Topic: Help with SSO and authentication if denied with auth_ntlm
ShaIT



Joined: 25 May 2016
Posts: 4
Location: Italy

PostPosted: Wed 16 Nov '16 20:14    Post subject: Help with SSO and authentication if denied with auth_ntlm

Hello,

I'm trying to make SSO and authorization to access a specific folder if a user belongs to a specific group.
- If the user is authorized, the SSO and authorization work right.
- If the user is not authorized (so he doesn't belong to the group), a basic authentication or WNA prompt is shown in the browser, and I don't want to show that but simply an unauthorized page (like ErrorDocument 401).

So it seems that some retry is enabled on authentication, showing an authentication request like a basic authentication form.
What do you think, how can I fix it?

I'm using Apache 2.4 on Windows Server 2012 and the module used is:

LoadModule auth_ntlm_module modules/mod_authn_ntlm.so

the config is:

<Directory "C:/myssopage">
    AllowOverride None
    DirectoryIndex page.php
    AuthName "My SSO page"
    AuthType SSPI
    NTLMAuth On
    NTLMOfferNTLM On
    NTLMOfferBasic Off
    NTLMDomain mydomainShaIT
    NTLMAuthoritative Off
    NTLMChainAuth Off
    <RequireAll>
        <RequireAny>
            require sspi-group "mydomainShaIT\mygroup"
        </RequireAny>
    </RequireAll>
    Require sspi-group

    # use this to add the authenticated username to you header
    # so any backend system can fetch the current user
    # rewrite_module needs to be loaded then

    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RequestHeader set X_ISRW_PROXY_AUTH_USER %{RU}e
    ErrorDocument 401 "<html><h1>My SSO page</h1><h2>Sorry, you don't have permission</h2>contact webmaster@mydomainShaIT.com for access or information</html>"
</Directory>

logs:

[Fri Oct 28 18:10:34.959297 2016] [auth_ntlm:debug] [pid 5716:tid 1840] mod_ntlm_authentication.c(560): SSPI00001: Entering authenticate_sspi_user()
[Fri Oct 28 18:10:34.959297 2016] [auth_ntlm:debug] [pid 5716:tid 1840] mod_ntlm_authentication.c(702): SSPI00009: Authenticated user: mydomainShaIT\\myuserShaIT
[Fri Oct 28 18:10:34.959297 2016] [auth_ntlm:error] [pid 5716:tid 1840] SSPI00003: access to /myssopage/ failed, reason: user 'mydomainShaIT\\myuserShaIT' does not meet 'require'ments for user to be allowed access
[Fri Oct 28 18:10:34.959297 2016] [auth_ntlm:debug] [pid 5716:tid 1840] mod_ntlm_authorization.c(124): SSPI00006: Access to /myssopage/ failed, reason: inconsistent SSPI record
[Fri Oct 28 18:10:34.959297 2016] [authz_core:error] [pid 5716:tid 1840] AH01631: user mydomainShaIT\\myuserShaIT: authorization failure for "/myssopage/":
[Wed Nov 16 16:50:11.684558 2016] [auth_ntlm:debug] [pid 1792:tid 1840] mod_ntlm_authorization.c(107): SSPI00005: Access to /myssopage failed, reason: No user authenticated

Thanks
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Wed 16 Nov '16 21:40    Post subject:

I'm thinking that you are not quite familiar with Apache's default of RequireAny. Any Require statement outside of any <Require*> tag defaults to RequireAny.

You have a second Require sspi-group outside of the <RequireAll/Any> containers, which, because of the default, ends up alongside your first Require directive as RequireAny. So even though the first one fails, the second one is what is popping up the prompt.

The fix, I think, should simply be getting rid of the second one, and you can also get rid of the <Require*> containers and just leave the first Require sspi-group "mydomainShaIT\mygroup" in place. This is only a guess based on other types of auth, however, since I do not have much experience with mod_authn_ntlm.
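An added example (not code from the thread or from the mod_authn_ntlm project) showing the original <Directory> block with the stray second Require removed, as glsmith suggests, plus mod_authz_core's AuthzSendForbiddenOnFailure, which makes httpd 2.4 answer a failed group check for an already authenticated user with 403 instead of a fresh 401 challenge (a 401 with WWW-Authenticate is what makes the browser re-prompt). The NTLM directives and their values are taken from the thread; the domain, group and path are placeholders.

```apache
# Added example, not the poster's configuration.
<Directory "C:/myssopage">
    AllowOverride None
    DirectoryIndex page.php

    AuthName "My SSO page"
    AuthType SSPI
    NTLMAuth On
    NTLMOfferNTLM On
    # Keep Basic off so the browser is never offered a password form.
    NTLMOfferBasic Off
    NTLMDomain MYDOMAIN
    NTLMAuthoritative Off
    NTLMChainAuth Off

    # Exactly one authorization rule. A bare "Require" after the containers
    # would be merged into the implicit <RequireAny> and evaluated on its own.
    Require sspi-group "MYDOMAIN\mygroup"

    # mod_authz_core (httpd 2.4): authenticated but not in the group -> 403,
    # not 401, so no second credential prompt. Apache's docs note this tells a
    # client that a valid credential was presented; with NTLM-only SSO and
    # Basic disabled that is the trade-off the poster is asking for.
    AuthzSendForbiddenOnFailure On
    ErrorDocument 403 "<html><h1>My SSO page</h1><h2>Sorry, you don't have permission</h2></html>"
    # Still returned when no credentials were presented at all.
    ErrorDocument 401 "<html><h1>My SSO page</h1><h2>Authentication required</h2></html>"

    # Pass the authenticated user to the backend (mod_rewrite and mod_headers
    # must be loaded).
    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RequestHeader set X_ISRW_PROXY_AUTH_USER %{RU}e
</Directory>
```

Check it with a user that is in the group (SSO succeeds silently) and one that is not (a single 403 page, no prompt); the error log should then show the AH01631 authorization failure without a following "No user authenticated" line.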
TPL



Joined: 25 Mar 2014
Posts: 24
Location: Germany, Hamburg

PostPosted: Fri 18 Nov '16 11:42    Post subject:

I use the following configuration on win 2012 R2:

Code:

# Mod Authn NTLM
# SOURCE https://www.apachehaus.com/cgi-bin/download.plx

# +++++++HARDENING-INFO++++++++++++++++++
# Security Settings - Local Policies - Security Options
#   - Network security: Restrict NTLM: Incoming NTLM traffic  --> "Allow all"
# +++++++++++++++++++++++++++++++++

<Location /MyFolder/>
    AuthName "MyFolder-Secure"
    AuthType SSPI
    NTLMAuth On
    NTLMAuthoritative On
    <RequireAll>
        <RequireAny>
            require sspi-group "DOMAIN\GROUP"
            #require sspi-user DOMAIN\USER1 DOMAIN\USER2
        </RequireAny>
        <RequireNone>
            Require user "ANONYMOUS LOGON"
            Require user "NT-AUTORITÄT\ANONYMOUS-ANMELDUNG"
        </RequireNone>
    </RequireAll>

    # use this to add the authenticated username to you header
    # so any backend system can fetch the current user
    # rewrite_module needs to be loaded then

    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RequestHeader set X_ISRW_PROXY_AUTH_USER %{RU}e

</Location>


James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Sat 19 Nov '16 10:02    Post subject:

Did you replace DOMAIN\GROUP with your real domain and group?
TPL



Joined: 25 Mar 2014
Posts: 24
Location: Germany, Hamburg

PostPosted: Mon 21 Nov '16 10:17    Post subject:

Yes, of course. This is only my example for using auth_ntlm. In my environment everything works fine.

Not really sure what ShaIT wants to do. A combination of SSO and Basic Authentication?
ShaIT



Joined: 25 May 2016
Posts: 4
Location: Italy

PostPosted: Tue 22 Nov '16 15:59    Post subject:

Thanks for all your replies.

About Require you are right, but after some days working on it something appears not visible to my eyes.

I will try the code suggested, and thanks for sharing it with me.

My goal is to allow authentication and SSO so the users shouldn't insert their credentials manually, and with my code it is working; what is not working is that, when the user doesn't belong to the group, no authentication popup will be displayed and a 401 custom page is displayed.

Thanks
ShaIT



Joined: 25 May 2016
Posts: 4
Location: Italy

PostPosted: Tue 22 Nov '16 19:44    Post subject:

Hi, I tried the code you shared with me, but in that way I lost the SSO on the client.
My code works well for that; the only issue is if the user is not enabled...