One does not simply make an intranet PHP application on an Ubuntu-based Apache server load inside a SharePoint Web Part with auto-magic Windows/LDAP authentication over NTLM. Okay... It is actually possible.

I figured out the special sauce to get this happening. And, I'm giving you a cohesive and simple Ubuntu-based way to magically set up your intranet site. This will use the Integrated Windows Auth in Internet Explorer, Chrome and Firefox on Windows devices. Otherwise, it will fall back to a Basic Auth popup.

Please note: I still hold Microsoft responsible for any headaches you may face or if this doesn't work in your environment. There may be a better way (i.e. you could protect only a single page redirect and still allow manual login from the web app). This is what I could come up with in a short time frame. If there is a better way, please share because you care.

Step 1:

You'll need Samba and Winbind.

$ sudo apt-get install samba winbind smbfs

In /etc/samba/smb.conf

workgroup = WORKGROUP
realm = DOMAINNAME
# if using Active Directory (smb.conf comments must be on their own line)
security = ADS
encrypt passwords = true

Restart Samba and join Active Directory (expect a prompt for the Administrator password)

$ sudo restart smbd
$ sudo restart nmbd
$ sudo net ads join -U Administrator

Step 2:

In /etc/nsswitch.conf (add "winbind" to these lines)

passwd: compat winbind
group: compat winbind

Start/Restart Winbind service

$ sudo service winbind start

Test Winbind

$ wbinfo -g
$ wbinfo -u

Add www-data to the winbindd_priv group (assuming the Apache user is still www-data; the group name may differ depending on your Winbind install)

$ sudo adduser www-data winbindd_priv

Step 3:

Install the NTLM Winbind module for Apache.

$ sudo apt-get install libapache2-mod-auth-ntlm-winbind

Edit the config file for your Apache site (e.g. /etc/apache2/sites-enabled/000-default)

   <Directory "/var/www/auth/ldap/">
       <Files ntlm.php>
           NTLMAuth on
           AuthName "NTLM Authentication"
           NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
           NTLMBasicAuthoritative on
           AuthType NTLM
           require valid-user
       </Files>
   </Directory>

Enable the NTLM Winbind module for Apache.

$ sudo a2enmod auth_ntlm_winbind
$ sudo service apache2 restart
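
What the protected ntlm.php could look like once Apache has authenticated the request, as an added example that is not part of the original post: it takes the identity from REMOTE_USER, starts the application session and redirects into the app. The "DOMAIN\user" format, APP_HOME and the session key names are assumptions.

```php
<?php
// ntlm.php: added example, not code from the original post.
// Apache (mod_auth_ntlm_winbind) authenticates the request before PHP runs;
// this script only turns that identity into an application session.
declare(strict_types=1);

const APP_HOME = '/index.php'; // hypothetical landing page of the web app

/**
 * Split the server-provided identity into [domain, user].
 * Assumption: the helper reports "DOMAIN\user" (default winbind separator);
 * a bare "user" is accepted too. Anything else is rejected.
 */
function parse_remote_user(string $raw): ?array
{
    $re = '/^(?:([A-Za-z0-9._-]{1,64})\\\\)?([A-Za-z0-9._-]{1,64})$/D';
    if (!preg_match($re, $raw, $m)) {
        return null;
    }
    return [strtoupper($m[1]), strtolower($m[2])];
}

// Trust only what the web server set. A user name taken from a request
// header or parameter is client-controlled and proves nothing.
$identity = parse_remote_user($_SERVER['REMOTE_USER'] ?? '');

if ($identity === null) {
    // Reached without passing the <Files ntlm.php> auth block (module
    // disabled, config not loaded): fail closed instead of logging in.
    http_response_code(403);
    exit('Authentication required');
}
[$domain, $user] = $identity;

ini_set('session.use_strict_mode', '1');  // refuse unknown session IDs
ini_set('session.cookie_httponly', '1');  // keep the cookie away from scripts
session_start();
session_regenerate_id(true);              // fresh ID at login (anti-fixation)

$_SESSION['user']     = $user;
$_SESSION['domain']   = $domain;
$_SESSION['auth_via'] = $_SERVER['AUTH_TYPE'] ?? 'unknown';

header('Location: ' . APP_HOME, true, 302);
exit;
```

The rest of the application then checks $_SESSION['user'] and sends unauthenticated visitors either to ntlm.php or to its manual login form.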

References: