# Apache22 with mod_ntlm2 not working



## AndyUKG (Feb 2, 2011)

Hi,

  I'm attempting to get mod_ntlm2 working (I've not previously used it). On a FreeBSD 8.1 server I have installed apache22 and mod_ntlm2 and added a section to the httpd.conf like:


```
<Location />
     AuthName "NTLM Auth"
     AuthType NTLM
     NTLMAuth on
     NTLMAuthoritative on
     NTLMDomain domain
     NTLMServer pdc
     NTLMBackup bdc
     require valid-user
    </Location>
```

With my domain and pdc and bdc hostnames substituted. I have a couple of windows accounts I am testig with, I have tested using windows commands (net use) that these usernames and passwords are valid. However when I attempted to authenticate via a browser it always denies me access, and after a few tries it locks out the windows accounts. The error I am seeing in the apache logs is:


```
[Wed Feb 02 17:36:53 2011] [notice] [client x.x.x.x] send WWW-Authenticate "NTLM TlRMTVNTUAACAAAAGAAYADAAAAAHggEAumj
c+uE2yscAAAAAAAAAAAAAAABIAAAAdgBvAGsAZQBzAGEAaQByAC4AYwBvAG0A", referer: http://x.x.x.x/
[Wed Feb 02 17:36:53 2011] [notice] [client x.x.x.x] got auth_line "TlRMTVNTUAADAAAAGAAYAIIAAABQAFAAmgAAABAAEA
BYAAAADgAOAGgAAAAMAAwAdgAAAAAAAADqAA
AABYIAAgYBsB0AAAAPG0il5C/9srkfmPPMxZsuk3YAbwBrAGUAcwBhAGkAcgBSAFQAQQBkAG0AaQBuA
FAAQQBWAEQAVgA2AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAN4MKU+bIaQMe7eLipcJ3PkBAQAAAAAA
ABmNq8j/wssBw09SFnwgKuoAAAAAAgAYAHYAbwBrAGUAcwBhAGkAcgAuAGMAbwBtAAAAAAAAAAAA", referer: http://10.120.221.207/
[Wed Feb 02 17:36:53 2011] [notice] [client x.x.x.x] got header with host "workstation", domain "domain", referer: http://x.x.x.x/
[Wed Feb 02 17:36:53 2011] [error] [client x.x.x.x] received msg3 92545680 63783, referer: http://x.x.x.x/
[Wed Feb 02 17:36:53 2011] [error] [client 10.x.x.x] authenticating user against DC 92545680 63783, referer: http://10.120.221.207/
[Wed Feb 02 17:36:53 2011] [error] [client x.x.x.x] NTLM/SMB user "myuser": authentication failure for "/", referer: http://x.x.x.x/
```

Having had a google I couldn't find any similar issues, does anyone have any ideas?

thanks in advance! Andy.


----------



## SirDice (Feb 3, 2011)

What version of Windows are the PDC/BDC?


----------



## AndyUKG (Feb 3, 2011)

They are Windows 2008 R2. They end user has decided to shelve the AD integration for now actually, so as not to slow down the deployment. I'd still be interested if anyone had any ideas what might be the prob though!

thanks Andy.


----------



## SirDice (Feb 3, 2011)

Not sure if it's the case but the newer versions of Windows use a new version of NTLM with improved security. To get it to work you may need to lower this to also allow the previous version of NTLM to authenticate.


----------



## AndyUKG (Feb 3, 2011)

SirDice said:
			
		

> Not sure if it's the case but the newer versions of Windows use a new version of NTLM with improved security. To get it to work you may need to lower this to also allow the previous version of NTLM to authenticate.



Yeah, think you probably nailed the reason there,

http://support.microsoft.com/kb/954387

good call! I did google ntlm (well mod_ntlm :S ) and server 2008 but I didn't see that info...

cheers Andy.


----------

