the Samba developers are probably the most qualified to do so :)
It's not a 5 second answer: the configuration is involved out of necessity, but it does work.
The fine print: mod_auth_ntlm_winbind does not work over HTTPS. You need to header redirect users to HTTP for authentication, and then header redirect them back to HTTPS.
The mod_auth_kerb information is incomplete; people are encouraged to contribute to this area. See the links below for more information.
The fine print: mod_auth_kerb requires you to set up an AD user account with ticket delegation authority for each HTTP domain (e.g. if there are 10 domains on the web server, you will need to set up 10 user accounts).
More information on mod_auth_kerb is available at the project website http://modauthkerb.sourceforge.net/
Here's an example of how to achieve seamless authentication in DokuWiki by using mod_auth_kerb and adLDAP: http://www.dokuwiki.org/auth:ad
mod_auth_sspi can provide seamless authentication for Apache on Windows. It's relatively undocumented though and we haven't tried it, so please refer to http://mod-auth-sspi.sourceforge.net/ for more information.
This configuration is working for me: mod_auth_sspi v1.0.4, Apache v2.2.16 with SSL (I'm using HTTPS), PHP 5.3.3.
<Directory "path_to_site">
    Order deny,allow
    Allow from all
    AuthName "Intranet"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIOfferBasic On
    #BEGIN VERY IMPORTANT prevents IE from dropping post requests
    SSPIPerRequestAuth On
    #END VERY IMPORTANT
    require valid-user
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
The webserver needs to be connected to the domain.
Remove anonymous access from the directory with the IIS management console; the username is available in $_SERVER["LOGON_USER"].
Note that Windows Server 2008 (including R2) does not come with Windows Authentication enabled by default. It has to be added as a Role Service from the Windows Server Manager.
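One way to consume the server-set username in PHP, as an added example (not part of the original page or of adLDAP): it reads `LOGON_USER` (IIS) or `REMOTE_USER` (the variable Apache authentication modules populate), accepts only the `DOMAIN\user` or `user@REALM` forms, and checks the domain against an allow-list. The function name, `ALLOWED_DOMAINS` and the sample values are assumptions, and PHP 7.1 or later is assumed.

```php
<?php
// Added example. ALLOWED_DOMAINS is a constructed placeholder: list your own
// NetBIOS domain name and DNS realm here, in upper case.
const ALLOWED_DOMAINS = ['EXAMPLE', 'EXAMPLE.LOCAL'];

/**
 * Resolve the account the web server authenticated for this request.
 * Returns ['domain' => ..., 'user' => ...], or null when the request is
 * anonymous, the value is malformed, or the domain is not allow-listed.
 */
function seamless_identity(array $server): ?array
{
    // IIS sets LOGON_USER; Apache authentication modules set REMOTE_USER.
    $raw = $server['LOGON_USER'] ?? $server['REMOTE_USER'] ?? '';
    if (!is_string($raw) || $raw === '') {
        return null; // anonymous access still enabled, or auth not configured
    }

    // Name part: no backslash, slash, '@' or control characters.
    $name = '[^\\\\/@\x00-\x1f]{1,104}';
    if (preg_match('#^([A-Za-z0-9._-]{1,64})\\\\(' . $name . ')$#D', $raw, $m)) {
        list($domain, $user) = [$m[1], $m[2]];   // DOMAIN\user
    } elseif (preg_match('#^(' . $name . ')@([A-Za-z0-9._-]{1,255})$#D', $raw, $m)) {
        list($domain, $user) = [$m[2], $m[1]];   // user@REALM
    } else {
        return null; // bare or malformed name: no domain to verify
    }

    // Only accept accounts from the domains this application expects.
    if (!in_array(strtoupper($domain), ALLOWED_DOMAINS, true)) {
        return null;
    }
    // Windows account names are case-insensitive; normalise for lookups.
    return ['domain' => strtoupper($domain), 'user' => strtolower($user)];
}

// Constructed sample inputs (not captured from a real server).
$samples = [
    ['LOGON_USER'  => 'EXAMPLE\\JSmith'],       // IIS, down-level name
    ['REMOTE_USER' => 'jsmith@EXAMPLE.LOCAL'],  // Apache, user@REALM
    ['REMOTE_USER' => 'OTHER\\jsmith'],         // domain not allow-listed
    ['LOGON_USER'  => ''],                      // anonymous access left on
];
foreach ($samples as $s) {
    var_dump(seamless_identity($s));
}
```

In an application, pass `$_SERVER` to the function and treat a `null` result as unauthenticated rather than falling back to any client-supplied username.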
Seamless authentication with Apache on Windows can be achieved with mod-auth-sspi.
IIS and NTLM authentication “just work”. If _you_ can't skin the cat, find someone else to do it for you. This was really a round-about solution until mod_auth_ntlm_winbind was released.
This is a basic breakdown. Although most people wouldn't use it in production anymore, it's an interesting way of doing authentication.
Mod_NTLM works, but only some of the time when you're using it in a Windows 2000 or above environment, although it probably works quite well for NT4. There's some issue that prevents it working _every_ time, and when it doesn't authenticate correctly, the user gets a username/password/domain login dialogue. The user keeps putting in their password and you start getting account lockouts, and even when you unlock it you may still not get them in. This may not be Mod_NTLM's fault; I (scott) suspect it's some problem caused by Internet Explorer's header authentication changing between versions, but either way it's not something you could put in production.
The Mod_NTLM project appears to be deprecated by mod_auth_ntlm_winbind.
Mod_NTLM is available at http://modntlm.sourceforge.net.