NTLM Authentication

mallett76

Member
Hello,
I created a website for my company, and it had run fine for years.
Then, recently some users were reporting an issue with the site.
Digging into it more, it appears as though the NTLM authentication code doesn't seem to be working on some computers, but it does on others.
Below is the code.
Any ideas/assistance would be greatly appreciated.

$headers = apache_request_headers();

if (!isset($headers['Authorization']))
{
header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: NTLM');
exit;
}
// Retrieve the NT LOGIN information
$auth = $headers['Authorization'];

if (substr($auth,0,5) == 'NTLM ')
{
$msg = base64_decode(substr($auth, 5));
if (substr($msg, 0, 8) != "NTLMSSP\x00")
die('error header not recognised');

if ($msg[8] == "\x01")
{
$msg2 = "NTLMSSP\x00\x02"."\x00\x00\x00\x00". // target name len/alloc
"\x00\x00\x00\x00". // target name offset
"\x01\x02\x81\x01". // flags
"\x00\x00\x00\x00\x00\x00\x00\x00". // challenge
"\x00\x00\x00\x00\x00\x00\x00\x00". // context
"\x00\x00\x00\x00\x30\x00\x00\x00"; // target info len/alloc/offset

header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: NTLM '.trim(base64_encode($msg2)));
exit;
}
else if ($msg[8] == "\x03")
{
function get_msg_str($msg, $start, $unicode = true)
{
$len = (ord($msg[$start+1]) * 256) + ord($msg[$start]);
$off = (ord($msg[$start+5]) * 256) + ord($msg[$start+4]);
if ($unicode)
return str_replace("\0", '', substr($msg, $off, $len));
else
return substr($msg, $off, $len);
}
$user = get_msg_str($msg, 36);
$domain = get_msg_str($msg, 28);
$workstation = get_msg_str($msg, 44);

// Create sessions, holding the $user, $domain, and $workstation
$_SESSION["meUser"] = $user;
$_SESSION["meDomain"] = $domain;
$_SESSION["meWorkstation"] = $workstation;
}
}

/* echo "Please use the Google Chrome Browser for this site";
echo "<br>";
echo "<br>"; */


$user = $_SESSION["meUser"];
//echo "Welcome: " . $_SESSION["meDomain"] . "\\" . $_SESSION["meUser"];
$meNTLogonWithDomain = $_SESSION["meDomain"] . "\\" . $_SESSION["meUser"];


The error message isn't too telling, it's "Hmmm… can't reach this page It looks like the webpage at http://10.163.38.55/neDivCollections/main.php might be having issues, or it may have moved permanently to a new web address."

Believe it is erroring out around header('WWW-Authenticate: NTLM '.trim(base64_encode($msg2)));
 
Sorry for the delay.
When I go to the php error log, I am not seeing it under C:\wamp\logs\php_error.log.
However, I seem to have more information on the C:\wamp\logs\apache_error.log and the C:\wamp\logs\access.log
For the C:\wamp\logs\access.log I see
10.166.77.236 - - [25/Apr/2022:09:02:50 -0400] "GET /neDivCollections/main.php HTTP/1.1" 401 1534
10.166.77.236 - - [25/Apr/2022:09:02:52 -0400] "GET /neDivCollections/main.php HTTP/1.1" 401 1534
10.166.77.236 - - [25/Apr/2022:09:02:54 -0400] "GET /neDivCollections/main.php HTTP/1.1" 401 1534
10.166.77.236 - - [25/Apr/2022:09:02:55 -0400] "GET /neDivCollections/main.php HTTP/1.1" 401 1534
10.166.77.236 - - [25/Apr/2022:09:03:01 -0400] "GET /neDivCollections/main.php HTTP/1.1" 401 1534
10.166.77.236 - - [25/Apr/2022:09:03:02 -0400] "GET /neDivCollections/main.php HTTP/1.1" 401 1534
10.166.77.236 - - [25/Apr/2022:09:03:32 -0400] "GET /neDivCollections/main.php HTTP/1.1" 401 1534
10.166.77.236 - - [25/Apr/2022:09:03:33 -0400] "GET /neDivCollections/main.php HTTP/1.1" 401 1534
10.166.77.236 - - [25/Apr/2022:09:04:33 -0400] "-" 408 -
10.166.77.236 - - [25/Apr/2022:09:04:34 -0400] "GET /neDivCollections/main.php HTTP/1.1" 401 1534
10.166.77.236 - - [25/Apr/2022:09:04:35 -0400] "GET /neDivCollections/main.php HTTP/1.1" 401 1534
10.166.77.236 - - [25/Apr/2022:09:05:34 -0400] "-" 408 -
10.166.77.236 - - [25/Apr/2022:09:09:23 -0400] "GET /neDivCollections/main.php HTTP/1.1" 401 1534
10.166.77.236 - - [25/Apr/2022:09:09:24 -0400] "GET /neDivCollections/main.php HTTP/1.1" 401 1534
10.166.77.236 - - [25/Apr/2022:09:10:23 -0400] "-" 408 -
127.0.0.1 - - [25/Apr/2022:09:12:08 -0400] "GET /wpad.dat HTTP/1.1" 404 304
10.166.77.236 - - [25/Apr/2022:09:14:25 -0400] "GET /neDivCollections/main.php HTTP/1.1" 401 1534
10.166.77.236 - - [25/Apr/2022:09:14:26 -0400] "GET /neDivCollections/main.php HTTP/1.1" 401 1534
10.166.77.236 - - [25/Apr/2022:09:15:25 -0400] "-" 408 -

For the C:\wamp\logs\apache_error.log I see the below:
[Mon Apr 25 03:24:59.037501 2022] [core:error] [pid 3544:tid 1032] [client 24.40.77.255:46186] AH00126: Invalid URI in request GET HTTP/1.1
[Mon Apr 25 03:25:05.197054 2022] [cgi:error] [pid 3544:tid 1032] [client 24.40.77.255:46380] AH02812: attempt to invoke directory as script: C:/wamp/bin/apache/apache2.4.37/cgi-bin/
[Mon Apr 25 03:25:05.417118 2022] [cgi:error] [pid 3544:tid 1032] [client 24.40.77.255:46402] AH02811: script not found or unable to stat: C:/wamp/bin/apache/apache2.4.37/cgi-bin/phpinfo.php
[Mon Apr 25 03:25:05.464002 2022] [cgi:error] [pid 3544:tid 1020] [client 24.40.77.255:46406] AH02811: script not found or unable to stat: C:/wamp/bin/apache/apache2.4.37/cgi-bin/info.php
[Mon Apr 25 03:25:05.495254 2022] [cgi:error] [pid 3544:tid 1020] [client 24.40.77.255:46414] AH02811: script not found or unable to stat: C:/wamp/bin/apache/apache2.4.37/cgi-bin/php.php
[Mon Apr 25 03:25:05.526551 2022] [cgi:error] [pid 3544:tid 1032] [client 24.40.77.255:46422] AH02811: script not found or unable to stat: C:/wamp/bin/apache/apache2.4.37/cgi-bin/phptest.php
[Mon Apr 25 03:25:05.573435 2022] [cgi:error] [pid 3544:tid 1020] [client 24.40.77.255:46430] AH02811: script not found or unable to stat: C:/wamp/bin/apache/apache2.4.37/cgi-bin/phpinfo.php3
[Mon Apr 25 03:25:05.604631 2022] [cgi:error] [pid 3544:tid 1020] [client 24.40.77.255:46436] AH02811: script not found or unable to stat: C:/wamp/bin/apache/apache2.4.37/cgi-bin/info.php3
[Mon Apr 25 03:25:05.635882 2022] [cgi:error] [pid 3544:tid 1012] [client 24.40.77.255:46442] AH02811: script not found or unable to stat: C:/wamp/bin/apache/apache2.4.37/cgi-bin/php.php3
[Mon Apr 25 03:25:05.682759 2022] [cgi:error] [pid 3544:tid 1032] [client 24.40.77.255:46448] AH02811: script not found or unable to stat: C:/wamp/bin/apache/apache2.4.37/cgi-bin/phptest.php3
[Mon Apr 25 03:25:05.714005 2022] [cgi:error] [pid 3544:tid 1012] [client 24.40.77.255:46452] AH02811: script not found or unable to stat: C:/wamp/bin/apache/apache2.4.37/cgi-bin/php_info.php
[Mon Apr 25 03:25:05.760883 2022] [cgi:error] [pid 3544:tid 1032] [client 24.40.77.255:46458] AH02811: script not found or unable to stat: C:/wamp/bin/apache/apache2.4.37/cgi-bin/phpinfo.php
[Mon Apr 25 03:25:05.807759 2022] [cgi:error] [pid 3544:tid 1032] [client 24.40.77.255:46462] AH02811: script not found or unable to stat: C:/wamp/bin/apache/apache2.4.37/cgi-bin/info.php
[Mon Apr 25 03:25:05.839008 2022] [cgi:error] [pid 3544:tid 1032] [client 24.40.77.255:46470] AH02811: script not found or unable to stat: C:/wamp/bin/apache/apache2.4.37/cgi-bin/php.php
[Mon Apr 25 03:25:05.839008 2022] [php7:error] [pid 3544:tid 1012] [client 24.40.77.255:46468] script 'C:/wamp/www/phpinfo.php' not found or unable to stat
[Mon Apr 25 03:25:05.887277 2022] [php7:error] [pid 3544:tid 1032] [client 24.40.77.255:46474] script 'C:/wamp/www/info.php' not found or unable to stat
[Mon Apr 25 03:25:05.887277 2022] [cgi:error] [pid 3544:tid 1012] [client 24.40.77.255:46472] AH02811: script not found or unable to stat: C:/wamp/bin/apache/apache2.4.37/cgi-bin/phptest.php
[Mon Apr 25 03:25:05.918530 2022] [php7:error] [pid 3544:tid 1012] [client 24.40.77.255:46480] script 'C:/wamp/www/php.php' not found or unable to stat
[Mon Apr 25 03:25:05.918530 2022] [cgi:error] [pid 3544:tid 1032] [client 24.40.77.255:46484] AH02811: script not found or unable to stat: C:/wamp/bin/apache/apache2.4.37/cgi-bin/phpinfo.php3
[Mon Apr 25 03:25:05.965400 2022] [cgi:error] [pid 3544:tid 1032] [client 24.40.77.255:46490] AH02811: script not found or unable to stat: C:/wamp/bin/apache/apache2.4.37/cgi-bin/info.php3
[Mon Apr 25 03:25:05.965400 2022] [php7:error] [pid 3544:tid 1020] [client 24.40.77.255:46488] script 'C:/wamp/www/phptest.php' not found or unable to stat
[Mon Apr 25 03:25:05.996653 2022] [php7:error] [pid 3544:tid 1020] [client 24.40.77.255:46496] script 'C:/wamp/www/phpinfo.php3' not found or unable to stat
[Mon Apr 25 03:25:06.012268 2022] [cgi:error] [pid 3544:tid 1012] [client 24.40.77.255:46494] AH02811: script not found or unable to stat: C:/wamp/bin/apache/apache2.4.37/cgi-bin/phptest.php3
[Mon Apr 25 03:25:06.027911 2022] [php7:error] [pid 3544:tid 1012] [client 24.40.77.255:46500] script 'C:/wamp/www/info.php3' not found or unable to stat
[Mon Apr 25 03:25:06.043531 2022] [cgi:error] [pid 3544:tid 1020] [client 24.40.77.255:46502] AH02811: script not found or unable to stat: C:/wamp/bin/apache/apache2.4.37/cgi-bin/php_info.php
[Mon Apr 25 03:25:06.076055 2022] [php7:error] [pid 3544:tid 1032] [client 24.40.77.255:46506] script 'C:/wamp/www/php.php3' not found or unable to stat
[Mon Apr 25 03:25:06.107317 2022] [php7:error] [pid 3544:tid 1020] [client 24.40.77.255:46512] script 'C:/wamp/www/phptest.php3' not found or unable to stat
[Mon Apr 25 03:25:06.138610 2022] [php7:error] [pid 3544:tid 1032] [client 24.40.77.255:46516] script 'C:/wamp/www/php_info.php' not found or unable to stat
[Mon Apr 25 03:25:06.185486 2022] [php7:error] [pid 3544:tid 1032] [client 24.40.77.255:46520] script 'C:/wamp/www/phpinfo.php' not found or unable to stat
[Mon Apr 25 03:25:06.216699 2022] [php7:error] [pid 3544:tid 1032] [client 24.40.77.255:46524] script 'C:/wamp/www/info.php' not found or unable to stat
[Mon Apr 25 03:25:06.263567 2022] [php7:error] [pid 3544:tid 1032] [client 24.40.77.255:46528] script 'C:/wamp/www/php.php' not found or unable to stat
[Mon Apr 25 03:25:06.294819 2022] [php7:error] [pid 3544:tid 1020] [client 24.40.77.255:46536] script 'C:/wamp/www/phptest.php' not found or unable to stat
[Mon Apr 25 03:25:06.326114 2022] [php7:error] [pid 3544:tid 1020] [client 24.40.77.255:46542] script 'C:/wamp/www/phpinfo.php3' not found or unable to stat
[Mon Apr 25 03:25:06.372943 2022] [php7:error] [pid 3544:tid 1020] [client 24.40.77.255:46546] script 'C:/wamp/www/info.php3' not found or unable to stat
[Mon Apr 25 03:25:06.404240 2022] [php7:error] [pid 3544:tid 1032] [client 24.40.77.255:46552] script 'C:/wamp/www/phptest.php3' not found or unable to stat
[Mon Apr 25 03:25:06.436831 2022] [php7:error] [pid 3544:tid 1032] [client 24.40.77.255:46556] script 'C:/wamp/www/php_info.php' not found or unable to stat
[Mon Apr 25 03:25:08.631869 2022] [authz_core:error] [pid 3544:tid 1020] [client 24.40.77.255:46694] AH01630: client denied by server configuration: C:/wamp/apps/phpmyadmin4.8.4/
[Mon Apr 25 03:25:08.663169 2022] [authz_core:error] [pid 3544:tid 1012] [client 24.40.77.255:46700] AH01630: client denied by server configuration: C:/wamp/apps/phpmyadmin4.8.4/phpinfo.php
[Mon Apr 25 03:25:08.709992 2022] [authz_core:error] [pid 3544:tid 1020] [client 24.40.77.255:46710] AH01630: client denied by server configuration: C:/wamp/apps/phpmyadmin4.8.4/info.php
[Mon Apr 25 03:25:08.741241 2022] [authz_core:error] [pid 3544:tid 1012] [client 24.40.77.255:46716] AH01630: client denied by server configuration: C:/wamp/apps/phpmyadmin4.8.4/php.php
[Mon Apr 25 03:25:08.772550 2022] [authz_core:error] [pid 3544:tid 1012] [client 24.40.77.255:46720] AH01630: client denied by server configuration: C:/wamp/apps/phpmyadmin4.8.4/phptest.php
[Mon Apr 25 03:25:08.819377 2022] [authz_core:error] [pid 3544:tid 1020] [client 24.40.77.255:46726] AH01630: client denied by server configuration: C:/wamp/apps/phpmyadmin4.8.4/phpinfo.php3
[Mon Apr 25 03:25:08.850628 2022] [authz_core:error] [pid 3544:tid 1012] [client 24.40.77.255:46730] AH01630: client denied by server configuration: C:/wamp/apps/phpmyadmin4.8.4/info.php3
[Mon Apr 25 03:25:08.883102 2022] [authz_core:error] [pid 3544:tid 1020] [client 24.40.77.255:46736] AH01630: client denied by server configuration: C:/wamp/apps/phpmyadmin4.8.4/php.php3
[Mon Apr 25 03:25:08.929983 2022] [authz_core:error] [pid 3544:tid 1032] [client 24.40.77.255:46740] AH01630: client denied by server configuration: C:/wamp/apps/phpmyadmin4.8.4/phptest.php3
[Mon Apr 25 03:25:08.976852 2022] [authz_core:error] [pid 3544:tid 1032] [client 24.40.77.255:46744] AH01630: client denied by server configuration: C:/wamp/apps/phpmyadmin4.8.4/php_info.php
[Mon Apr 25 03:25:09.008113 2022] [authz_core:error] [pid 3544:tid 1020] [client 24.40.77.255:46750] AH01630: client denied by server configuration: C:/wamp/apps/phpmyadmin4.8.4/phpinfo.php
[Mon Apr 25 03:25:09.054987 2022] [authz_core:error] [pid 3544:tid 1020] [client 24.40.77.255:46758] AH01630: client denied by server configuration: C:/wamp/apps/phpmyadmin4.8.4/info.php
[Mon Apr 25 03:25:09.086236 2022] [authz_core:error] [pid 3544:tid 1032] [client 24.40.77.255:46760] AH01630: client denied by server configuration: C:/wamp/apps/phpmyadmin4.8.4/php.php
[Mon Apr 25 03:25:09.117490 2022] [authz_core:error] [pid 3544:tid 1020] [client 24.40.77.255:46764] AH01630: client denied by server configuration: C:/wamp/apps/phpmyadmin4.8.4/phptest.php
[Mon Apr 25 03:25:09.164412 2022] [authz_core:error] [pid 3544:tid 1032] [client 24.40.77.255:46770] AH01630: client denied by server configuration: C:/wamp/apps/phpmyadmin4.8.4/phpinfo.php3
[Mon Apr 25 03:25:09.211240 2022] [authz_core:error] [pid 3544:tid 1020] [client 24.40.77.255:46776] AH01630: client denied by server configuration: C:/wamp/apps/phpmyadmin4.8.4/info.php3
[Mon Apr 25 03:25:09.242492 2022] [authz_core:error] [pid 3544:tid 1020] [client 24.40.77.255:46782] AH01630: client denied by server configuration: C:/wamp/apps/phpmyadmin4.8.4/phptest.php3
[Mon Apr 25 03:25:09.289368 2022] [authz_core:error] [pid 3544:tid 1020] [client 24.40.77.255:46784] AH01630: client denied by server configuration: C:/wamp/apps/phpmyadmin4.8.4/php_info.php
 
Please add this code at the beginning of the PHP code:
Code:
ini_set('error_log', './error.log');
whole code:
https://gist.github.com/PphEight/5a1c482aa79d661f524f34d83c4795c8

This code will save all errors to a file in the current directory, so it will contain only errors related to this issue.
Then try to reproduce the error; then we will be able to figure out what happened.

Does the issue occur for the same users, or randomly?
 
Hello,
I added ini_set('error_log', './error.log');
in the beginning of the php script. However, it looks like it unfortunately didn't put the error log in the folder.
The problem appears to be only on certain computers.

Here is the apache access log:
The ip address computer ending in 236 it doesn't seem to like.
The ip address computer ending in 217, it seems to be fine with:

10.166.77.236 - - [25/Apr/2022:12:11:30 -0400] "-" 408 -
10.166.77.236 - - [25/Apr/2022:12:11:31 -0400] "GET /neDivCollections/main.php HTTP/1.1" 401 1534
10.166.77.236 - - [25/Apr/2022:12:11:32 -0400] "GET /neDivCollections/main.php HTTP/1.1" 401 1534
10.166.77.236 - - [25/Apr/2022:12:11:56 -0400] "GET /neDivCollections/main.php HTTP/1.1" 200 427
127.0.0.1 - - [25/Apr/2022:12:12:09 -0400] "GET /wpad.dat HTTP/1.1" 404 304
10.166.77.236 - - [25/Apr/2022:12:12:57 -0400] "-" 408 -
147.191.55.217 - - [25/Apr/2022:12:20:56 -0400] "GET /neDivCollections/main.php HTTP/1.1" 401 1534
147.191.55.217 - - [25/Apr/2022:12:20:57 -0400] "GET /neDivCollections/main.php HTTP/1.1" 401 1534
147.191.55.217 - - [25/Apr/2022:12:20:57 -0400] "GET /neDivCollections/main.php HTTP/1.1" 200 2687
147.191.55.217 - - [25/Apr/2022:12:21:56 -0400] "-" 408 -
127.0.0.1 - - [25/Apr/2022:12:22:09 -0400] "GET /wpad.dat HTTP/1.1" 404 304
 
Do you know more about these IP addresses? Do you know what user it is and which browser they use?

Try to create the error.log file manually and make it writable by all.
 
The server should be restarted to ensure that the changes to the ini file take effect.
 
I added the C:\wamp\www\neDivCollections\error.log to the folder where the file exists, and unfortunately, I am not seeing an error.
I intentionally put some bad syntax as a test in the C:\wamp\www\neDivCollections\main.php (the main.php file is the one that I have an issue with), and I did see an error in the C:\wamp\logs\php_error.log - so it makes me think that the error isn't a php coding error, but an apache error.
As far as the ip addresses go, the 147.191.55.217 is my computer in the office. The 10.166.77.236 is my laptop. I tried my laptop in the office, the 10.166.77.236 - and it still didn't work though.
I have tested both computers on the same browsers. Chrome and edge I believe.
Also, I used the code that you had posted from the link earlier.
And, it seems to error as soon as it hits the header('HTTP/1.1 401 Unauthorized');
If I put an exit right before the header('HTTP/1.1 401 Unauthorized'); - I do not have an issue - but of course it doesn't show me the username, which is what I need.

exit; //Does not error when exits here
header('HTTP/1.1 401 Unauthorized');

*************** CODE BELOW *************
$headers = apache_request_headers();

if (!isset($headers['Authorization']))
{
header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: NTLM');
exit;
}

// Retrieve the NT LOGIN information
$auth = $headers['Authorization'];

if (substr($auth,0,5) == 'NTLM ')
{
$msg = base64_decode(substr($auth, 5));
if (substr($msg, 0, 8) != "NTLMSSP\x00")
{
die('error header not recognised');
}

if ($msg[8] == "\x01")
{
$msg2 = "NTLMSSP\x00\x02"."\x00\x00\x00\x00". // target name len/alloc
"\x00\x00\x00\x00". // target name offset
"\x01\x02\x81\x01". // flags
"\x00\x00\x00\x00\x00\x00\x00\x00". // challenge
"\x00\x00\x00\x00\x00\x00\x00\x00". // context
"\x00\x00\x00\x00\x30\x00\x00\x00"; // target info len/alloc/offset
exit; //Does not error when exits here
header('HTTP/1.1 401 Unauthorized');

header('WWW-Authenticate: NTLM '.trim(base64_encode($msg2)));
exit;
}
else if ($msg[8] == "\x03")
{
function get_msg_str($msg, $start, $unicode = true)
{
$len = (ord($msg[$start+1]) * 256) + ord($msg[$start]);
$off = (ord($msg[$start+5]) * 256) + ord($msg[$start+4]);
if ($unicode)
{
return str_replace("\0", '', substr($msg, $off, $len));
}
else
{
return substr($msg, $off, $len);
}
}

$user = get_msg_str($msg, 36);
$domain = get_msg_str($msg, 28);
$workstation = get_msg_str($msg, 44);

// Create sessions, holding the $user, $domain, and $workstation
$_SESSION["meUser"] = $user;
$_SESSION["meDomain"] = $domain;
$_SESSION["meWorkstation"] = $workstation;
}
}

/* echo "Please use the Google Chrome Browser for this site";
echo "<br>";
echo "<br>"; */


$user = $_SESSION["meUser"];
//echo "Welcome: " . $_SESSION["meDomain"] . "\\" . $_SESSION["meUser"];
$meNTLogonWithDomain = $_SESSION["meDomain"] . "\\" . $_SESSION["meUser"];

?>
 
Let's do that another way.
In the directory, create a log directory.
After the first if statement, where we know the auth header is set, add this code:
Code:
$logFile = './log/' . time() . '.log';
$logContent = var_export($headers, true);
file_put_contents($logFile, $logContent);
Then wait for errors; with the whole header we will be able to repeat the request and find the issue.
 
Been struggling with this issue for some time, so am happy to report that I made at least some progress. Using your suggestion, I was able to create a log file. Here were the results:

array (
'Host' => 'localhost',
'Connection' => 'keep-alive',
'sec-ch-ua' => '" Not A;Brand";v="99", "Chromium";v="100", "Microsoft Edge";v="100"',
'sec-ch-ua-mobile' => '?0',
'sec-ch-ua-platform' => '"Windows"',
'Upgrade-Insecure-Requests' => '1',
'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36 Edg/100.0.1185.50',
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
'Sec-Fetch-Site' => 'same-origin',
'Sec-Fetch-Mode' => 'navigate',
'Sec-Fetch-User' => '?1',
'Sec-Fetch-Dest' => 'document',
'Referer' => 'http://localhost/nedivcollections/?C=M;O=D',
'Accept-Encoding' => 'gzip, deflate, br',
'Accept-Language' => 'en-US,en;q=0.9',
)


***************************************************************************

Below was the code that I used

<?php

$headers = apache_request_headers();

if (!isset($headers['Authorization']))
{
/* Added these next 3 lines of code on 4/27/22 to try to create a log file */
$logFile = './log/' . time() . '.log';
$logContent = var_export($headers, true);
file_put_contents($logFile, $logContent);

header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: NTLM');
exit;
}

// Retrieve the NT LOGIN information
$auth = $headers['Authorization'];

if (substr($auth,0,5) == 'NTLM ')
{
$msg = base64_decode(substr($auth, 5));
if (substr($msg, 0, 8) != "NTLMSSP\x00")
{
die('error header not recognised');
}

if ($msg[8] == "\x01")
{
$msg2 = "NTLMSSP\x00\x02"."\x00\x00\x00\x00". // target name len/alloc
"\x00\x00\x00\x00". // target name offset
"\x01\x02\x81\x01". // flags
"\x00\x00\x00\x00\x00\x00\x00\x00". // challenge
"\x00\x00\x00\x00\x00\x00\x00\x00". // context
"\x00\x00\x00\x00\x30\x00\x00\x00"; // target info len/alloc/offset
#exit; //Does not error when exits here
#COMMENTED OUT ON 4/26/22 header('HTTP/1.1 401 Unauthorized');

#COMMENTED OUT ON 4/26/22 header('WWW-Authenticate: NTLM '.trim(base64_encode($msg2)));
echo $msg;
echo "<br>";
echo $msg[8];
exit;
}
else if ($msg[8] == "\x03")
{
function get_msg_str($msg, $start, $unicode = true)
{
$len = (ord($msg[$start+1]) * 256) + ord($msg[$start]);
$off = (ord($msg[$start+5]) * 256) + ord($msg[$start+4]);
if ($unicode)
{
return str_replace("\0", '', substr($msg, $off, $len));
}
else
{
return substr($msg, $off, $len);
}
}

$user = get_msg_str($msg, 36);
$domain = get_msg_str($msg, 28);
$workstation = get_msg_str($msg, 44);

// Create sessions, holding the $user, $domain, and $workstation
$_SESSION["meUser"] = $user;
$_SESSION["meDomain"] = $domain;
$_SESSION["meWorkstation"] = $workstation;
}
}

/* echo "Please use the Google Chrome Browser for this site";
echo "<br>";
echo "<br>"; */


$user = $_SESSION["meUser"];
//echo "Welcome: " . $_SESSION["meDomain"] . "\\" . $_SESSION["meUser"];
$meNTLogonWithDomain = $_SESSION["meDomain"] . "\\" . $_SESSION["meUser"];

?>
 
I was not precise enough: when I wrote "after the if statement" I meant after the closing bracket of the if statement, not inside it. So we have the headers of the unauthorized user :(

This is the code that you need to get the header with the Authorization entry:
Code:
<?php

$headers = apache_request_headers();

if (!isset($headers['Authorization']))
{    
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: NTLM');
    exit;
}

/* Added these next 3 lines of code on 4/27/22 to try to create a log file */
$logFile = './log/' . time() . '.log';
$logContent = var_export($headers, true);
file_put_contents($logFile, $logContent);

// Retrieve the NT LOGIN information
$auth = $headers['Authorization'];

if (substr($auth,0,5) == 'NTLM ')
{
    $msg = base64_decode(substr($auth, 5));
    if (substr($msg, 0, 8) != "NTLMSSP\x00")
    {
        die('error header not recognised');
    }
    
    if ($msg[8] == "\x01")
    {
        $msg2 = "NTLMSSP\x00\x02"."\x00\x00\x00\x00". // target name len/alloc
        "\x00\x00\x00\x00". // target name offset
        "\x01\x02\x81\x01". // flags
        "\x00\x00\x00\x00\x00\x00\x00\x00". // challenge
        "\x00\x00\x00\x00\x00\x00\x00\x00". // context
        "\x00\x00\x00\x00\x30\x00\x00\x00"; // target info len/alloc/offset
        #exit; //Does not error when exits here
        #COMMENTED OUT ON 4/26/22 header('HTTP/1.1 401 Unauthorized');
        
        #COMMENTED OUT ON 4/26/22 header('WWW-Authenticate: NTLM '.trim(base64_encode($msg2)));
        echo $msg;
        echo "<br>";
        echo $msg[8];
        exit;
    }
    else if ($msg[8] == "\x03")
    {
        function get_msg_str($msg, $start, $unicode = true)
        {
            $len = (ord($msg[$start+1]) * 256) + ord($msg[$start]);
            $off = (ord($msg[$start+5]) * 256) + ord($msg[$start+4]);
            if ($unicode)
            {
                return str_replace("\0", '', substr($msg, $off, $len));
            }
            else
            {
                return substr($msg, $off, $len);
            }
        }
        
        $user = get_msg_str($msg, 36);
        $domain = get_msg_str($msg, 28);
        $workstation = get_msg_str($msg, 44);
        
        // Create sessions, holding the $user, $domain, and $workstation
        $_SESSION["meUser"] = $user;
        $_SESSION["meDomain"] = $domain;
        $_SESSION["meWorkstation"] = $workstation;
    }
}

/* echo "Please use the Google Chrome Browser for this site";
echo "<br>";
echo "<br>"; */


$user = $_SESSION["meUser"];
//echo "Welcome: " . $_SESSION["meDomain"] . "\\" . $_SESSION["meUser"];
$meNTLogonWithDomain = $_SESSION["meDomain"] . "\\" . $_SESSION["meUser"];

Maybe I am boring you, but I want to mention again that code with the right indentation is easier to work with :)
 
Here is the updated log, with the newly suggested code:

array (
'Host' => 'localhost',
'Connection' => 'keep-alive',
'Authorization' => 'NTLM TlRMTVNTUAABAAAAB7IIogUABQA2AAAADgAOACgAAAAKAGFKAAAAD05ITUFOTC1GMjg4VFEyQ0FCTEU=',
'sec-ch-ua' => '" Not A;Brand";v="99", "Chromium";v="100", "Microsoft Edge";v="100"',
'sec-ch-ua-mobile' => '?0',
'sec-ch-ua-platform' => '"Windows"',
'Upgrade-Insecure-Requests' => '1',
'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36 Edg/100.0.1185.50',
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
'Sec-Fetch-Site' => 'same-origin',
'Sec-Fetch-Mode' => 'navigate',
'Sec-Fetch-User' => '?1',
'Sec-Fetch-Dest' => 'document',
'Referer' => 'http://localhost/nedivcollections/?C=M;O=D',
'Accept-Encoding' => 'gzip, deflate, br',
'Accept-Language' => 'en-US,en;q=0.9',
)
 
I moved the logging to another place to log the next step.

Code:
<?php

$headers = apache_request_headers();

if (!isset($headers['Authorization']))
{    
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: NTLM');
    exit;
}

// Retrieve the NT LOGIN information
$auth = $headers['Authorization'];

if (substr($auth,0,5) == 'NTLM ')
{
    $msg = base64_decode(substr($auth, 5));
    if (substr($msg, 0, 8) != "NTLMSSP\x00")
    {
        die('error header not recognised');
    }
    
    if ($msg[8] == "\x01")
    {
        $msg2 = "NTLMSSP\x00\x02"."\x00\x00\x00\x00". // target name len/alloc
        "\x00\x00\x00\x00". // target name offset
        "\x01\x02\x81\x01". // flags
        "\x00\x00\x00\x00\x00\x00\x00\x00". // challenge
        "\x00\x00\x00\x00\x00\x00\x00\x00". // context
        "\x00\x00\x00\x00\x30\x00\x00\x00"; // target info len/alloc/offset
        #exit; //Does not error when exits here
        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: NTLM '.trim(base64_encode($msg2)));
        exit;

        echo $msg;
        echo "<br>";
        echo $msg[8];
        exit;
    }
    else if ($msg[8] == "\x03")
    {
        /* Added these next 3 lines of code on 4/27/22 to try to create a log file */
        $logFile = './log/' . time() . '.log';
        $logContent = var_export($headers, true);
        file_put_contents($logFile, $logContent);
        
        function get_msg_str($msg, $start, $unicode = true)
        {
            $len = (ord($msg[$start+1]) * 256) + ord($msg[$start]);
            $off = (ord($msg[$start+5]) * 256) + ord($msg[$start+4]);
            if ($unicode)
            {
                return str_replace("\0", '', substr($msg, $off, $len));
            }
            else
            {
                return substr($msg, $off, $len);
            }
        }
        
        $user = get_msg_str($msg, 36);
        $domain = get_msg_str($msg, 28);
        $workstation = get_msg_str($msg, 44);
        
        // Create sessions, holding the $user, $domain, and $workstation
        $_SESSION["meUser"] = $user;
        $_SESSION["meDomain"] = $domain;
        $_SESSION["meWorkstation"] = $workstation;
    }
}

/* echo "Please use the Google Chrome Browser for this site";
echo "<br>";
echo "<br>"; */


$user = $_SESSION["meUser"];
//echo "Welcome: " . $_SESSION["meDomain"] . "\\" . $_SESSION["meUser"];
$meNTLogonWithDomain = $_SESSION["meDomain"] . "\\" . $_SESSION["meUser"];
 
Hello,
Here is the log of a computer without an issue. And, further below is the log of the computer with the issue.

array (
'Host' => '10.30.118.9',
'Connection' => 'keep-alive',
'Authorization' => 'NTLM TlRMTVNTUAADAAAAGAAYAJAAAAA4ADgAqAAAAAoACgBYAAAAEgASAGIAAAAcABwAdAAAAAAAAADgAAAABQAAAgoAYUoAAAAPG8jX/OIAuEG9QS5fHgmDe0MAQQBCAEwARQBQAE0AYQBsAGwAZQAwADAAMQBOAEgATQBBAE4ARAAtADEAQwBTADMAMQBUADIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAkLa1hGw/+daDYQsGKR0CnAEBAAAAAAAALxll+kVa2AFahNUlVR81eQAAAAACAAAAAAAAAAAAAAA=',
'Upgrade-Insecure-Requests' => '1',
'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36',
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
'Accept-Encoding' => 'gzip, deflate',
'Accept-Language' => 'en-US,en;q=0.9',
)

**********************************************************

Log of computer with an issue

array (
'Host' => 'localhost',
'Connection' => 'keep-alive',
'Cache-Control' => 'max-age=0',
'Authorization' => 'NTLM TlRMTVNTUAABAAAAB7IIogUABQA2AAAADgAOACgAAAAKAGFKAAAAD05ITUFOTC1GMjg4VFEyQ0FCTEU=',
'sec-ch-ua' => '" Not A;Brand";v="99", "Chromium";v="100", "Microsoft Edge";v="100"',
'sec-ch-ua-mobile' => '?0',
'sec-ch-ua-platform' => '"Windows"',
'Upgrade-Insecure-Requests' => '1',
'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36 Edg/100.0.1185.50',
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
'Sec-Fetch-Site' => 'same-origin',
'Sec-Fetch-Mode' => 'navigate',
'Sec-Fetch-User' => '?1',
'Sec-Fetch-Dest' => 'document',
'Referer' => 'http://localhost/nedivcollections/?C=M;O=D',
'Accept-Encoding' => 'gzip, deflate, br',
'Accept-Language' => 'en-US,en;q=0.9',
)
 
Sorry, I think I overlooked the post where you mentioned next step.

I used the code you posted for the next step, and the code yielded the below results for the computer that is having the issue.

Here are the log results regarding this code, where the log file is lower:

" else if ($msg[8] == "\x03")
{
/* Added these next 3 lines of code on 4/27/22 to try to create a log file */
$logFile = './log/' . time() . '.log';
$logContent = var_export($headers, true);
file_put_contents($logFile, $logContent);"

array (
'Host' => 'localhost',
'Connection' => 'keep-alive',
'Cache-Control' => 'max-age=0',
'Authorization' => 'NTLM TlRMTVNTUAABAAAAB7IIogUABQA2AAAADgAOACgAAAAKAGFKAAAAD05ITUFOTC1GMjg4VFEyQ0FCTEU=',
'sec-ch-ua' => '" Not A;Brand";v="99", "Chromium";v="100", "Microsoft Edge";v="100"',
'sec-ch-ua-mobile' => '?0',
'sec-ch-ua-platform' => '"Windows"',
'Upgrade-Insecure-Requests' => '1',
'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36 Edg/100.0.1185.50',
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
'Sec-Fetch-Site' => 'same-origin',
'Sec-Fetch-Mode' => 'navigate',
'Sec-Fetch-User' => '?1',
'Sec-Fetch-Dest' => 'document',
'Referer' => 'http://localhost/nedivcollections/?C=M;O=D',
'Accept-Encoding' => 'gzip, deflate, br',
'Accept-Language' => 'en-US,en;q=0.9',
)
 
Sorry - made a mistake.

Using the below code (where the log file is posted further below) on the computer that there is an issue with, there wasn't a log created.

<?php

$headers = apache_request_headers();

if (!isset($headers['Authorization']))
{
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: NTLM');
    exit;
}

// Retrieve the NT LOGIN information
$auth = $headers['Authorization'];

if (substr($auth,0,5) == 'NTLM ')
{
    $msg = base64_decode(substr($auth, 5));
    if (substr($msg, 0, 8) != "NTLMSSP\x00")
    {
        die('error header not recognised');
    }

    if ($msg[8] == "\x01")
    {
        $msg2 = "NTLMSSP\x00\x02"."\x00\x00\x00\x00". // target name len/alloc
            "\x00\x00\x00\x00". // target name offset
            "\x01\x02\x81\x01". // flags
            "\x00\x00\x00\x00\x00\x00\x00\x00". // challenge
            "\x00\x00\x00\x00\x00\x00\x00\x00". // context
            "\x00\x00\x00\x00\x30\x00\x00\x00"; // target info len/alloc/offset
        #exit; //Does not error when exits here
        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: NTLM '.trim(base64_encode($msg2)));
        exit;

        echo $msg;
        echo "<br>";
        echo $msg[8];
        exit;
    }
    else if ($msg[8] == "\x03")
    {
        /* Added these next 3 lines of code on 4/27/22 to try to create a log file */
        $logFile = './log/' . time() . '.log';
        $logContent = var_export($headers, true);
        file_put_contents($logFile, $logContent);

        function get_msg_str($msg, $start, $unicode = true)
        {
            $len = (ord($msg[$start+1]) * 256) + ord($msg[$start]);
            $off = (ord($msg[$start+5]) * 256) + ord($msg[$start+4]);
            if ($unicode)
            {
                return str_replace("\0", '', substr($msg, $off, $len));
            }
            else
            {
                return substr($msg, $off, $len);
            }
        }

        $user = get_msg_str($msg, 36);
        $domain = get_msg_str($msg, 28);
        $workstation = get_msg_str($msg, 44);

        // Create sessions, holding the $user, $domain, and $workstation
        $_SESSION["meUser"] = $user;
        $_SESSION["meDomain"] = $domain;
        $_SESSION["meWorkstation"] = $workstation;
    }
}

/* echo "Please use the Google Chrome Browser for this site";
echo "<br>";
echo "<br>"; */


$user = $_SESSION["meUser"];
//echo "Welcome: " . $_SESSION["meDomain"] . "\\" . $_SESSION["meUser"];
$meNTLogonWithDomain = $_SESSION["meDomain"] . "\\" . $_SESSION["meUser"];
?>

********************************************************

Log results of the computer that does work:

array (
'Host' => 'localhost',
'Connection' => 'keep-alive',
'Cache-Control' => 'max-age=0',
'Authorization' => 'NTLM TlRMTVNTUAADAAAAGAAYAJAAAAA4ADgAqAAAAAoACgBYAAAAEgASAGIAAAAcABwAdAAAAAAAAADgAAAABQAAAgoAYUoAAAAPb8w9yiMWpDT4pWqY/iLkQ0MAQQBCAEwARQBQAE0AYQBsAGwAZQAwADAAMQBOAEgATQBBAE4ARAAtADEAQwBTADMAMQBUADIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQK2dHZpoxXw4p70DIHCXowEBAAAAAAAAb/62Rl9a2AFmBNZWnXOqYgAAAAACAAAAAAAAAAAAAAA=',
'sec-ch-ua' => '" Not A;Brand";v="99", "Chromium";v="100", "Microsoft Edge";v="100"',
'sec-ch-ua-mobile' => '?0',
'sec-ch-ua-platform' => '"Windows"',
'Upgrade-Insecure-Requests' => '1',
'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36 Edg/100.0.1185.50',
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
'Sec-Fetch-Site' => 'same-origin',
'Sec-Fetch-Mode' => 'navigate',
'Sec-Fetch-User' => '?1',
'Sec-Fetch-Dest' => 'document',
'Referer' => 'http://localhost/nedivcollections/?C=M;O=D',
'Accept-Encoding' => 'gzip, deflate, br',
'Accept-Language' => 'en-US,en;q=0.9',
'Cookie' => 'PHPSESSID=nk619p2fenvr3bc8alr2inll8n',
)
 
When I post the error log further down, the log file is not created and the web page has the following error, on the web page, but not in the log file, as a log file isn't created.

Hmmm… can't reach this page
It looks like the webpage at http://localhost/nedivcollections/newNtlmTest.php might be having issues, or it may have moved permanently to a new web address.
ERR_UNEXPECTED
 
I tested it locally on php8 and:
- Firefox required additional configuration to work with NTLM; by default it prompts for credentials, but when I submitted them empty I saw the right data,
- on Edge v100 on Win10 (the same configuration as one of the logs with the issue) it works fine for me.

Does the issue occur on PHP 5 or only on PHP 7?
Did you change anything other than the PHP version?

It looks like the issue is not related to PHP, but to the user configuration.
Can you contact anyone who has the issue?
Try to check this:
https://docs.microsoft.com/en-us/answers/questions/476913/disable-windows-authentication-passthrough-in-chro.html
 
PHP version is 7.2.14. I have not tested it out on other PHP versions. I am only using 7.2.14.
When I test on Firefox, it prompts me for the username and password on both the new computer and the bad computer. As far as the other questions go, I will need to get back to you.

Log files

Good computer

array (
'Host' => '10.30.19.89',
'Connection' => 'keep-alive',
'Authorization' => 'NTLM TlRMTVNTUAADAAAAGAAYAJAAAAA4ADgAqAAAAAoACgBYAAAAEgASAGIAAAAcABwAdAAAAAAAAADgAAAABQAAAgoAYUoAAAAPLxmdnxr0VLdDZGu4YaGjlEMAQQBCAEwARQBQAE0AYQBsAGwAZQAwADAAMQBOAEgATQBBAE4ARAAtADEAQwBTADMAMQBUADIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAiaXws3YsUA1ks2F6HJYBTQEBAAAAAAAAwxuwigxb2AHvNt1KMlZF0wAAAAACAAAAAAAAAAAAAAA=',
'Upgrade-Insecure-Requests' => '1',
'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36',
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
'Accept-Encoding' => 'gzip, deflate',
'Accept-Language' => 'en-US,en;q=0.9',
)

Bad computer

array (
'Host' => '10.30.19.89',
'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0',
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
'Accept-Language' => 'en-US,en;q=0.5',
'Accept-Encoding' => 'gzip, deflate',
'Connection' => 'keep-alive',
'Upgrade-Insecure-Requests' => '1',
'Authorization' => 'NTLM TlRMTVNTUAADAAAAGAAYAIYAAAA4ADgAngAAAAAAAABYAAAAEgASAFgAAAAcABwAagAAAAAAAADWAAAABQAAAgoAYUoAAAAPfSX4mAQ3+swZmo9H5mtxX3AATQBhAGwAbABlADAAMAAxAE4ASABNAEEATgBEAC0AMQBDAFMAMwAxAFQAMgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJCBYtbc3i8RJj97eBoiJwAQEAAAAAAACJ1oWdDFvYAQiH1QJCsiMoAAAAAAIAAAAAAAAAAAAAAA==',
)
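The logged Authorization values above are easier to compare once decoded. As an added example (not code from the thread), this Python decoder unpacks NTLM Type 1 and Type 3 messages with the bounds checks that get_msg_str does not perform; the names parse_ntlm_header, read_buffer and build_type3 are chosen here, the Type 3 sample is constructed, and decoding OEM strings as latin-1 is an assumption.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
# Security buffer positions per message type; 28/36/44 are what the PHP reads.
FIELDS = {1: {"domain": 16, "workstation": 24},
          3: {"domain": 28, "user": 36, "workstation": 44}}
FLAGS_AT = {1: 12, 3: 60}
# Type 1 value copied from the problem computer's log on this page.
PAGE_TYPE1 = "NTLM TlRMTVNTUAABAAAAB7IIogUABQA2AAAADgAOACgAAAAKAGFKAAAAD05ITUFOTC1GMjg4VFEyQ0FCTEU="

def read_buffer(msg, pos):
    """Return the bytes a (len, maxlen, offset) buffer points at."""
    if pos + 8 > len(msg):
        raise ValueError("security buffer header past end of message")
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def parse_ntlm_header(value):
    """Decode an 'NTLM <base64>' Authorization value into its claimed fields."""
    scheme, _, blob = value.partition(" ")
    msg = base64.b64decode(blob, validate=True) if scheme == "NTLM" else b""
    if len(msg) < 12 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLM message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype not in FIELDS or len(msg) < FLAGS_AT[mtype] + 4:
        raise ValueError("unsupported or truncated message")
    flags = struct.unpack_from("<I", msg, FLAGS_AT[mtype])[0]
    # Type 1 strings are OEM (latin-1 is an assumption); Type 3 may be UTF-16LE.
    codec = "utf-16-le" if mtype == 3 and flags & NEGOTIATE_UNICODE else "latin-1"
    out = {"type": mtype, "flags": flags}
    for name, pos in FIELDS[mtype].items():
        out[name] = read_buffer(msg, pos).decode(codec, "replace")
    return out

def build_type3(domain, user, workstation):
    """Constructed sample: Type 3 layout with empty LM/NT responses."""
    parts = [s.encode("utf-16-le") for s in (domain, user, workstation)]
    bufs, offset = b"", 64
    for p in parts:
        bufs += struct.pack("<HHI", len(p), len(p), offset)
        offset += len(p)
    empty = struct.pack("<HHI", 0, 0, 64)
    msg = SIGNATURE + struct.pack("<I", 3) + empty * 2 + bufs + empty
    msg += struct.pack("<I", NEGOTIATE_UNICODE) + b"".join(parts)
    return "NTLM " + base64.b64encode(msg).decode()
```

In the 10.30.19.89 logs above, the Chrome request's Type 3 message carries the domain CABLE while the Firefox request's carries a zero-length domain. Whatever is decoded is what the client sent: the posted script issues an all-zero challenge and never checks the response, so user, domain and workstation are claims rather than a verified identity.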
 