adLDAP - LDAP authentication with PHP for Active Directory


mod_auth_ntlm_winbind is a project coming out of the wonderful world of Samba. Basically mod_auth_ntlm_winbind has taken the reins for Mod_NTLM because they're probably the most qualified to do so :)

It's not a 5-second answer: the configuration is involved out of necessity, but it does work.

  1. Install Samba 3, Kerberos, SSL (just use apt/up2date/yum/emerge etc)

The fine print: mod_auth_ntlm_winbind does not work over HTTPS. You need to header-redirect users to HTTP for authentication, and then header-redirect them back to HTTPS.


mod_auth_kerb information is incomplete; people are encouraged to contribute to this area. See the links below for more information.

  1. Install Kerberos, SSL (just use apt/up2date/yum/emerge etc)
  2. Configure Kerberos
  3. Setup mod_auth_kerb

The fine print: mod_auth_kerb requires you to set up an AD user account with ticket delegation authority for each HTTP domain (e.g. if there are 10 domains on the web server, you will need to set up 10 user accounts).

More information on mod_auth_kerb is available at the project website
Information on implementing mod_auth_kerb with Active Directory is available at

See also:

Here's an example on how to achieve seamless authentication in DokuWiki by using mod_auth_kerb and adLDAP:

Apache on Windows with mod_auth_sspi

mod_auth_sspi can provide seamless authentication for Apache on Windows. It's relatively undocumented though and we haven't tried it, so please refer to for more information.

This configuration is working for me: mod_auth_sspi v1.0.4, Apache v2.2.16 with SSL (I'm using HTTPS), PHP 5.3.3.

<Directory "path_to_site">
  Order deny,allow
  Allow from all

  AuthName "Intranet"
  AuthType SSPI
  SSPIAuth On
  SSPIAuthoritative On
  SSPIOfferBasic On
  # VERY IMPORTANT: prevents IE from dropping POST requests
  SSPIPerRequestAuth On
  require valid-user

  Options Indexes FollowSymLinks
  AllowOverride All
</Directory>

The webserver needs to be connected to the domain.


Remove anonymous access from the directory with the IIS management console; the username is then available in $_SERVER["LOGON_USER"].

Note that Windows Server 2008 (including R2) does not come with Windows Authentication enabled by default. It has to be added as a Role Service from the Windows Server Manager.

Seamless authentication with Apache on Windows can be achieved with mod-auth-sspi

Token Authentication with IIS

IIS and NTLM authentication “just work”. If _you_ can't skin the cat, find someone else to do it for you. This was really a round-about solution until mod_auth_ntlm_winbind was released.

This is a basic breakdown. Although most people wouldn't use it in production anymore, it's an interesting way of doing authentication.

  1. Find a Windows machine for authentication
  2. Install IIS/PHP
  3. Enable OpenSSL in php.ini and restart IIS
  4. Install OpenSSL on the webserver
  5. Generate an RSA key pair
  6. Install Apache/PHP on the webserver (requires OpenSSL support compiled into PHP)
  • When the browser arrives at the Apache webserver, generate a random string and store it in the session, encrypt and base64 encode it, and flick the user to the IIS webserver with the encoded token.
  • The IIS webserver authenticates them, then decodes and decrypts the token, adds the username to it, encrypts and encodes the new token, and flicks them back to the Apache webserver with the new token.
  • The Apache webserver decodes and decrypts the token, checks the random string against the one in their session, and then stores their username in the session and redirects to the menu.
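
The three-step exchange above as an added PHP example (not code from the original page or from adLDAP), with both servers simulated in one script. It assumes the Apache webserver holds only the public key and the IIS machine keeps the private key; the function names, the `|` separator and the sample username are constructed for illustration.

```php
<?php
// Assumption: the Apache webserver holds only the public key; the IIS machine keeps the private key.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
if ($key === false || !openssl_pkey_export($key, $iisPrivatePem)) {
    throw new RuntimeException('RSA key generation failed');
}
$apachePublicPem = openssl_pkey_get_details($key)['key'];

// Bullet 1 (Apache): random string stored in the session, then encrypted and base64 encoded.
function apache_issue_token(array &$session, string $publicPem): string {
    $session['nonce'] = bin2hex(random_bytes(16));
    if (!openssl_public_encrypt($session['nonce'], $cipher, $publicPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encrypt failed');
    }
    return base64_encode($cipher);
}

// Bullet 2 (IIS): IIS has already authenticated the user; decrypt, add the username, re-encrypt.
function iis_answer_token(string $token, string $logonUser, string $privatePem): string {
    $cipher = base64_decode($token, true);
    if ($cipher === false
        || !openssl_private_decrypt($cipher, $nonce, $privatePem, OPENSSL_PKCS1_OAEP_PADDING)
        || !openssl_private_encrypt($nonce . '|' . $logonUser, $out, $privatePem)) {
        throw new RuntimeException('token rejected');
    }
    return base64_encode($out);
}

// Bullet 3 (Apache): compare the random string with the session copy, then store the username.
function apache_accept_token(array &$session, string $token, string $publicPem): bool {
    $expected = $session['nonce'] ?? null;
    unset($session['nonce']); // added hardening: single use, so a replayed token finds no nonce
    $cipher = base64_decode($token, true);
    if ($expected === null || $cipher === false || !openssl_public_decrypt($cipher, $plain, $publicPem)) {
        return false;
    }
    [$nonce, $user] = array_pad(explode('|', $plain, 2), 2, '');
    if ($user === '' || !hash_equals($expected, $nonce)) { // constant-time comparison
        return false;
    }
    $session['username'] = $user;
    return true;
}

$session = []; // stands in for $_SESSION on the Apache webserver
$toIis = apache_issue_token($session, $apachePublicPem);
$toApache = iis_answer_token($toIis, 'EXAMPLE\\jdoe', $iisPrivatePem); // constructed LOGON_USER
var_dump(apache_accept_token($session, $toApache, $apachePublicPem)); // first presentation
var_dump(apache_accept_token($session, $toApache, $apachePublicPem)); // same token replayed
```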


Mod_NTLM works, but only some of the time when you're using it in a Windows 2000 or above environment, although it probably works quite well for NT4. There's some issue that prevents it working _every_ time, and when it doesn't authenticate correctly, the user gets a username/password/domain login dialogue. The user keeps putting in their password and you start getting account lockouts, and even when you unlock it you may still not get them in. This may not be Mod_NTLM's fault; I (scott) suspect it's some problem caused by Internet Explorer's header authentication changing between versions, but either way it's not something you could put in production.

The Mod_NTLM project appears to be deprecated by mod_auth_ntlm_winbind

Mod_NTLM is available at

seamless_authentication.txt · Last modified: 2013/12/04 10:41 by