pyauthenntlm2's People

Contributors

gmazzo

pyauthenntlm2's Issues

Incorrect terminology

The current documentation makes a distinction between "Domain Controller" and "Active Directory server" to indicate the different protocols used for validating a user (SMB vs LDAP).

That is not correct and it is quite misleading: an Active Directory Server is always a Domain Controller.
The documentation should be fixed to include the correct Microsoft terminology.

Intermittent 401 Authorization required error

When using PyAuthenNTLM2 master branch, we have a web app which utilises javascript post requests fairly heavily.

If we hit the site normally and trigger the ajax call shortly afterwards I get a log message:

[Tue Dec 17 15:28:14 2013] [notice] [client 127.0.0.1] PYNTLM: User Joe.Bloggs/TESTDOMAIN has been authenticated to access URI /search, referer: http://broken.site.domain/

If I leave a short period of time before I trigger any ajax calls, the above message is added to the log in the first instance, but I get prompted for a Basic Authentication box which won't go away.

This happens in all web browsers.

Can anyone shine any light on this?

Thanks

PYNTLM error with required valid-user

I am using Ubuntu 14.04 with Apache 2.4.7 and Python 3.4. I am trying to get SSO to work with NTLM. I can get basic authentication to authenticate with Active Directory. I am using this Directory Apache Config:

<Directory /var/www/some_directory>
    AuthType NTLM
    AuthName domain.local
    require valid-user
    PythonAuthenHandler pyntlm
    PythonOption Domain domain.local
    PythonOption PDC dc1.domain.local
    PythonOption BDC dc2.domain.local
</Directory>

When I comment out the require valid-user I am able to use basic authentication to authenticate to the site. Yet when I use require valid-user I get an error in apache2/error.log. It does say I authenticate and shows my username/DOMAIN, but I get the following error that says "PYNTLM: Authorization failed for username and URI /." Is there an alternative to require valid-user that can be used in the apache2.conf file?

(solved) [Errno 13] Permission denied

CentOS 7
Apache/2.4.6 (CentOS) mod_python/3.5.0-e9fc930 Python/2.7.5

Problem:

 PYNTLM: Error when retrieving Type 2 message from server(192.168.64.1) = [Errno 13] Permission denied
 PYNTLM: Exception: Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/pyntlm.py", line 233, in connect_to_proxy
    ntlm_challenge = proxy.negotiate(type1)
  File "/usr/lib/python2.7/site-packages/PyAuthenNTLM2/ntlm_proxy.py", line 75, in negotiate
    self._openConnection()
  File "/usr/lib/python2.7/site-packages/PyAuthenNTLM2/ntlm_proxy.py", line 46, in _openConnection
    self.socket.connect((self.ipaddress, self.port))
  File "/usr/lib64/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
error: [Errno 13] Permission denied

Solution:

Run the following command as root:

setsebool httpd_can_network_connect=1

SELinux is enabled by default.
Please add this to the troubleshooting checklist.

It might be a good idea to include this in various exception handling contexts. I had to do it to obtain the stack trace:
req.log_error('PYNTLM: Exception: %s' % (traceback.format_exc()), apache.APLOG_CRIT)

Can't install on Python 2.4

Hi,

First of all, I don't know anything about Python, really.
I wanted to deploy your script on a RHEL 5 based machine and found out it would not install because it requires Python 2.6, and RHEL 5 has 2.4; is it correct that it will not work on RHEL5's python?

Would it be feasible to get this also to work on Python 2.4?

Mike

It should be possible to include domain in the user identifier

Right now, only the user's account name is put into the REMOTE_USER variable, and passed to the underlying application.

It would be nice if there was an option that allowed REMOTE_USER to also include the domain name.

For instance, let's say we have the domain WINDOM and a user John Doe with account name jdoe.
Today, after authentication, the application behind Apache will display 'jdoe'.
In some cases, it is preferable to have 'WINDOM\jdoe'.

PyAuthenNTLM2 auth skipped when PHP-FPM processing is enabled for PHP

Hi All,

I do not know if this is a bug or simply an Apache configuration issue. I use the latest PyAuthenNTLM2 and Apache 2.4.10 (Debian Jessie stock).

Here is my problem:

  1. PyAuthenNTLM2 works nicely when I add it to my virtual host config. I get [REMOTE_USER] in my PHP scripts.
  2. When I pass PHP processing to FPM, [REMOTE_USER] disappears from the server variables.

My first idea is that the HTTP Authentication header is not passed to fcgi. But using the following rewrite rule does not help:

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

It provides an empty HTTP_AUTHORIZATION field. According to Apache debug logs Python processing is skipped:

[Wed Jun 22 09:56:53.261502 2016] [authz_core:debug] [pid 16270] mod_authz_core.c(835): [client 192.168.23.35:64541] AH01628: authorization result: granted (no directives)

[Wed Jun 22 09:56:53.261570 2016] [proxy_fcgi:debug] [pid 16270] mod_proxy_fcgi.c(77): [client 192.168.23.35:64541] AH01060: set r->filename to proxy:fcgi://127.0.0.1:9000/var/www/ntlm/index.sso.php

[Wed Jun 22 09:56:53.261607 2016] [proxy:debug] [pid 16270] mod_proxy.c(1155): [client 192.168.23.35:64541] AH01143: Running scheme fcgi handler (attempt 0)

[Wed Jun 22 09:56:53.261651 2016] [proxy_fcgi:debug] [pid 16270] mod_proxy_fcgi.c(786): [client 192.168.23.35:64541] AH01076: url: fcgi://127.0.0.1:9000/var/www/ntlm/index.sso.php proxyname: (null) proxyport: 0

My Apache virtual host config is:

<VirtualHost *:80>
    ServerName myserver.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/ntlm/

    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

    ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/ntlm/$1

    <Directory /var/www/ntlm>

        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Satisfy any

        AuthType NTLM
        AuthName "NTLM Authentication"
        require valid-user
        PythonOption Require valid-user

        AddHandler mod_python .py
        PythonHandler mod_python.publisher

        PythonAuthenHandler pyntlm
        PythonOption Domain MYDOMAIN
        PythonOption PDC mypdc
        PythonOption BDC mybdc
        PythonDebug On

    </Directory>

    LogLevel debug

    ErrorLog ${APACHE_LOG_DIR}/ntlm-error.log
    CustomLog ${APACHE_LOG_DIR}/ntlm-access.log combined

</VirtualHost>

Any help is appreciated. Thank you very much.

Ubuntu 15.10 with Apache 2.4: PyAuthenNTLM2 seems inactive

This issue is not related to the other ones concerning Apache 2.4. My problem is that PyAuthenNTLM2 seems to be inactive: I get no info in the log about it handling connections, and the $_SERVER["REMOTE_USER"] variable remains empty.

I get no error message on startup, no hint what might be going wrong.

How can I verify that mod_python actually sees PyAuthenNTLM2?

mod_python does not start pyntlm

Ensure that mod_python can find pyntlm.py. You should be able to see the following line for each request, if the log level is set to Info:

[info] [client 127.0.0.1] PYNTLM: Handling connection 0x0 from address 127.0.0.1 for GET URI /mysite/request

We are not seeing this in our logs, but the troubleshooting section doesn't help much in regards to how to debug this problem. mod_python is starting:

[notice] mod_python: Creating 8 session mutexes based on 256 max processes and 0 max threads.

but we are not seeing any PYNTLM logging, and our users are not getting any WWW-Authenticate: NTLM header. Any ideas what might be wrong?

Configuration file:

<VirtualHost *:80>
  ServerName XXX
  ProxyPreserveHost on
  KeepAlive On

  <Location />
    AuthType NTLM
    AuthName "Log in with username and password"
    require valid-user

    PythonAuthenHandler pyntlm
    PythonOption Domain TESTZONE2
    PythonOption PDC [IP 1]
    PythonOption BDC [IP 2]
  </Location>

  LogLevel debug
</VirtualHost>

Setup:

  • CentOS release 5.9 (Final)
  • Python 2.4.3
  • Apache 2.2.3
  • mod_python from github
  • pycrypto from github
  • PyAuthenNTLM2 from github

Basic authentication does not work

The 401 response never contains Basic as authentication mechanism, even when you have PyCrypto installed. This is due to the fact that "python setup.py install" does not copy ntlm_client.py over to the relevant directory.

See here for details and a fix:

60896f0

Not working with Apache 2.4

I've tested the module with both Apache 2.4 (Ubuntu 13.10) and Apache 2.2 (Ubuntu 12.04). Seems like it is not working with Apache 2.4. Although authentication works fine, authorization to view a location "Require valid-user" does not work.

My configuration:

<Directory /var/www/ad-test/>
    AuthType NTLM
    AuthName "AD-Test"

    PythonAuthenhandler pyntlm
    PythonOption Domain "TEST"
    PythonOption PDC 192.168.10.99

    Require valid-user
</Directory>

error.log

[Tue Nov 19 13:22:31.192499 2013] [:notice] [pid 31473] [client 127.0.0.1:36344] PYNTLM: User Administrator/TEST has been authenticated to access URI /ad-test/
[Tue Nov 19 13:22:31.192574 2013] [:error] [pid 31473] [client 127.0.0.1:36344] PYNTLM: Authorization failed for Administrator and URI /ad-test/.

I've tried printing the requires passed to pyntlm.py at line 279:

rules = ''.join(req.requires()).strip()
req.log_error('PyNTLM: %s' % (rules))
if rules=='valid-user' or cacheGroups.has(rules, username):

and it just outputs nothing more than 'PyNTLM: '

LDAP does not work with python <2.6.6

The urlparse module in Python <2.6.6 does not parse LDAP URLs correctly (even though HTTP URLs are fine).
As a result, PyAuthenNTLM2 does not work when connecting to an ADS via LDAP.

An untested fix exists on the "urlparse_replacement" branch.

PyAuthenNTLM2 appears to incorrectly allow access to parallel directory that should be restricted

I have two parallel directories configured with access control (config below). In a web browser (IE11) as user 'aaa' I try to access a text file in testgroups2. I correctly get a 403 error. I then access a text file in directory testgroups, and correctly receive this. If I then rapidly hit the back button on the browser I can access the previously denied text file in testgroups2.

<Directory "/var/www/html/testgroups">
AuthType NTLM
AuthName XXX.COM
require user aaa, bbb
require valid-user
PythonAuthenHandler pyntlm
PythonOption Domain XXXX.COM
PythonOption PDC ldap://xxx-dc-01/DC=xxx,DC=com
PythonOption BDC ldap://xxx-dc-02/DC=xxx,DC=com
</Directory>

<Directory "/var/www/html/testgroups2">
AuthType NTLM
AuthName XXX.COM
require user ccc
require valid-user
PythonAuthenHandler pyntlm
PythonOption Domain XXXX.COM
PythonOption PDC ldap://xxx-dc-01/DC=xxx,DC=com
PythonOption BDC ldap://xxx-dc-02/DC=xxx,DC=com
</Directory>

"Unexpected NTLM message Type 3 in new connection" Ubuntu 16.04 Apache 2.4

apache2 2.4.18-2ubuntu3.1
libapache2-mod-python 3.3.1-11ubuntu2
python-pyauthenntlm2 2.2-300117

Similar to #12 I was seeing "Unexpected NTLM message Type 3 in new connection", the connection ID seemed to increment before the full NTLM handshake had completed. I've just realised I was using an internal redirect from / to /index.cgi, but this seems unlikely to have broken it.

Where PDC is 192.168.0.1 aka TESTDC.TESTDOMAIN.COM
BDC is 192.168.0.2 aka TESTDC2.TESTDOMAIN.COM

Client machine is 192.168.0.10

Apache config:

Alias /authtests /var/www/authtests

<Directory "/var/www/authtests/ntlm">
        Options +ExecCGI
        AddHandler cgi-script .cgi

        AuthName NTAuth
        AuthType NTLM
        PythonAuthenHandler pyntlm
        PythonOption Domain TESTDOMAIN.COM
        PythonOption PDC TESTDC.TESTDOMAIN.COM
        PythonOption BDC TESTDC2.TESTDOMAIN.COM
        require valid-user
        PythonOption Require valid-user

        LogLevel info
</Directory>

Before (with PDC deliberately misconfigured to see some logging):

[Sun Feb 19 10:16:22.098205 2017] [:info] [pid 12962:tid 140711507302144] [client 192.168.0.10:54022] PYNTLM: Handling connection 0x40 from address 192.168.0.10 for GET URI /authtests/ntlm/. 0 entries in connection cache.
[Sun Feb 19 10:16:22.125503 2017] [:info] [pid 12962:tid 140711498909440] [client 192.168.0.10:54025] PYNTLM: Handling connection 0x41 from address 192.168.0.10 for GET URI /authtests/ntlm/. 0 entries in connection cache.
[Sun Feb 19 10:16:22.125628 2017] [:info] [pid 12962:tid 140711498909440] [client 192.168.0.10:54025] PYTNLM: Initiating connection to Domain Controller server zzTESTDC.TESTDOMAIN.COM (domain TESTDOMAIN.COM).
[Sun Feb 19 10:16:22.127003 2017] [:crit] [pid 12962:tid 140711498909440] [client 192.168.0.10:54025] PYNTLM: Error when retrieving Type 2 message from server(zzTESTDC.TESTDOMAIN.COM) = [Errno -2] Name or service not known
[Sun Feb 19 10:16:22.127066 2017] [:info] [pid 12962:tid 140711498909440] [client 192.168.0.10:54025] PYTNLM: Initiating connection to Domain Controller server TESTDC2.TESTDOMAIN.COM (domain TESTDOMAIN.COM).
[Sun Feb 19 10:16:22.142896 2017] [:info] [pid 12962:tid 140711490516736] [client 192.168.0.10:54025] PYNTLM: Handling connection 0x42 from address 192.168.0.10 for GET URI /authtests/ntlm/. 1 entries in connection cache.
[Sun Feb 19 10:16:22.142976 2017] [:info] [pid 12962:tid 140711490516736] [client 192.168.0.10:54025] Unexpected NTLM message Type 3 in new connection from address 192.168.0.10 and URI /authtests/ntlm/

With more logging:

[Sun Feb 19 16:43:19.818869 2017] [:info] [pid 14897:tid 140451604592384] [client 192.168.0.10:51753] PYNTLM: Handling connection 0x0 from address 192.168.0.10 for GET URI /authtests/ntlm. 0 entries in connection cache.
[Sun Feb 19 16:43:19.818921 2017] [:info] [pid 14897:tid 140451604592384] [client 192.168.0.10:51753] PYNTLM: Cache: {}
[Sun Feb 19 16:43:19.818943 2017] [:info] [pid 14897:tid 140451604592384] [client 192.168.0.10:51753] PYNTLM: Con Notes: {}
[Sun Feb 19 16:43:19.872335 2017] [:info] [pid 14898:tid 140451604592384] [client 192.168.0.10:51756] PYNTLM: Handling connection 0x40 from address 192.168.0.10 for GET URI /authtests/ntlm. 0 entries in connection cache.
[Sun Feb 19 16:43:19.872383 2017] [:info] [pid 14898:tid 140451604592384] [client 192.168.0.10:51756] PYNTLM: Cache: {}
[Sun Feb 19 16:43:19.872407 2017] [:info] [pid 14898:tid 140451604592384] [client 192.168.0.10:51756] PYNTLM: Con Notes: {}
[Sun Feb 19 16:43:19.872440 2017] [:info] [pid 14898:tid 140451604592384] [client 192.168.0.10:51756] PYTNLM: Initiating connection to Domain Controller server TESTDC.TESTDOMAIN.COM (domain TESTDOMAIN.COM).
[Sun Feb 19 16:43:19.893372 2017] [:info] [pid 14898:tid 140451596199680] [client 192.168.0.10:51756] PYNTLM: Handling connection 0x41 from address 192.168.0.10 for GET URI /authtests/ntlm. 1 entries in connection cache.
[Sun Feb 19 16:43:19.893477 2017] [:info] [pid 14898:tid 140451596199680] [client 192.168.0.10:51756] PYNTLM: Cache: {64: (IP: TESTDC.TESTDOMAIN.COM:445 Domain: TESTDOMAIN.COM,\n      1487522599)}
[Sun Feb 19 16:43:19.893502 2017] [:info] [pid 14898:tid 140451596199680] [client 192.168.0.10:51756] PYNTLM: Con Notes: {}
[Sun Feb 19 16:43:19.893523 2017] [:info] [pid 14898:tid 140451596199680] [client 192.168.0.10:51756] Unexpected NTLM message Type 3 in new connection from address 192.168.0.10 and URI /authtests/ntlm from id 65

With even more logging:

[Sun Feb 19 18:56:05.543370 2017] [:info] [pid 16406:tid 139620972967680] [client 192.168.0.10:63534] PYNTLM: Handling connection 0x40 from address 192.168.0.10 for GET URI /authtests/ntlm/?1. 0 entries in connection cache.
[Sun Feb 19 18:56:05.543568 2017] [:info] [pid 16406:tid 139620972967680] [client 192.168.0.10:63534] authenhandler Connection (('192.168.0.10', 63534))->(('192.168.0.1', 80)) KA 0
[Sun Feb 19 18:56:05.545014 2017] [:info] [pid 16406:tid 139620972967680] [client 192.168.0.10:63534] PYNTLM: Cache: {}
[Sun Feb 19 18:56:05.545059 2017] [:info] [pid 16406:tid 139620972967680] [client 192.168.0.10:63534] PYNTLM: Con Notes: {}
[Sun Feb 19 18:56:05.545324 2017] [:info] [pid 16406:tid 139620972967680] [client 192.168.0.10:63534] Handle type 1 cache rm, Connection (('192.168.0.10', 63534))->(('192.168.0.1', 80)) KA 0
[Sun Feb 19 18:56:05.545362 2017] [:info] [pid 16406:tid 139620972967680] [client 192.168.0.10:63534] PYTNLM: Initiating connection to Domain Controller server TESTDC.TESTDOMAIN.COM (domain TESTDOMAIN.COM).
[Sun Feb 19 18:56:05.549161 2017] [:info] [pid 16406:tid 139620972967680] [client 192.168.0.10:63534] Handle type 1 cache add, Connection (('192.168.0.10', 63534))->(('192.168.0.1', 80)) KA 0
[Sun Feb 19 18:56:05.567635 2017] [:info] [pid 16406:tid 139620964574976] [client 192.168.0.10:63534] PYNTLM: Handling connection 0x41 from address 192.168.0.10 for GET URI /authtests/ntlm/?1. 1 entries in connection cache.
[Sun Feb 19 18:56:05.567928 2017] [:info] [pid 16406:tid 139620964574976] [client 192.168.0.10:63534] authenhandler Connection (('192.168.0.10', 63534))->(('192.168.0.1', 80)) KA 1
[Sun Feb 19 18:56:05.568094 2017] [:info] [pid 16406:tid 139620964574976] [client 192.168.0.10:63534] PYNTLM: Cache: {64: (IP: TESTDC.TESTDOMAIN.COM:445 Domain: TESTDOMAIN.COM,\n      1487530565)}
[Sun Feb 19 18:56:05.568177 2017] [:info] [pid 16406:tid 139620964574976] [client 192.168.0.10:63534] PYNTLM: Con Notes: {}
[Sun Feb 19 18:56:05.568364 2017] [:info] [pid 16406:tid 139620964574976] [client 192.168.0.10:63534] Authenhandler ntlm_version 3 Connection (('192.168.0.10', 63534))->(('192.168.0.1', 80)) KA 1
[Sun Feb 19 18:56:05.568488 2017] [:info] [pid 16406:tid 139620964574976] [client 192.168.0.10:63534] Unexpected NTLM message Type 3 in new connection from address 192.168.0.10 and URI /authtests/ntlm/?1 from id 65 (('192.168.0.10', 63534))
[Sun Feb 19 18:56:05.568665 2017] [:info] [pid 16406:tid 139620964574976] [client 192.168.0.10:63534] Connection (('192.168.0.10', 63534))->(('192.168.0.1', 80)) KA 1

With workaround:

[Sun Feb 19 19:03:05.519408 2017] [:info] [pid 16518:tid 139972984174336] [client 192.168.0.10:56376] PYNTLM: Handling connection 0x47 from address 192.168.0.10 for GET URI /authtests/ntlm/?1dsdsdsdsds. 0 entries in connection cache.
[Sun Feb 19 19:03:05.519718 2017] [:info] [pid 16518:tid 139972984174336] [client 192.168.0.10:56376] authenhandler Connection (('192.168.0.10', 56376))->(('192.168.0.1', 80)) KA 0
[Sun Feb 19 19:03:05.519767 2017] [:info] [pid 16518:tid 139972984174336] [client 192.168.0.10:56376] PYNTLM: Cache: {}
[Sun Feb 19 19:03:05.519921 2017] [:info] [pid 16518:tid 139972984174336] [client 192.168.0.10:56376] PYNTLM: Con Notes: {}
[Sun Feb 19 19:03:05.534815 2017] [:info] [pid 16518:tid 139972975781632] [client 192.168.0.10:56379] PYNTLM: Handling connection 0x48 from address 192.168.0.10 for GET URI /authtests/ntlm/?1dsdsdsdsds. 0 entries in connection cache.
[Sun Feb 19 19:03:05.535048 2017] [:info] [pid 16518:tid 139972975781632] [client 192.168.0.10:56379] authenhandler Connection (('192.168.0.10', 56379))->(('192.168.0.1', 80)) KA 0
[Sun Feb 19 19:03:05.535094 2017] [:info] [pid 16518:tid 139972975781632] [client 192.168.0.10:56379] PYNTLM: Cache: {}
[Sun Feb 19 19:03:05.535189 2017] [:info] [pid 16518:tid 139972975781632] [client 192.168.0.10:56379] PYNTLM: Con Notes: {}
[Sun Feb 19 19:03:05.535388 2017] [:info] [pid 16518:tid 139972975781632] [client 192.168.0.10:56379] Handle type 1 cache rm, Connection (('192.168.0.10', 56379))->(('192.168.0.1', 80)) KA 0
[Sun Feb 19 19:03:05.535482 2017] [:info] [pid 16518:tid 139972975781632] [client 192.168.0.10:56379] PYTNLM: Initiating connection to Domain Controller server TESTDC.TESTDOMAIN.COM (domain TESTDOMAIN.COM).
[Sun Feb 19 19:03:05.539073 2017] [:info] [pid 16518:tid 139972975781632] [client 192.168.0.10:56379] Handle type 1 cache add, Connection (('192.168.0.10', 56379))->(('192.168.0.1', 80)) KA 0
[Sun Feb 19 19:03:05.544361 2017] [:info] [pid 16518:tid 139972967388928] [client 192.168.0.10:56379] PYNTLM: Handling connection 0x49 from address 192.168.0.10 for GET URI /authtests/ntlm/?1dsdsdsdsds. 1 entries in connection cache.
[Sun Feb 19 19:03:05.544527 2017] [:info] [pid 16518:tid 139972967388928] [client 192.168.0.10:56379] authenhandler Connection (('192.168.0.10', 56379))->(('192.168.0.1', 80)) KA 1
[Sun Feb 19 19:03:05.544711 2017] [:info] [pid 16518:tid 139972967388928] [client 192.168.0.10:56379] PYNTLM: Cache: {'192.168.0.10-56379': (IP: TESTDC.TESTDOMAIN.COM:445 Domain: TESTDOMAIN.COM,\n                        1487530985)}
[Sun Feb 19 19:03:05.544743 2017] [:info] [pid 16518:tid 139972967388928] [client 192.168.0.10:56379] PYNTLM: Con Notes: {}
[Sun Feb 19 19:03:05.544868 2017] [:info] [pid 16518:tid 139972967388928] [client 192.168.0.10:56379] Authenhandler ntlm_version 3 Connection (('192.168.0.10', 56379))->(('192.168.0.1', 80)) KA 1
[Sun Feb 19 19:03:05.544984 2017] [:info] [pid 16518:tid 139972967388928] [client 192.168.0.10:56379] Handle type 3 Connection (('192.168.0.10', 56379))->(('192.168.0.1', 80)) KA 1
[Sun Feb 19 19:03:05.545020 2017] [:info] [pid 16518:tid 139972967388928] [client 192.168.0.10:56379] PYNTLM: Proxy: IP: TESTDC.TESTDOMAIN.COM:445 Domain: TESTDOMAIN.COM
[Sun Feb 19 19:03:05.557399 2017] [:notice] [pid 16518:tid 139972967388928] [client 192.168.0.10:56379] PYNTLM: User testuser/TESTDOMAIN has been authenticated to access URI /authtests/ntlm/?1dsdsdsdsds
[Sun Feb 19 19:03:05.557559 2017] [:info] [pid 16518:tid 139972967388928] [client 192.168.0.10:56379] Handle type 3 cache rm Connection (('192.168.0.10', 56379))->(('192.168.0.1', 80)) KA 1
[Sun Feb 19 19:03:05.557818 2017] [:info] [pid 16518:tid 139972967388928] [client 192.168.0.10:56379] PYNTLM: Handling connection 0x49 from address 192.168.0.10 for GET URI /authtests/ntlm/index.html?1dsdsdsdsds. 0 entries in connection cache.
[Sun Feb 19 19:03:05.557945 2017] [:info] [pid 16518:tid 139972967388928] [client 192.168.0.10:56379] authenhandler Connection (('192.168.0.10', 56379))->(('192.168.0.1', 80)) KA 1
[Sun Feb 19 19:03:05.557971 2017] [:info] [pid 16518:tid 139972967388928] [client 192.168.0.10:56379] PYNTLM: Cache: {}
[Sun Feb 19 19:03:05.557994 2017] [:info] [pid 16518:tid 139972967388928] [client 192.168.0.10:56379] PYNTLM: Con Notes: {'NTLM_AUTHORIZED': 'testuser'}
[Sun Feb 19 19:03:05.558017 2017] [:info] [pid 16518:tid 139972967388928] [client 192.168.0.10:56379] PYTNLM: Spurious authentication request on connection 0x49. Method = GET. Content-Length = 0. Headers = ['NTLM <256 base64 characters removed>']

Disabling Basic Authentication

Hey there,

Is it possible to turn off basic authentication, if the authentication didn't automatically work?
I want to suppress the authentication prompt if it didn't work, and show a login screen instead.

Is this possible? Do I have to modify the code?

Thanks

Kelvin

Unexpected error when checking membership

Hello,
we have an error on some machines running Windows 7 and Vista. With Windows XP it's running fine.

So I think it must be some Windows setting which is causing the error.
We already tried the following registry setting:
“HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel” to “1”
http://technet.microsoft.com/en-us/library/cc960646.aspx

But the error still appears.
Below you can see the error log.
Do you have an idea what might be the cause?

[Wed Feb 26 10:37:04 2014] [info] [client 172.17.228.107] PYNTLM: Handling connection 0xD for GET URI /. 0 entries in connection cache.
[Wed Feb 26 10:37:04 2014] [info] [client 172.17.228.107] PYTNLM: Initiating connection to Active Directory server 123.123.123.123 (domain DOMAIN) using base DN "DC=DOMAIN,DC=INTERN".
[Wed Feb 26 10:37:04 2014] [info] [client 172.17.228.107] PYNTLM: Handling connection 0xD for GET URI /. 1 entries in connection cache.
[Wed Feb 26 10:37:04 2014] [notice] [client 172.17.228.107] PYNTLM: User ccc/DOMAIN has been authenticated to access URI /
[Wed Feb 26 10:37:04 2014] [error] [client 172.17.228.107] PYNTLM: Unexpected error when checking membership of ccc in groups ['GROUP-NAME'] for URI /: 
[Wed Feb 26 10:37:04 2014] [error] [client 172.17.228.107] Incorrect NTLM message in Authorization header for URI /: local variable 'res' referenced before assignment

ASN decode fails if a user is in more than 127 groups

Set up a user with more than 127 groups: the script checks different groups recursively until it reaches 127; then, when evaluating the 128th, the assert fails:

# python PyAuthenNTLM2/ntlm_client.py -u sevetest -p XXX -d yyyy.ch -g g_HIN_Proxyusers -a ldap://xxxx/DC=yyyy,DC=ch
Using Active Directory (LDAP) to verify credentials.
User sevetest\spital-biel.ch was authenticated.
Traceback (most recent call last):
  File "PyAuthenNTLM2/ntlm_client.py", line 333, in <module>
    res = proxy.check_membership(member, config['group'])
  File "/usr/local/lib/python2.7/dist-packages/PyAuthenNTLM2/ntlm_ad_proxy.py", line 269, in check_membership
    if self.check_membership(None,groups,x, tabs+1):
  File "/usr/local/lib/python2.7/dist-packages/PyAuthenNTLM2/ntlm_ad_proxy.py", line 269, in check_membership
    if self.check_membership(None,groups,x, tabs+1):
  File "/usr/local/lib/python2.7/dist-packages/PyAuthenNTLM2/ntlm_ad_proxy.py", line 269, in check_membership
    if self.check_membership(None,groups,x, tabs+1):
  File "/usr/local/lib/python2.7/dist-packages/PyAuthenNTLM2/ntlm_ad_proxy.py", line 251, in check_membership
    resp = self.proto.parse_search_resp(msg)
  File "/usr/local/lib/python2.7/dist-packages/PyAuthenNTLM2/ntlm_ad_proxy.py", line 181, in parse_search_resp
    messageID, data = parseint(data, True)
  File "/usr/local/lib/python2.7/dist-packages/PyAuthenNTLM2/asn1.py", line 130, in parseint
    assert (ord(payload[0]) & 0x80) == 0x00
AssertionError

I have tested with different users and it stops by different group names, but always in the 127th. Users with less than 127 groups work fine, and users that were not working work again as soon as the group membership goes below 127. For example, user tttt was not working, but now that I have removed some groups, it does:

# python PyAuthenNTLM2/ntlm_client.py -u tttt -p XXX -d yyyy.ch -g g_HIN_Proxyusers -a ldap://xxxx/DC=yyyy,DC=ch
Using Active Directory (LDAP) to verify credentials.
User tttt\yyyy.ch was authenticated.
User tttt belongs to at least one group.

I have tried modifying asn1.py to see what is happening and it seems that the parsing code fails to decode the message: the message ID for the 128th group is not 128 as expected (0x80) but 4294967168 (0xFFFFFF80).
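As an added example (not the project's asn1.py or any of its code), the following Python encoder/decoder for the BER INTEGER that carries an LDAP messageID shows why 128 needs two content bytes and why a lone 0x80 content byte decodes as -128, i.e. the 0xFFFFFF80 reported above. The `naive_encode_integer` function is a hypothetical buggy encoder written for contrast, not a claim about how the project encodes.

```python
"""
BER INTEGER (X.690) contents are two's complement, minimal length: 127 fits
in one byte (0x7F), but 128 needs two (0x00 0x80). A single 0x80 byte means
-128. A sender that emits only the magnitude bytes for 128 therefore sends
-128; when the peer echoes that id back and it lands in an unsigned 32-bit
field, it reads as 0xFFFFFF80 == 4294967168.
"""


def _ber_encode_length(n):
    """Encode a BER length: short form below 0x80, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_decode_length(data, pos):
    """Decode a BER length at data[pos]; return (length, position after it)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def ber_encode_integer(value):
    """Encode a Python int as a BER INTEGER TLV (tag 0x02), two's complement."""
    length = 1
    while True:
        try:
            content = value.to_bytes(length, "big", signed=True)
            break
        except OverflowError:
            length += 1  # grow until the signed value fits
    return b"\x02" + _ber_encode_length(len(content)) + content


def naive_encode_integer(value):
    """Hypothetical buggy encoder: unsigned magnitude bytes only.
    Matches BER for 0..127, but for 128..255 it omits the leading 0x00
    that BER requires, so the bytes denote a negative number."""
    content = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return b"\x02" + _ber_encode_length(len(content)) + content


def ber_decode_integer(data):
    """Decode a BER INTEGER TLV as X.690 mandates (signed).
    Returns (value, remaining bytes). A decoder that instead asserts the
    first content byte has bit 0x80 clear rejects exactly these negatives."""
    if data[0] != 0x02:
        raise ValueError("not an INTEGER tag: 0x%02x" % data[0])
    length, pos = _ber_decode_length(data, 1)
    content = data[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated INTEGER")
    return int.from_bytes(content, "big", signed=True), data[pos + length:]


def as_uint32(value):
    """How a negative messageID appears when stored in an unsigned 32-bit field."""
    return value & 0xFFFFFFFF


if __name__ == "__main__":
    for mid in (127, 128, 255, 256):
        good, bad = ber_encode_integer(mid), naive_encode_integer(mid)
        print(mid, good.hex(), ber_decode_integer(good)[0],
              bad.hex(), ber_decode_integer(bad)[0],
              as_uint32(ber_decode_integer(bad)[0]))
```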

"Unexpected NTLM message Type 3 in new connection" for POST requests after several seconds

I get an "Unexpected NTLM message Type 3 in new connection" error when executing a POST request after an indeterminate amount of time on the same page.

The browser then requests a username and password, which doesn't work. (It just keeps requesting a username and password, and clicking cancel gives an unauthorized response).

This happens in Chrome, IE and Firefox.

GET requests all seem to work fine, however long you remain on the page before navigating to another one.

Example from logs:

[Thu Nov 08 10:11:42 2012] [info] [client 10.2.2.58] PYNTLM: Handling connection 0x4 from address 10.2.2.58 for POST URI /admin/general. 0 entries in connection cache., referer: http://iqa/admin/general
[Thu Nov 08 10:11:42 2012] [info] [client 10.2.2.58] PYTNLM: Spurious authentication request on connection 0x4. Method = POST. Content-Length = 0. Headers = {OMITTED}
[Thu Nov 08 10:11:42 2012] [info] [client 10.2.2.58] Unexpected NTLM message Type 3 in new connection from address 10.2.2.58 and URI /admin/general, referer: http://iqa/admin/general
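As an added example (not the project's pyntlm.py), this Python model replays the "Before" log sequence from the Ubuntu 16.04 issue above through a handshake cache keyed two ways: by the server's connection id, and by client address and port, the key the reporter's workaround log shows. The connection ids and ports are taken from those log lines, the timestamps are constructed, and the expiry case stands in for the "after several seconds" symptom in this issue.

```python
"""
NTLM over HTTP authenticates a TCP connection: Type 1 and Type 3 must arrive
on the same connection, and the server holds the DC-side state created on
Type 1 until Type 3 arrives. In the "Before" log the same client socket
(192.168.0.10:54025) is handed ids 0x41 and 0x42, so a cache keyed by the
server's connection id misses on Type 3 and logs "Unexpected NTLM message
Type 3 in new connection".
"""


class HandshakeCache:
    """Maps a connection key to pending handshake state ("Type 2 sent")."""

    def __init__(self, key_func, ttl=60.0):
        self.key_func = key_func   # what counts as "the same connection"
        self.ttl = ttl             # seconds before a Type-1 entry goes stale
        self.entries = {}          # key -> time Type 1 was seen
        self.events = []           # what a log reader would see

    def handle(self, conn_id, addr, port, msg_type, now):
        key = self.key_func(conn_id, addr, port)
        # Expire stale entries so a reused client port cannot inherit a
        # half-finished handshake from an earlier connection.
        self.entries = {k: t for k, t in self.entries.items() if now - t <= self.ttl}
        if msg_type is None:                    # no Authorization header yet
            self.events.append("challenge 0x%x" % conn_id)
            return "401 WWW-Authenticate: NTLM"
        if msg_type == 1:                       # Type 1: open DC-side state
            self.entries[key] = now
            self.events.append("type1 0x%x" % conn_id)
            return "401 WWW-Authenticate: NTLM <type2>"
        if msg_type == 3:                       # Type 3 must match a Type 1
            if key not in self.entries:
                self.events.append(
                    "Unexpected NTLM message Type 3 in new connection 0x%x" % conn_id)
                return "401 WWW-Authenticate: NTLM"
            del self.entries[key]
            self.events.append("authenticated 0x%x" % conn_id)
            return "200"
        raise ValueError("unknown NTLM message type %r" % msg_type)


def key_by_conn_id(conn_id, addr, port):
    return conn_id


def key_by_client_socket(conn_id, addr, port):
    return "%s-%d" % (addr, port)


# Constructed from the "Before" log: (server conn id, client addr, port, NTLM type)
LOG_SEQUENCE = [
    (0x40, "192.168.0.10", 54022, None),
    (0x41, "192.168.0.10", 54025, 1),
    (0x42, "192.168.0.10", 54025, 3),
]


def replay(key_func, sequence=LOG_SEQUENCE):
    """Run the sequence through a cache; return (responses, events)."""
    cache = HandshakeCache(key_func)
    t0 = 1000.0  # constructed base timestamp
    responses = [cache.handle(*entry, now=t0 + i * 0.02)
                 for i, entry in enumerate(sequence)]
    return responses, cache.events


def unexpected_type3_count(events):
    """Detection helper: count handshakes that failed this way in a log."""
    return sum(1 for e in events
               if e.startswith("Unexpected NTLM message Type 3"))


if __name__ == "__main__":
    for name, kf in (("conn id", key_by_conn_id),
                     ("client socket", key_by_client_socket)):
        responses, events = replay(kf)
        print(name, responses, unexpected_type3_count(events))
```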

Implementation for mod_wsgi

Is there any chance of doing a version that uses mod_wsgi rather than mod_python?

mod_python has been deprecated for quite some time [http://attic.apache.org/projects/quetzalcoatl.html], and it would be good to be able to use this with Python 2.7.

Incorrect NTLM message in Authorization header

I configured the latest version from Git HEAD on Ubuntu 10.04 LTS using included Apache, Python, and mod_python versions and got this error message when using IE7 on WinXP:

Incorrect NTLM message in Authorization header from address 172.24.30.115 and URI /foo:

What can this be?
