Ridiculously simple NTLM Authentication for Apache (Ubuntu)

We all know Ubuntu makes things amazingly simple. This is the best I’ve found so far. NTLM authentication in Apache used to take a while to set up; it used to be tricky and fiddly, and generally a bit hit and miss.

Now, in Ubuntu all we need to do is install libapache2-authenntlm-perl

[codesyntax lang="bash"]
apt-get install libapache2-authenntlm-perl
[/codesyntax]

Now edit the site configuration of your apt-get-installed Apache and modify the Directory options:

[codesyntax lang="bash"]
nano /etc/apache2/sites-enabled/000-default
[/codesyntax]

[codesyntax lang="apache"]
<Directory />
    Options FollowSymLinks
    AllowOverride None

    # Hand authentication to the mod_perl NTLM handler
    PerlAuthenHandler Apache2::AuthenNTLM
    AuthType ntlm
    AuthName "Hill Hire plc"
    require valid-user
    # Replace the !!...!! placeholders with your own values
    PerlAddVar ntdomain "!!DOMAIN NAME!! !!LOGON SERVER!!"
    PerlSetVar defaultdomain !!DOMAIN NAME!!
    PerlSetVar ntlmsemtimeout 2
    # Extra debugging output in the error log
    PerlSetVar ntlmdebug 1
    PerlSetVar splitdomainprefix 1
</Directory>
[/codesyntax]

Restart Apache, and your tea isn’t even cool enough to drink yet.

Author: Kieran Barnes

Kieran is a PHP developer with 15 years commercial experience. Specialist in WordPress, CakePHP, CubeCart and all things PHP.

7 thoughts on “Ridiculously simple NTLM Authentication for Apache (Ubuntu)”

  1. It works fine, but I always get the following error in the log:

    [error] Bad/Missing NTLM/Basic Authorization Header for /test.php

    How to get rid of it?

  2. Not sure why I’m getting this message, even apt-get reported libapache2-authenntlm-perl is installed and current.

    Invalid command 'PerlAuthenHandler', perhaps misspelled or defined by a module not included in the server configuration
    Action ‘start’ failed.

  3. Endre, mine is ok too, but with that error message. Looking on the web I saw this:

    “I have the same error messages in logs while NTLM auth works just OK. I poked into the code and it seems like just a debug message that gets logged as an error by Apache (while it’s not an error). The idea is that the first request coming from a HTTP-client is surely lacking NTLM/basic auth header, then the actual auth’n takes place and then all subsequent requests go with the right header.”

    So, I think we just ignore the error?

  4. Hi there, I get: “[Wed May 25 11:13:25 2011] [error] Connect to SMB Server failed (pdc = ndc01dc.nextdc.local bdc = domain = nextdc.local error = -11/0) for /”

    Is there any requirement at the AD end? I have tried a heap of ways to do this and they all have failed…

    Any help/ideas would be appreciated.
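
NTLM over HTTP is a multi-request handshake: the first request carries no Authorization header, and the client only sends its Type 1 and Type 3 messages in answer to the server's 401 replies, which is the sequence the quote in comment 3 refers to. The Python sketch below is an added example, not part of the original post, its comments or the Apache2::AuthenNTLM module; it classifies each header value of such a handshake so a captured exchange can be compared with what the log shows. The function names `classify` and `sample_type3` and all sample values are hypothetical and constructed for illustration.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
STEPS = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def _buf_text(msg, pos, utf16):
    # Security buffer: length (2), allocated (2), offset (4), little-endian.
    length, _alloc, offset = struct.unpack_from("<HHI", msg, pos)
    raw = msg[offset:offset + length]
    return raw.decode("utf-16-le" if utf16 else "latin-1", "replace")

def classify(header):
    """Classify one Authorization / WWW-Authenticate header value."""
    if not header:
        return {"step": "no-header"}   # first request of every handshake
    scheme, _, blob = header.strip().partition(" ")
    if scheme.upper() != "NTLM":
        return {"step": "other-scheme"}
    if not blob:
        return {"step": "offer"}       # bare "NTLM" in the server's first 401
    try:
        msg = base64.b64decode(blob, validate=True)
    except ValueError:
        return {"step": "malformed"}
    if len(msg) < 12 or not msg.startswith(SIGNATURE):
        return {"step": "malformed"}
    mtype = struct.unpack_from("<I", msg, 8)[0]
    info = {"step": STEPS.get(mtype, "unknown")}
    if mtype == 3 and len(msg) >= 64:  # full header incl. flags at offset 60
        utf16 = bool(struct.unpack_from("<I", msg, 60)[0] & 0x1)  # UNICODE flag
        info["domain"] = _buf_text(msg, 28, utf16)
        info["user"] = _buf_text(msg, 36, utf16)
    return info

def sample_type3(domain, user):
    """Constructed Type 3 message (empty responses), for demonstration only."""
    d, u = domain.encode("utf-16-le"), user.encode("utf-16-le")
    head = SIGNATURE + struct.pack("<I", 3)
    head += struct.pack("<HHI", 0, 0, 64) * 2                 # LM, NT responses
    head += struct.pack("<HHI", len(d), len(d), 64)           # domain
    head += struct.pack("<HHI", len(u), len(u), 64 + len(d))  # user
    head += struct.pack("<HHI", 0, 0, 64) * 2                 # workstation, key
    head += struct.pack("<I", 0x1)                            # flags: UNICODE
    return "NTLM " + base64.b64encode(head + d + u).decode()

if __name__ == "__main__":
    # Constructed header values in the order they cross the wire.
    for h in (None, "NTLM", "NTLM TlRMTVNTUAABAAAA", "NTLM TlRMTVNTUAACAAAA",
              sample_type3("EXAMPLE", "alice")):
        print(classify(h))
```

A request classified as `no-header` followed by `negotiate` and `authenticate` on the same connection is a normal handshake; a `malformed` value or a handshake that never reaches `authenticate` is the case worth investigating.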
