Ridiculously simple NTLM Authentication for Apache (Ubuntu)

We all know Ubuntu makes things amazingly simple. This is the best I’ve found so far. NTLM authentication in Apache used to take a while to set up; it was tricky and fiddly, and generally a bit hit and miss.

Now, in Ubuntu, all we need to do is install libapache2-authenntlm-perl:

apt-get install libapache2-authenntlm-perl


Now just edit your apt-get’ed Apache installation and modify your Directory options:

nano /etc/apache2/sites-enabled/000-default


<Directory />
        Options FollowSymLinks
        AllowOverride None
        # Hand authentication to the mod_perl NTLM handler
        PerlAuthenHandler Apache2::AuthenNTLM
        AuthType ntlm
        AuthName "Hill Hire plc"
        require valid-user
        # Domain to authenticate against and the logon server to use
        PerlAddVar ntdomain "!!DOMAIN NAME!! !!LOGON SERVER!!"
        PerlSetVar defaultdomain !!DOMAIN NAME!!
        PerlSetVar ntlmsemtimeout 2
        # Extra debug output in the error log
        PerlSetVar ntlmdebug 1
        PerlSetVar splitdomainprefix 1
</Directory>

Restart Apache, and your tea isn’t even cool enough to drink yet.
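A quick lint of the edited file before the restart catches the usual slip-ups with this block: placeholders left in, mod_perl not enabled, debug logging left on, or an unclosed `<Directory>`. This is an added example, not part of the original post or the module; the function name `check_ntlm_conf` and its optional second argument are assumptions, and the sample config is constructed.

```sh
#!/bin/sh
# Added example: lint the AuthenNTLM <Directory> block before restarting Apache.
# check_ntlm_conf and its arguments are hypothetical names, not part of the module.
check_ntlm_conf() {
    conf=$1
    mods=${2:-/etc/apache2/mods-enabled}   # Debian/Ubuntu enabled-modules directory
    issues=0
    body=$(grep -v '^[[:space:]]*#' "$conf" || true)   # ignore comment lines
    has() { printf '%s\n' "$body" | grep -Eiq "$1"; }
    count() { printf '%s\n' "$body" | grep -Eic "$1" || true; }

    # 1. The !!...!! placeholders from the post must be replaced with real values.
    if has '!!'; then
        echo 'placeholder: replace the !!DOMAIN NAME!! / !!LOGON SERVER!! values'
        issues=$((issues + 1))
    fi
    # 2. PerlAuthenHandler is a mod_perl directive; if mod_perl is not enabled,
    #    Apache fails to start with "Invalid command 'PerlAuthenHandler'".
    if has 'PerlAuthenHandler' && [ ! -e "$mods/perl.load" ]; then
        echo "mod_perl: perl.load not found in $mods (try: a2enmod perl)"
        issues=$((issues + 1))
    fi
    # 3. ntlmdebug above 0 writes extra authentication detail to the error log.
    if has 'PerlSetVar[[:space:]]+ntlmdebug[[:space:]]+[1-9]'; then
        echo "ntlmdebug: debug logging is on; set it to 0 once logins work"
        issues=$((issues + 1))
    fi
    # 4. Every <Directory ...> needs a matching </Directory>.
    opens=$(count '<Directory[[:space:]>]')
    closes=$(count '</Directory>')
    if [ "$opens" -ne "$closes" ]; then
        echo "syntax: $opens <Directory> opened, $closes closed"
        issues=$((issues + 1))
    fi
    return "$issues"
}

# Constructed sample: a cut-down copy of the block with placeholders still in place.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<Directory />
    PerlAuthenHandler Apache2::AuthenNTLM
    PerlAddVar ntdomain "!!DOMAIN NAME!! !!LOGON SERVER!!"
    PerlSetVar ntlmdebug 1
EOF
check_ntlm_conf "$sample" /nonexistent || echo "$? issue(s) found"
rm -f "$sample"
```

On a real host, call it as `check_ntlm_conf /etc/apache2/sites-enabled/000-default`; the return code is the number of issues found.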

6 thoughts on “Ridiculously simple NTLM Authentication for Apache (Ubuntu)”

  1. It works fine, but I always get the following error in the log:

    [error] Bad/Missing NTLM/Basic Authorization Header for /test.php

    How to get rid of it?

  2. Cool but it doesn’t work ^^ [error] Wrong password/user (rc=3/1/327681) cool

  3. Not sure why I’m getting this message, even apt-get reported libapache2-authenntlm-perl is installed and current.

    Invalid command ‘PerlAuthenHandler’, perhaps misspelled or defined by a module not included in the server configuration
    Action ‘start’ failed.

  4. Endre, mine is ok too, but with that error message. Looking on the web I saw this:

    “I have the same error messages in logs while NTLM auth works just OK. I poked at the code and it seems like just a debug message that gets logged as an error by Apache (while it’s not an error). The idea is that the first request coming from a HTTP-client is surely lacking NTLM/basic auth header, then the actual auth’n takes place and then all subsequent requests go with the right header.”

    So, I think we just ignore the error?

  5. Graham Ernst

    Hi there, I get: “[Wed May 25 11:13:25 2011] [error] Connect to SMB Server failed (pdc = ndc01dc.nextdc.local bdc = domain = nextdc.local error = -11/0) for /”

    Is there any requirement at the AD end? I have tried a heap of ways to do this and they all have failed…

    Any help/ideas would be appreciated.

  6. Graham Ernst: as pdc enter ndc01dc (without domain)
