Auth Troubleshooting

This guide aims to answer the question "Help, my authentication isn't working! What's wrong?". It is specific to the latest stable branch of Apache HTTPD, version 2.2.

For more detailed reference information, see: http://httpd.apache.org/docs/2.2/howto/auth.html

Should I use .htaccess for access control?

Generally, no. There is a very common misconception that htaccess files are needed for authentication and authorisation, propped up by countless misleading guides and unfortunate naming conventions. This troubleshooter assumes that you are using the server's main configuration file(s), which is recommended whenever possible. Information for htaccess users follows later for those forced to use this mechanism.

Basic Example

This example requires a password for access to any resource on a site.

  # (other modules)
  LoadModule authn_file_module modules/mod_authn_file.so
  LoadModule authz_user_module modules/mod_authz_user.so
  LoadModule auth_basic_module modules/mod_auth_basic.so
  # (other modules)
  # (rest of the config)
  NameVirtualHost *:80
  <VirtualHost *:80>
    ServerName example.com
    DocumentRoot /svr/www/example.com
    <Location />
      AuthName "Secret Widgets"
      AuthType Basic
      AuthUserFile /etc/httpd/passwords
      Require valid-user

In order for this configuration to work, the file /etc/httpd/passwords must be created using the htpasswd utility. See htpasswd -h for help on its available options (in particular, note that the -c option should be used exactly once per file, to create the passwords file).

Users of Debian or Ubuntu Linux operating systems should check that the module configuration files for each of the three modules listed above have been symlinked from the mods-available directory to mods-enabled.

My browser continuously prompts for a password but it's never accepted!

The relevant error log should explain why this is happening. Common errors are:

The password you are attempting to use is incorrect.

Make sure the path to the AuthUserFile is a correct, absolute filesystem path.

Ensure that the user account under which apache runs is able to read the password file, and is able to access (+x) all of the file's parent directories.

Blah blah windows doesn't have crypt() or something. Use md5 instead.

Make sure mod_authn_file is loaded. This is a common problem for Debian users who upgrade from version 2.0 to 2.2 as the new/changed auth modules aren't automatically enabled.

Load your modules, silly.

My browser doesn't prompt for a password

Check context etc.

My password is accepted but I get a Permission Denied error

Check Satisfy or other permissions errors in the log.

Troubleshooting for .htaccess users

These instructions are for untrusted users who are forced to use htaccess files.

I'm not being asked for a password

If you don't get a 500 Internal Server Error, your server is not looking for htaccess files. Ask your administrator to enable AllowOverride AuthConfig for the directory containing your htaccess file.

Alternatively, it could be that your htaccess file is in the wrong directory, or is misnamed (check for leading or trailing spaces in the file name).

My password is never accepted

In addition to the instructions noted above for administrators able to edit the main server config, htaccess users should ensure that the path specified in the AuthUserFile directive is a full filesystem path, and not relative to the site's root or the htaccess file.

AuthTroubleshooter (last edited 2009-09-20 22:13:35 by localhost)