Sfiggins: Created page with "== Background
== If you need your CGI scripts to know the remote (web client) user who is running IE under Windows, NTLM is a convenient protocol to use. The user..."

2015-10-04T20:12:02Z

Created page with "== Background == If you need your CGI scripts to know the remote (web client) user who is running IE under Windows, NTLM is a convenient protocol to use. The user..."

New page

== Background ==

If you need your CGI scripts to know the remote (web client) user who is running IE under Windows, NTLM is a convenient protocol to use.  The user will not need to enter his credentials.  The CGI script can access the username in the REMOTE_USER environment variable.

Note that NTLMv1 is vulnerable to cracking.  It was replaced with NTLMv2 in the Vista timeframe.

While there are many apparent alternatives to enable this functionality on RHEL/Apache servers, only one (at the time of this writing) cleanly supports NTLMv2 - a python module called PyAuthenNTLM2.

== Install ==

'''Note that this procedure was done on a RHEL6/httpd (apache) box'''

Become root

yum install httpd-devel yum install python-devel yum install python-crypto wget http://archive.apache.org/dist/httpd/modpython/mod_python-3.3.1.tgz tar zxf mod_python-3.3.1.tgz cd mod_python-3.3.1 vi src/connobject.c   change      b == APR_BRIGADE_SENTINEL(b)   to      b == APR_BRIGADE_SENTINEL(bb) ./configure --with-apxs=/usr/sbin/apxs make make install 

cd .. wget https://github.com/Legrandin/PyAuthenNTLM2/archive/master.zip unzip master cd PyAuthenNTLM2-master python setup.py install 

cd /etc/httpd/conf.d/ cat >ntlm2.conf <Location />         AuthType NTLM         AuthName TWTELECOM         require valid-user         PythonAuthenHandler pyntlm         PythonOption Domain TWTELECOM         PythonOption PDC srvdendc5         PythonOption BDC srvdendc1 </Location> ^D

(The AuthName is whatever you want.  The DCs should be near the server)

 cd ../conf vi httpd.conf   Change      KeepAlive Off   To      KeepAlive On   At the end of the LoadModules section insert      LoadModule python_module modules/mod_python.so 

apachectl configtest

  (fix any errors and retry before continuing) 

/etc/init.d/httpd restart   (apachectl graceful doesn't quite do the job for whatever reason) 

== Test ==

cd /var/www/cgi-bin/ cat >whoami.cgi #!/bin/sh printf "Content-type: text/html\n\n$REMOTE_USER\n" ^D chmod 755 whoami.cgi

On your Windows PC, using IE, open the url http://yourserver/cgi-bin/whoami.cgi Verify that you windows username is displayed If it isn't, follow the steps in:   https://github.com/Legrandin/PyAuthenNTLM2#troubleshooting '''Important: You must completely exit IE and bring it back up with each test'''

Enabling NTLM authentication under RHEL/Apache - Revision history

Sfiggins: Created page with "== Background == If you need your CGI scripts to know the remote (web client) user who is running IE under Windows, NTLM is a convenient protocol to use. The user..."

Sfiggins: Created page with "== Background
== If you need your CGI scripts to know the remote (web client) user who is running IE under Windows, NTLM is a convenient protocol to use. The user..."