Topic: mod_auth_sspi not getting $_SERVER['REMOTE_USER']

geme4472
Joined: 08 Feb 2013 Posts: 1 Location: Minnesota
Posted: Fri 08 Feb '13 19:25 Post subject: mod_auth_sspi not getting $_SERVER['REMOTE_USER']

I know there's been a million posts on mod_auth_sspi. I've read them all, and some of them twice. However, I'm somehow still struggling to get $_SERVER['REMOTE_USER'] passed through to PHP, where I intend to use that information as the beginning of an auto-authentication script. My question is very similar to https://www.apachelounge.com/viewtopic.php?t=403
Here's the skinny. I've got a small WAMP-based application running behind a client's firewall. I'm using xampp: Apache 2.2.11, mod_auth_sspi 1.0.4, PHP 5.2.9. When I log into that server via VPN, I can see very clearly that I'm logging in as CLIENTDOMAIN\username. When I secure a location, /test.php, I'm served a 401.
Here's my declaration in httpd.conf
Code:
<directory "C:\xampp\htdocs\production">
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order Allow,Deny
Allow from all
</directory>
<Location /test.php>
AuthName "Please input your domain username and password"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOmitDomain On
SSPIOfferBasic Off
# basic authentication should have higher priority
SSPIBasicPreferred Off
SSPIUsernameCase lower
# keeps apache from writing errors
SSPIPerRequestAuth Off
SSPIOfferSSPI On
Require valid-user
</Location>
The only thing the php script is supposed to do is spit back $_SERVER, but as I stated above, I'm only getting a 401. On the upside, I'm not getting prompted with a login screen.
I've configured IE7 with the app url in the Intranet zone and done the same with FF's ntlm options in about:config.
When I look at headers in FF, it's very clear that the back/forth for NTLM is happening. Each request is actually three requests, with the third filling the Authentication: NTLM header.
Thanks in advance... I'm nearly bald trying to figure this out. ANY advice is appreciated
Here's the header output (from FF - note that I put the linebreaks in the auth header). You can see it terminate with a 401:
Code:
https://clientapp.clientdomain.com/test.php
GET /test.php HTTP/1.1
Host: clientapp.clientdomain.com
User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: lastSetting=Global%20Settings; token=a373496066f04c95c256223936186e3951c30b6bb20d0799ad03dfc6d78c226a.
0.00694444444444.4077442212; SESSf0a253849276b3837530d0913f468709=480540695b1103dd8
Cache-Control: max-age=0
HTTP/1.1 401 Authorization Required
Date: Fri, 08 Feb 2013 17:17:25 GMT
Server: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i mod_auth_sspi/1.0.4 PHP/5.2.9
WWW-Authenticate: NTLM
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
----------------------------------------------------------
https://clientapp.clientdomain.com/test.php
GET /test.php HTTP/1.1
Host: clientapp.clientdomain.com
User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: lastSetting=Global%20Settings; token=a373496066f04c95c256223936186e3951c30b6bb20d0799ad03dfc6d78c226a.0.00694444444444.4077442212; SESSf0a253849276b35b1103dfc56d211d2bf672d8
Cache-Control: max-age=0, max-age=0
Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAHIXAAAADw==
HTTP/1.1 401 Authorization Required
Date: Fri, 08 Feb 2013 17:17:26 GMT
Server: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i mod_auth_sspi/1.0.4 PHP/5.2.9
WWW-Authenticate: NTLM TlRMTVNTUAACAAAAFgAWADgAAAAFgomi3S2h+JgyCZMAAAAAAAAAAL4AvgBOAAAABgByFwAAAA9EAEUATABPAEkA
VABUAEUARgBFAEQAAgAWAEQARQBMAE8ASQBUAFQARQBGAEUARAABABQAVQBTAEYARQBEADcANQAwADIANQAEAB4A
ZABlAGwAbwBpAHQAdABlAGYAZQBkAC4AYwBvAG0AAwA0AFUAUwBGAEUARAA3ADUAMAAyADUALgBkAGUAbABvAGkA
dAB0AGUAZgBlAGQALgBjAG8AbQAFAB4AZABlAGwAbwBpAHQAdABlAGYAZQBkAC4AYwBvAG0ABwAIAIyOZiogBs4B
AAAAAA==
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
----------------------------------------------------------
https://clientapp.clientdomain.com/test.php
GET /test.php HTTP/1.1
Host: clientapp.clientdomain.com
User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: lastSetting=Global%20Settings; token=a373496066f04c95c256223936186e3951c30b6bb20d0799ad03dfc6d78c226a.0.00694444444444.4077442212; SESSf0a253849276b383753fc56d211d2bf672d8
Cache-Control: max-age=0, max-age=0, max-age=0
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAJYAAAAuAS4BrgAAABYAFgBYAAAAFAAUAG4AAAAUABQAggAAAAAAAADcAQAABYKIogY
AchcAAAAPLsytDLPt60pyWD/nA2Y9pEQARQBMAE8ASQBUAFQARQBGAEUARABHAHIAZQBnAC4ARQByAHYAaQBuAF
UAUwBGAEUARAA3ADUAMAAyADUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATg1SRuZqtpF/2BYxI0CN7wEBAAAAAAAAjI5mKiAGzgGzlDxr/EdppgAAAAACABYARABFAEwATwBJAFQAVABFAEYARQBEAAEAFABVAFMARgBFAEQANwA1ADAAMgA1AAQAHgBkAGU
AbABvAGkAdAB0AGUAZgBlAGQALgBjAG8AbQADADQAVQBTAEYARQBEADcANQAwADIANQAuAGQAZQBsAG8AaQB0AH
QAZQBmAGUAZAAuAGMAbwBtAAUAHgBkAGUAbABvAGkAdAB0AGUAZgBlAGQALgBjAG8AbQAHAAgAjI5mKiAGzgEGA
AQAAgAAAAgAMAAwAAAAAAAAAAAAAAAAMAAACxEIHnvTrzzqRoaaYm8eLNE6TTYOdm2GaxLtb7JsXD0AAAAAAAAA
AAAAAAA=
HTTP/1.1 401 Authorization Required
Date: Fri, 08 Feb 2013 17:17:26 GMT
Server: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i mod_auth_sspi/1.0.4 PHP/5.2.9
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
----------------------------------------------------------
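Added example, not part of the original posts: a small Python decoder for the NTLM header values in a capture like the one above. It reports each message's type and, for the Type 3 (AUTHENTICATE) message, the domain, user and workstation the browser sent. The function names are this example's own, and `sample_type3` builds constructed test input, not data from the thread.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\0"
TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when this flag is set


def _buf(msg, pos, enc):
    """Follow a (length, max length, offset) descriptor to its string payload."""
    length, _, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("descriptor points outside the message")
    return msg[offset:offset + length].decode(enc)


def parse_ntlm(header_value):
    """Decode the value of an Authorization / WWW-Authenticate NTLM header."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header")
    if not blob.strip():
        return {"type": "OFFER"}  # bare "WWW-Authenticate: NTLM"
    # Captures are often re-wrapped by hand, so drop embedded whitespace first.
    msg = base64.b64decode("".join(blob.split()), validate=True)
    if len(msg) < 12 or not msg.startswith(SIGNATURE):
        raise ValueError("missing NTLMSSP signature")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    info = {"type": TYPES.get(mtype, "UNKNOWN")}
    if mtype == 3 and len(msg) >= 64:
        flags = struct.unpack_from("<I", msg, 60)[0]
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
        info.update(domain=_buf(msg, 28, enc), user=_buf(msg, 36, enc),
                    workstation=_buf(msg, 44, enc))
    return info


def sample_type3(domain, user, workstation):
    """Constructed AUTHENTICATE message with empty responses (test input only)."""
    parts = [s.encode("utf-16-le") for s in (domain, user, workstation)]
    head, body, off = SIGNATURE + struct.pack("<I", 3) + bytes(16), b"", 64
    for p in parts + [b""]:  # domain, user, workstation, session key
        head += struct.pack("<HHI", len(p), len(p), off)
        body, off = body + p, off + len(p)
    blob = base64.b64encode(head + struct.pack("<I", NEGOTIATE_UNICODE) + body)
    return "NTLM " + blob.decode("ascii")
```

Run over the three `Authorization` / `WWW-Authenticate` values of a capture, it shows how far the handshake got before the final 401 and which account name the client presented. Those names are the client's claim only; the server decides the authenticated identity.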
James Blond, Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Mon 04 Mar '13 17:10

The only way I got it running was
Code:
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOfferBasic On
SSPIOmitDomain On
Require valid-user
Don't ask why, but on some of my servers it works and on others it doesn't, and that with the exact same config.
Since that happened often and SSPI has some serious security issue, I use LDAP.