Last Modified: 10.10.2012

The system supports NTLM authorization by default: the mod_auth_sspi module is included in the Apache web server installation. If you do not use Bitrix Environment, or if NTLM authorization works incorrectly or not at all, do the following.

  1. Ensure that mod_auth_sspi is installed.

    a. If you’re using Bitrix Environment, this module is installed by default. Make sure the following lines exist in .htaccess:

    AuthName "My Intranet"
    AuthType SSPI
    SSPIAuth On
    SSPIPackage NTLM
    SSPIDomain MYDOMAIN
    SSPIPerRequestAuth On 
    SSPIAuthoritative On
    SSPIOfferBasic On
    Require valid-user
    

    If they are commented out, uncomment them. If you cannot find these directives at all, add them to .htaccess.

    b. If you are not using Bitrix Environment, download the mod_auth_sspi module and place it in the /apache/modules/ directory.

    Add the following line to the httpd.conf file:

    LoadModule sspi_auth_module modules/mod_auth_sspi.so
    

    Add these lines to .htaccess:

    AuthName "My Intranet"
    AuthType SSPI
    SSPIAuth On
    SSPIPackage NTLM
    SSPIDomain MYDOMAIN
    SSPIPerRequestAuth On 
    SSPIAuthoritative On
    SSPIOfferBasic On
    Require valid-user
    
  2. Use phpinfo to find the value of the $_SERVER['REMOTE_USER'] variable. Set the “NTLM Authorization Domain” parameter to this value in the AD/LDAP server settings.

    Another way to get the REMOTE_USER value is to create a page containing a single line:

    <?php echo $_SERVER['REMOTE_USER']; ?>
    
    and open it in a web browser.
  3. Check the AD/LDAP module settings: NTLM authorization should be enabled (the "Use NTLM authorization" parameter).
    Finally, open Control Panel > Settings > AD/LDAP and make sure the AD/LDAP server parameters are correct.
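
The check in step 1 can be run over an existing .htaccess with a short script. The Python below is an added example, not Bitrix code: it reports each directive listed on this page as ok, commented out, missing, or set to an unexpected value. The `check_htaccess` helper and the sample file content are constructed for illustration.

```python
import re

# Directives listed on this page for .htaccess. None = site-specific value
# (AuthName, SSPIDomain), so only presence is checked.
REQUIRED = {
    "AuthName": None, "AuthType": "SSPI", "SSPIAuth": "On",
    "SSPIPackage": "NTLM", "SSPIDomain": None, "SSPIPerRequestAuth": "On",
    "SSPIAuthoritative": "On", "SSPIOfferBasic": "On", "Require": "valid-user",
}
# Optional leading '#', directive name, then its argument.
LINE = re.compile(r"^\s*(#*)\s*(\w+)\s+(.*?)\s*$")

def check_htaccess(text):
    """Map each required directive to: ok, commented out, missing, or
    'unexpected value: ...'. Hypothetical helper, not part of Bitrix."""
    by_lower = {name.lower(): name for name in REQUIRED}
    status = {name: "missing" for name in REQUIRED}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m or m.group(2).lower() not in by_lower:
            continue
        hashes, name, value = m.groups()
        key = by_lower[name.lower()]  # Apache directive names are case-insensitive
        if hashes:
            # A commented copy only matters if no active copy was seen.
            if status[key] == "missing":
                status[key] = "commented out"
            continue
        expected = REQUIRED[key]
        if expected is None or value.strip('"').lower() == expected.lower():
            status[key] = "ok"
        else:
            status[key] = f"unexpected value: {value}"
    return status

# Constructed sample: one directive commented out, one changed, one absent.
SAMPLE = """\
AuthName "My Intranet"
AuthType SSPI
#SSPIAuth On
SSPIPackage NTLM
SSPIDomain MYDOMAIN
SSPIPerRequestAuth On
SSPIAuthoritative Off
Require valid-user
"""

if __name__ == "__main__":
    for directive, state in check_htaccess(SAMPLE).items():
        print(f"{directive:20} {state}")
```

`SSPIOfferBasic On` makes the module offer Basic authentication alongside NTLM; Basic sends the password base64-encoded, so serve the portal over HTTPS when this directive is enabled.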

Accessing Extranet without NTLM

To enable access to the /extranet/ folder without NTLM authorization:

  1. Add the following lines to .htaccess:
    AuthName "My Intranet"
    AuthType SSPI
    SSPIAuth On
    SSPIPackage NTLM
    SSPIDomain MYDOMAIN
    SSPIPerRequestAuth On
    SSPIAuthoritative On
    SSPIOfferBasic On
    Require valid-user
    
  2. Add the following line to /extranet/.htaccess and /bitrix/.htaccess:
    Satisfy any
    
  3. Add the following line to /bitrix/admin/.htaccess:
    Satisfy all
    

With these directives in place, all public section folders and Control Panel pages require NTLM authorization, except for the /extranet/ folder.



Courses developed by «Bitrix», Inc.