Ridiculously simple NTLM Authentication for Apache (Ubuntu)

We all know Ubuntu makes things amazingly simple. This is the best I’ve found so far. NTLM authentication in Apache used to take a while to set up; it was tricky and fiddly, and generally a bit hit and miss.

Now, in Ubuntu, all we need to do is install libapache2-authenntlm-perl:

apt-get install libapache2-authenntlm-perl


Now edit the site configuration of your apt-get’ed Apache installation and modify the Directory options:

nano /etc/apache2/sites-enabled/000-default


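<Directory />
        Options FollowSymLinks
        AllowOverride None
        # Hand authentication for this directory to the NTLM module
        PerlAuthenHandler Apache2::AuthenNTLM
        AuthType ntlm
        AuthName "Hill Hire plc"
        Require valid-user
        # ntdomain: the domain name followed by the logon server to check against
        PerlAddVar ntdomain "!!DOMAIN NAME!! !!LOGON SERVER!!"
        PerlSetVar defaultdomain !!DOMAIN NAME!!
        # Seconds to wait for the module's semaphore
        PerlSetVar ntlmsemtimeout 2
        # Write the module's debug messages to the Apache error log
        PerlSetVar ntlmdebug 1
        # Report the user name without the domain prefix
        PerlSetVar splitdomainprefix 1
</Directory>
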

Restart Apache and your tea isn’t even cool enough to drink yet.

Author: Kieran Barnes

Kieran is a PHP developer with 15 years commercial experience. Specialist in WordPress, CakePHP, CubeCart and all things PHP.

7 thoughts on “Ridiculously simple NTLM Authentication for Apache (Ubuntu)”

  1. It works fine, but I always get the following error in the log:

    [error] Bad/Missing NTLM/Basic Authorization Header for /test.php

    How to get rid of it?

  2. Not sure why I’m getting this message, even apt-get reported libapache2-authenntlm-perl is installed and current.

    Invalid command ‘PerlAuthenHandler’, perhaps misspelled or defined by a module not included in the server configuration
    Action ‘start’ failed.

  3. Endre, mine is ok too, but with that error message. Looking on the web I saw this:

    “I have the same error messages in logs while NTLM auth works just OK. I poke to the code and it seems like just a debug message that gets logged as an error by Apache (while it’s not an error). The idea is that the first request coming from a HTTP-client is surely lacking NTLM/basic auth header, then the actual auth’n takes place and then all subsequent requests go with the right header.”

    So, I think we just ignore the error?

  4. Hi there, I get: “[Wed May 25 11:13:25 2011] [error] Connect to SMB Server failed (pdc = ndc01dc.nextdc.local bdc = domain = nextdc.local error = -11/0) for /”

    Is there any requirement at the AD end? I have tried a heap of ways to do this and they all have failed…

    Any help/ideas would be appreciated.
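
The exchange described in the comments (a first request with no Authorization header, then the actual NTLM messages) can be seen by decoding the header value each request carries. The Python below is an added example, not code from the post or from Apache2::AuthenNTLM; the function names and the EXAMPLE/alice/WS01 sample values are constructed for illustration.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001

def _field(msg, pos, unicode_strings):
    """Decode the security buffer (len, maxlen, offset) stored at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    raw = msg[offset:offset + length]
    return raw.decode("utf-16-le" if unicode_strings else "latin-1")

def describe_authorization(header):
    """Say which step of the NTLM exchange an Authorization header belongs to."""
    if not header:
        # First request on a connection: answered with 401, and the module
        # logs "Bad/Missing NTLM/Basic Authorization Header".
        return {"stage": "no-header"}
    scheme, _, blob = header.partition(" ")
    if scheme.upper() != "NTLM":
        return {"stage": "other-scheme"}
    try:
        msg = base64.b64decode(blob, validate=True)
        if not msg.startswith(SIGNATURE):
            return {"stage": "malformed"}
        (msg_type,) = struct.unpack_from("<I", msg, 8)
        if msg_type == 1:
            return {"stage": "negotiate"}
        if msg_type != 3:
            return {"stage": "malformed"}
        # Assumes the flags field at offset 60 is present (current clients).
        (flags,) = struct.unpack_from("<I", msg, 60)
        uni = bool(flags & NEGOTIATE_UNICODE)
        return {"stage": "authenticate", "domain": _field(msg, 28, uni),
                "user": _field(msg, 36, uni), "workstation": _field(msg, 44, uni)}
    except (ValueError, struct.error):  # bad base64, truncated or bad buffer
        return {"stage": "malformed"}

def sample_type3(domain="EXAMPLE", user="alice", host="WS01"):
    """Constructed Type 3 header with empty responses, for offline testing."""
    parts = [b"", b""] + [s.encode("utf-16-le") for s in (domain, user, host)] + [b""]
    head, payload = SIGNATURE + struct.pack("<I", 3), b""
    for part in parts:
        head += struct.pack("<HHI", len(part), len(part), 64 + len(payload))
        payload += part
    flags = struct.pack("<I", NEGOTIATE_UNICODE)
    return "NTLM " + base64.b64encode(head + flags + payload).decode()
```

Calling `describe_authorization(sample_type3())` returns the authenticate stage with the domain, user and workstation the client sent, which is the message the handler checks against the logon server named in `ntdomain`.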
