Note: You are currently viewing documentation for Moodle 2.4. Up-to-date documentation for the latest stable version of Moodle may be available here: NTLM authentication.

NTLM authentication

From MoodleDocs

This document describes how to set up NTLM/Integrated Authentication in Moodle. It uses a modified version of LDAP Authentication. The NTLM Authentication module is available in the Modules and Plugins database here: http://moodle.org/mod/data/view.php?d=13&rid=314

This Documentation covers how to install it in Moodle 1.6 - for information on how to install the module in Moodle 1.5, please see the readme file in the download.

Assumptions

  1. you are running a MS Active Directory for Authentication.
  2. The Server hosting your website is a member of the Active Directory Domain that your users are also members of.
  3. you are able to define people inside your Network (and authenticated to the Domain) from an IP range or IP range of computers.
  4. you have "some" basic knowledge of php and are able to configure the index.php with the range of internal IP addresses.
  5. you are familar with or have read the LDAP authentication documentation.

Installation

  1. Copy the folder AUTH/NTLM into the AUTH folder of your moodle installation.
  2. Modify the auth/ntlm/index.php file, This file handles which login page to use based on the IP address of the user. if inside your network, they should be directed to the oncampuslogin.php screen. if outside your network, they should be directed to the offcampuslogin.php screen. you will need to modify the if statements in this file to match the IP ranges inside your network.
  3. Turn Integrated Authentication ON and Anonymous Authentication OFF for the moodle\auth\ntlm\oncampuslogin.php file. (see below for more detailed instructions.
  4. Visit the admin page of your moodle installation - you should see notification that the NTLM_AUTH module has been installed.
  5. go to the configuration > variables page, find the dbsessions setting, and set it to "YES" then save the page.
  6. go to the Authentication admin page and select auth_ntlmtitle as your authentication method Note: - this doesn't display full text as I haven't created a language file for this module - you will also see auth_ntlmdescription instead of a proper description - you don't need to worry about this, as you will be the only one who ever sees this.
  7. Configure this page with your normal LDAP settings. NOTE: the Alternate Login URL at the bottom of this page has been set to the NTLM page. - if you wish uninstall this auth module, you must reset this variable on the new authentication type page. eg - if you wish to revert back to manual authentication, then change to manual, and then make sure you delete the alternate login url at the bottom of the page.
  8. (OPTIONAL) modify the offcampuslogin page to give errors when students try to prefix their usercode with your domain.

around line 216 find this code, uncomment all the lines and replace the letters 'DOM' with your domain:

   if (empty($errormsg)) {
       if (strstr(strtolower($frm->username), "DOM\\") <> false) { //NAD - DOM messages.
           $errormsg = get_string("invalidlogin") . " DOM\\ is not required!";
       } else if (strpos($frm->username, "@") <> false) {
           $errormsg = get_string("invalidlogin") . " enter your username - not your e-mail address.";
       } else {
           $errormsg = get_string("invalidlogin");
       }
   }

How to Turn Integrated Authentication on

The File oncampuslogin.php MUST have NTLM/Integrated Authentication enabled at the server or the page will not work.

IIS Configuration

open up IIS, and find the auth/ntlm/oncampuslogin.php file,

  1. right click on the file, choose properties
  2. under the "file security" tab, click on the Authentication and Access control "edit" button
  3. untick "enable anonymous access" and tick "Integrated Windows Authentication"

APACHE Configuration

NOTE: No-one seems to have tested this completely yet - so be careful with this: There are currently 3 possible methods for this:

Using the NTLM part of Samba

1. get the plugin here: http://samba.org/ftp/unpacked/lorikeet/mod_ntlm_winbind/
2. load somthing like this in your http2.conf

   LoadModule ntlm_winbind_module        modules/mod_ntlm_winbind.so 
   
   <Directory "/mnt/hd/website/moodle-test"> 
   
   Options -Indexes FollowSymLinks MultiViews 
   DirectoryIndex   index.php 
   
   AuthName "NTLM Authentication thingy" 
   NTLMAuth on 
   NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp" 
   NTLMBasicAuthoritative on 
   AuthType NTLM 
   require valid-user 
   
   </Directory> 

3. this plugin uses a different value than $_SERVER['AUTH_USER'] in oncampuslogin.php you will need to replace all instances of $_SERVER['AUTH_USER'] with $_SERVER['REMOTE_USER'] - this might get fixed in newer versions of the Moodle plugin.
4. Couple of gotchas - in Fedora Core, keep alive is turned OFF by default in the httpd.conf - see this bug for further info: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188138
5. email Dan if you get this working - I'm keen to hear how people go using the samba winbind option!

Using the NTLM Auth Module for Apache

  1. get the Module from: http://modntlm.sourceforge.net/
  2. use something like this in your httpd.conf: http://moodle.org/mod/forum/discuss.php?d=45887#211074

Using the mod_auth_sspi Module for Apache 2

NOTE: This setup is currently being used in a live production environment, and is therefore suitable for such use provided it is correctly configured and tested.

This is the recommended method for Apache 2, and will work on both Linux/UNIX and Windows systems. It provides better stability and higher performance than other NTLM modules.

1. Download the mod_auth_sspi Module from: http://sourceforge.net/projects/mod-auth-sspi/

2. Edit your Apache 2 configuration file (httpd.conf) to load the module.

   <IfModule !mod_auth_sspi.c>
       LoadModule sspi_auth_module modules/mod_auth_sspi.so
   </IfModule>

3. Choose one of the two methods below

Method 1: This method is recommended for servers that will host a single Moodle instance. Configure NTLM from the main configuration file, add the following to httpd.conf (substitute /var/www/moodle with the path to your Moodle installation e.g. "C:/moodle" for Windows or /somewhere/www/moodle for Linux/UNIX)

   <Files /var/www/moodle/auth/ntlm/oncampuslogin.php>
       AuthName "Moodle at My College"
       AuthType SSPI
       SSPIAuth On
       SSPIOfferBasic Off
       SSPIAuthoritative On
       SSPIDomain mycollege.ac.uk
       require valid-user
   </Files>

Method 2: The alternative method is to use a .htaccess file This method is recommended for servers that will host multiple Moodle instances. It allows additional Moodle instances to be configured without restarting apache, and also makes the solution a little more portable.

We need to add a directive to the main httpd.conf to allow configuration of authentication within .htaccess files.

   <Directory /var/www/moodle>
       AllowOverride AuthConfig
   </Directory>

Next, create a new text file named '.htaccess' in the directory '/somewhere/moodle/auth/ntlm' and add the following directives:

   <Files oncampuslogin.php>
       AuthName "Moodle at My College"
       AuthType SSPI
       SSPIAuth On
       SSPIOfferBasic Off
       SSPIAuthoritative On
       SSPIDomain mycollege.ac.uk
       require valid-user
   </Files>

This enables the Moodle folder to be moved to any apache webserver that is configured to allow authentication configuration through .htaccess

For further help and discussion: http://moodle.org/mod/forum/discuss.php?d=56565

Notes/Tips

  1. When using IIS, dbsessions is required to be set to "YES" because when Integrated authentication is turned on for the oncampuslogin.php page, and dbsessions is set to "NO" then the server impersonates the user to write the session in the moodledata\sessions folder. The reccommended fix is to set dbsessions to "YES" so that sessions are stored in the db. The non-reccommended alternative method is to allow domain users write access to the sessions directory.
  2. If you forget to change the internal IP addresses in index.php to your own, you can just use the offcampuslogin url to login using your admin account. eg: http://yoursite.com/moodle/auth/ntlm/offcampuslogin.php

Specific File information

(mainly for developers)

  1. auth\ntlm\index.php
    This is the page used for the Alternate Login URL setting on the config page for the NTLM plugin.
    The index.php file handles which login page to use based on the IP address of the user.
    if inside your network, they should be directed to the oncampuslogin.php screen.
    if outside your network, they should be directed to the offcampuslogin.php screen.
    you will need to modify the if statements in this file to match the IP ranges inside your network.
  2. auth\ntlm\index_form.html
    this is a copy of the file login\index_form.php.
    The only change in this file from the standard one is that the form action="index.php" is changed to form action="offcampuslogin.php" this is because anyone who is displayed the form will be an offcampus user.
  3. auth\ntlm\offcampuslogin.php
    this is a copy of the file moodle\login\index.php with a couple of minor modifications.
    the modifications to this file involve the setting of a variable ($onoroffcampus = "offcampus";) this is used by the auth plugin to define which page is being used for authentication. the other modification is for displaying extra error messages to the user. - with all the authentication methods we have students are constantly confused about how to enter their credentials if you use NTLM authentication elsewhere at your site you will be aware of the users having to enter the domain\username when authenticating. - this code block sits around line 215 in the file.
  4. auth\ntlm\oncampuslogin.php
    this is a copy of the file login\index.php
    This file has been modified to get the details of the authenticated user via NTLM.

See also