Topic: WAMP SSO

[Unix]

I am having WAMP (Windows, Apache, MySQL and PHP) installed on a web server. The
box is available within our organization network only.

I need to implement SSO (Single Sign On) for a tool to be launched for
people of our organization only (intranet users). The tool should be
able to detect automatically which intranet user is currently visiting
our site instead of asking to re-enter organization n/w username /
password. I am not sure how to implement that both at Apache and back
end code side (PHP scripts). Note if I can avail the 'USER' I can do
LDAP validation to authenticate this user.

Can anyone please guide me with some basics?

[wm003]

If you are using apache 2.2.x you can use mod_auth_sspi

Just search the forums for it.

Once enabled you can get the username in the PHP System Var $_SERVER['REMOTE_USER'], e.g. "DOMAIN\USERNAME"

[Unix]

Thanks for the details. It comes of immense useful to me.

Just a little clarification before I start the dev effort my side:

Below are the response headers from our intranet site:

Connection Keep-Alive
Content-Length 0
Content-Type text/html
Date Tue, 11 Sep 2012 06:22:00 GMT
Keep-Alive timeout=5, max=100
Server Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9 mod_jk/1.2.27 mod_perl/2.0.4 Perl/v5.10.0
X-Powered-By PHP/5.2.9

As per the various post details in the forums please correct me with details below:

I basically see 2 different links where I can download mod_auth_sspi:

http://sourceforge.net/projects/mod-auth-sspi

http://dev.nosq.com/downloads/mod_auth_sspi/

The sourceforge.net is the one I should use as my Apache version is Apache/2.2.11 (Win32) - Please confirm.

Secondly I need to build this source code file in VC++ IDE.

Also please let me know how to install the same - I mean is there any special steps to deploy it in our web server box?

[wm003]

i am using the precompiled 32 bit 1.0.5 dll from the nosq site since years and works very well for Apache 2.2.x

[Unix]

Thanks just one clarification -

Would mod_auth_sspi would work seamlessly for users coming thru different browsers installed in different OS -

OS -

Linux
MAC
Windows

Browsers -

FireFox
Chrome
IE
Opera
Safari

[James Blond]

it works only with IE on Windows (client side). With some modifications it works on Windows (client side) with Firefox.

You do you authenticate your user on the clients? LDAP? Active Directory?

[Unix]

Thanks for the prompt reply. I can verify either from LDAP or AD either one of them.

Please let me know which one would be more reliable and faster and benefit based upon our organization heterogeneous setup.

[Steffen]

At the Additional download page here is for 2.2.x a mod_auth_sspi-1.0.5-win32. Should work with Apache/2.2.11.

Steffen

[James Blond]

[wm003]

chrome also works since v17

[Unix]

Thanks for all the vital details.

Please confirm which authentication mechanism would be more beneficial - LDAP or AD? For LDAP I can verify user details thru our LDAP server but I am not sure on verifying user via AD - is there much configuration or setup that needs to do done? Will it work for all heterogeneous setup as mentioned below?

[James Blond]

Against AD you use also LDAP from the AD server.
There are some nice examples of LDAP against AD in our forum.
It is supported by almost all browsers if you use AuthType Digest

[Unix]

I have installed Apache/2.2.11 (Win32) and downloaded mod_auth_sspi-1.0.5-win32 from http://www.apachelounge.com/download/win32/modules-2.2/mod_auth_sspi-1.0.5-win32.zip. Unzip it had 3 files:

-- Build with VC9 --.txt
-- For Apache 2.2 Win32 - VC9 or VC10 --.txt
mod_auth_sspi.so

I copied mod_auth_sspi.so to C:\Program Files (x86)\Apache Software Foundation\Apache2.2\modules directory and added the below lines in Apache configuration file:

LoadModule sspi_auth_module modules/mod_auth_sspi.so

But when I tried to restart Apache the operation got failed to start Apache. C:\Program Files (x86)\Apache Software Foundation\Apache2.2\logs\error.log showed nothing - no lines in there?

Un-Commenting the LoadModule of mod_auth_sspi.so make the Apache to re-start fine.

Please let me know if you need any info or I am doing something wrong:

Content of:
-- Build with VC9 --.txt

Build with Visual Studio® 2008 SP1 (VC9) x86
--------------------------------------------

Be sure you have installed the Visual C++ 2008 SP1 Redistributable Package x86,
download and install, if you not have it already, from:

http://www.microsoft.com/download/en/details.aspx?id=5582


Content of
-- For Apache 2.2 Win32 - VC9 or VC10 --.txt

The module works with Apache 2.2 Win32 VC9 or VC10

[Unix]

Issue regarding starting Apache got resolved, I had to do two things:

Properties of files showed me that the windows has enabled a security block cause the file was copied from another computer - removed that security

Remove - file attribute E (Encrypt contents for secure data)

Re-starting after the changes with LoadModule sspi_auth_module modules/mod_auth_sspi.so enabled in Apache configuration file worked.

[Unix]

I have made some good progress but still not able to achieve the objective:

I have below config in my httpd.conf and my Apache is running at port 8181:

<Location /php/>
AuthType SSPI
AuthName "Test Login Script asks for a password:"
SSPIAuth On
SSPIAuthoritative On
SSPIDomain MYDOMAIN
SSPIOfferBasic Off
SSPIOmitDomain Off
SSPIBasicPreferred On
SSPIPerRequestAuth On
Require valid-user
</Location>

The below observations was noticed when I visit http://127.0.0.1:8181/php/:


1. For very first time even though I was already logged into my Org network I was again asked for username / password - is there a way to override this?

2. Every time I log off / shutdown and visit the location I am re-asked to enter my credentials - can this be overcome?

3. If I enter a wrong username then I get an internal server error in IE with below error logs:

[Sat Sep 15 06:55:16 2012] [error] [client 127.0.0.1] (OS 1311)There are currently no logon servers available to service the logon request. : access to /php/ failed, reason: cannot generate server context

Is there a way to overcome this?

4. I am using a PHP script to display some information of the user - is there any standard thing that I should follow?

Other than that for testing I found that once I have entered a username / password during the initial username / password authentication - then until I logoff / reboot my system I cannot make the windows security username / password to re-appear. So if I give a wrong password / user / correct I always keep getting the same result that came after accepting the details in the beginning [username / password]. Hence for testing how can I overcome these configurations?

[James Blond]

You need to set KeepAlive On.

Internet Explorer supports SSO default (last tested with IE7 and mod_sspi).

For Firefox

[list=]
[*]Open Firefox and type “about:config” in the address bar.
[*]In the ‘Filter’ field type the following “ntlm”
[*]Double click the name of the preference that we just searched for
[*]Enter the URLs of the sites you wish to pass NTLM auth info to in the form of: http://localhost
[/list]

Can't say about the other browsers.

I'm not sure if I had SSPIOfferBasic On or Off, but I think it was on.
Also set
SSPIUsernameCase lower


I think it was like ( it has been a while)