
I have a development environment that is fronted by an Apache server. This Apache server requires SSL and Centrify-enabled NTLM authentication/authorization against the AD backend, using group access to view the web pages. There will be multiple projects using this environment, so I want to set up virtual hosting, which will allow each project to modify its own virtual host with any project-specific Apache modules. The web files will live in /var/www/project1, /var/www/project2, etc.

I already have the DNS configured properly to point *.domain to the Apache server, as well as a wildcard SSL certificate with the altDNSName field set to *.domain.

The problem is the NTLM authentication piece:

If I point my browser to https://hostname.fqdn/project1/index.html, the NTLM authorization processes exactly as I want. I believe this runs off my default virtual host.

If I instead point my browser to https://project1.domain/index.html, the Apache error log complains: "User failed NTLM authentication for /index.html. Error: Logon failure."

<VirtualHost ipaddress:443>
    ServerName "hostname.fqdn"
    DocumentRoot "/var/www/"

    SSLEngine on
    SSLCertificateFile  /path/to/cert.crt
    SSLCertificateKeyFile   /path/to/cert.key
</VirtualHost>

<VirtualHost ipaddress:443>
    ServerName "project1.domain"
    DocumentRoot "/var/www/project1"

    SSLEngine on
    SSLCertificateFile  /path/to/cert.crt
    SSLCertificateKeyFile   /path/to/cert.key
</VirtualHost>

# Server-scope <Directory> sections match on filesystem path, so they apply to
# /var/www/project1 whichever of the two vhosts the request arrived on.
<Directory "/var/www">
    Options Indexes FollowSymLinks

    SSLRequireSSL

    AllowOverride None

    Order allow,deny
    Allow from all
</Directory>

<Directory "/var/www/project1">
    AuthType CENTRIFYDC

    EnableBasicAuth     false
    EnableKerberosAuth  false
    EnableNtlmAuth      true

    Require group       required_ad_group
</Directory>

I have attempted this with both IE and Firefox, making sure *.domain was in my Local Intranet zone for IE and that the network.automatic-ntlm-auth.trusted-uris and network.negotiate-auth.trusted-uris settings are properly set in Firefox.

I have narrowed it down to the NTLM problem, because if I remove the Centrify directives, the Name-Based Virtual Host works as I would expect. I have tried placing the Directory tag within each Virtual Host, I have also tried using a Location tag, but I have not been able to make any headway.

mgriffin

2 Answers


I would start by making 2 solidly separate VirtualHosts that work as expected, and then work back to a hybrid variety by step changes.

I suspect your 2 VirtualHosts resolve to something like this:

<VirtualHost ipaddress:443>
    ServerName "hostname.fqdn"
    DocumentRoot "/var/www/"

    SSLEngine on
    SSLCertificateFile  /path/to/cert.crt
    SSLCertificateKeyFile   /path/to/cert.key

    <Directory "/var/www">
        Options Indexes FollowSymLinks

        SSLRequireSSL

        AllowOverride None

        Order allow,deny
        Allow from all
    </Directory>

    <Directory "/var/www/project1">
        AuthType CENTRIFYDC

        EnableBasicAuth     false
        EnableKerberosAuth  false
        EnableNtlmAuth      true

        Require group       required_ad_group
    </Directory>
</VirtualHost>

<VirtualHost ipaddress:443>
    ServerName "project1.domain"
    DocumentRoot "/var/www/project1"

    SSLEngine on
    SSLCertificateFile  /path/to/cert.crt
    SSLCertificateKeyFile   /path/to/cert.key

    <Directory "/var/www/project1">
        AuthType CENTRIFYDC

        EnableBasicAuth     false
        EnableKerberosAuth  false
        EnableNtlmAuth      true

        Require group       required_ad_group
    </Directory>
</VirtualHost>

So I would test something like that, and then move them out of each other's sub-directories, and see which directives are conflicting.

Tom
  • Thank you. I restructured the Virtual Hosts and Directories as you suggested, but I'm getting the same result. I started using Firebug for Firefox and can confirm that Apache is in fact prompting for NTLM authentication from both Virtual Hosts, and the browser is responding with an NTLM token each time. Apache/Centrify just isn't processing the token when it comes from the project1.domain Virtual Host – mgriffin May 29 '12 at 16:39
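Both the layout in the question and the per-vhost layout in Tom's answer can be checked mechanically rather than by trial. The Python below is an added example, not code from the thread or from Centrify: it models only the subset of Apache's section-merging rules that matter here (name-based vhost selection by ServerName, DocumentRoot plus URI mapped to a file, then every `<Directory>` whose path is a prefix of that file, shortest first, later sections overriding) and is not a full Apache configuration parser. Hostnames, paths and the group name are the placeholders used in the thread; `vhost()`, `parse()`, `effective()` and `auth_view()` are names invented for this example.

```python
"""Which <Directory> sections govern a request on each Apache vhost?

Added example, not code from the thread.  It models the subset of Apache's
merge rules that matter here: choose the <VirtualHost> whose ServerName
matches the Host header (else the first one, the default), map DocumentRoot
plus URI to a file, then merge every <Directory> whose path is a prefix of
that file, shortest path first, later sections overriding earlier ones.
.htaccess, <Location> and regex sections are not modelled.
"""
import posixpath
import re

SSL = """    SSLEngine on
    SSLCertificateFile  /path/to/cert.crt
    SSLCertificateKeyFile   /path/to/cert.key"""

ROOT_DIR = """<Directory "/var/www">
    Options Indexes FollowSymLinks
    SSLRequireSSL
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>"""

AUTH_DIR = """<Directory "/var/www/project1">
    AuthType CENTRIFYDC
    EnableBasicAuth     false
    EnableKerberosAuth  false
    EnableNtlmAuth      true
    Require group       required_ad_group
</Directory>"""


def vhost(name, docroot, *inner):
    """Render one <VirtualHost> block, with any sections nested inside it."""
    return (f'<VirtualHost ipaddress:443>\n    ServerName "{name}"\n'
            f'    DocumentRoot "{docroot}"\n{SSL}\n' + "\n".join(inner)
            + "\n</VirtualHost>")


# Layout from the question: <Directory> sections at server scope.
ORIGINAL = "\n".join([vhost("hostname.fqdn", "/var/www/"),
                      vhost("project1.domain", "/var/www/project1"),
                      ROOT_DIR, AUTH_DIR])
# Layout from Tom's answer: each vhost carries its own <Directory> sections.
SPLIT = "\n".join([vhost("hostname.fqdn", "/var/www/", ROOT_DIR, AUTH_DIR),
                   vhost("project1.domain", "/var/www/project1", AUTH_DIR)])


def parse(text):
    """Return (server-scope <Directory> sections, list of vhosts)."""
    global_dirs, vhosts, vh, sec = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"<VirtualHost\s", line, re.I):
            vh = {"directives": {}, "dirs": []}
        elif re.match(r"</VirtualHost>", line, re.I):
            vhosts.append(vh)
            vh = None
        elif m := re.match(r'<Directory\s+"?([^">]+?)"?\s*>', line, re.I):
            sec = {"path": posixpath.normpath(m.group(1)), "directives": {}}
            (vh["dirs"] if vh else global_dirs).append(sec)
        elif re.match(r"</Directory>", line, re.I):
            sec = None
        else:
            name, _, value = line.partition(" ")
            target = sec or vh            # innermost open section takes the directive
            if target is not None:         # directives outside any section are ignored
                target["directives"][name.lower()] = " ".join(value.split()).strip('"')
    return global_dirs, vhosts


def effective(text, host, uri):
    """Resolve a request to (file path, <Directory> paths applied, merged directives)."""
    global_dirs, vhosts = parse(text)
    vh = next((v for v in vhosts
               if v["directives"].get("servername", "").lower() == host.lower()),
              vhosts[0])
    root = posixpath.normpath(vh["directives"]["documentroot"])
    fs_path = posixpath.normpath(posixpath.join(root, uri.lstrip("/")))
    merged, applied = {}, []
    # Apache applies <Directory> matches shortest path first; sorted() is
    # stable, so server-scope sections come before same-depth vhost ones.
    for s in sorted(global_dirs + vh["dirs"], key=lambda s: s["path"].count("/")):
        if fs_path == s["path"] or fs_path.startswith(s["path"].rstrip("/") + "/"):
            merged.update(s["directives"])
            applied.append(s["path"])
    return fs_path, applied, merged


AUTH_KEYS = ("authtype", "enablebasicauth", "enablekerberosauth",
             "enablentlmauth", "require")


def auth_view(text, host, uri):
    """Only the Centrify/authorization directives that govern the request."""
    merged = effective(text, host, uri)[2]
    return {k: merged[k] for k in AUTH_KEYS if k in merged}


if __name__ == "__main__":
    for label, cfg in (("question layout", ORIGINAL), ("per-vhost layout", SPLIT)):
        for host, uri in (("hostname.fqdn", "/project1/index.html"),
                          ("project1.domain", "/index.html")):
            path, applied, _ = effective(cfg, host, uri)
            print(f"{label}: https://{host}{uri} -> {path} via {applied}")
            print("    ", auth_view(cfg, host, uri))
```

In either layout both URLs resolve to /var/www/project1/index.html and end up under the same AuthType, EnableNtlmAuth and Require directives, which is why restructuring the sections did not change the outcome. One side effect of the per-vhost layout is visible in the output: with the `/var/www` section moved inside the hostname.fqdn vhost, the project1.domain vhost no longer inherits its `SSLRequireSSL` and `Options`, so a section that is meant to apply everywhere should stay at server scope or be repeated in each vhost.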

After more investigation, it wasn't a problem with the Apache configuration. It seems as though the browser was passing NTLM and Apache was receiving it, but Centrify isn't properly validating it. Now I need to figure out where the breakdown is here, but that's another thread.

mgriffin