[Page 1, 2 Next]

Topic: Will there be a mod_auth_sspi for 2.4?

[1]

Topic: Will there be a mod_auth_sspi for 2.4?

[PipoDeClown]

see title

[James Blond]

I don't think so. There no develoment since a longer time. There is no longer a required function the module uses in the new Apache.

Also there are some security bugs in it.

example

[glsmith]

Credit given where credit due ... me

I've talked with the maintainer of this module about this bug and that is is not compatible with 2.4.x, we'll see if he ever gets around to it.

EDIT: changed "author" to "maintainer" since neither of the maintainers are the original author from what I know.

[James Blond]

[spsellars]

Are there any alternatives to mod_auth_sspi which will work with Apache 2.4 (using Integrated Windows Authentication)?

Unfortunately, requiring our intranet users to manually enter their usernames/passwords isn't an option, so the ldap module won't work for us. And the Kerberos modules only seem implemented on *nix systems.

The only alternative I can come up with for now is forwarding requests to a separate IIS server, starting a session with the AUTH_USER variable from there, and forwarding back to the original page. For obvious reasons I'd prefer not to go that route.

Hoping I'm missing an obvious alternative. Any ideas?

[PipoDeClown]

i'd stick with the 2.2 where sspi is working.

[markw]

Hi Folks,

We're using auth_sspi on our server but would love to move up to Apache 2.4. I was just wondering if there have been any developments in this regard yet?

Thanks!

[glsmith]

There has, but it's far from finished and it's been two months now since the was any work done to it.

[markw]

[glsmith]

Actually, to be honest, I am just assuming it's going to be 2.4 compatible. The one dev that did the 2.0.5-beta is moving to the authnz style (what the difference is I do not know) and since 2.4 is out, I would hope it's going to be 2.4 compatable.

http://mod-auth-sspi.svn.sourceforge.net/viewvc/mod-auth-sspi/branches/mod_authnz_sspi/

I talked to one of the maintainer's of record for this and he's busy with libCurl at the moment, there's a new release of that coming I guess, then he wants a break.

I'll keep hinting to him about this thought since my server that I keep some modules on, this one is the most downloaded (a few a day).

[markw]

Ah ok, that makes sense then. Thanks for your efforts and the information.

[glsmith]

Friday, August 24, 2012 12:44 AM PST

I should have one out sometime this weekend.

I've built it in x86 & x64, I've tested it in x86 so far. It doesn't work on XP, that is for sure. It is working fine on my Vista x86 however. I'll be testing it on Win7 x64 maybe tomorrow (well today since it's almost 1am here).

[wm003]

Great News! Thanks a lot for your effort.

Our company still has a lot of XP-developer machines until next summer (yes, we will finally upgrade to Win7!) , but as long as it works unter Windows Server 2003 (maybe not, because of XP-Kernal?) and Windows Server 2008, i am really looking forward to that, so i can finally test and migrate to apache 2.4.x

[Mandeep]

Hi glsmith and wm003,

Did anyone of you managed to get it working? I have a live server working fine with mod_auth_sppi on Apache 2.2. Its been in place for about 3 years and works like a charm.

However as part of server upkeep and maintenance, we decided to upgrade t Apache 2.4 and PHP 5.4 with new instance of mysql. One of the key requirements for intranet users is the need to auto login. Mod_auth_sspi is something I need desperately to be working with 2.4 for this upgrade to happen. Can you guys please put me in the right direction if you managed to implement this successfully!

Many Thanks
Mandeep

[PipoDeClown]

found a binary on Apachehaus for 2.4
https://www.apachehaus.net/modules/mod_authnz_sspi/
havent tested it myself yet

[Mandeep]

Hi,

I have now managed to get it working. It needed few tweaks but finally managed to automatically log the users on to the intranet.

If anyone needs help with this, contact me.

I will soon put some config and sample code together and post it here.

Regards
Mandeep

[James Blond]

Please post your code

[Mandeep]

So, Just to give everyone a refresher on this. With Apache 2.2 the mod_auth_sspi.so module can be used to auto login users by getting their AD credentials ( logged on user on the client machine). This method is very useful when you are working on an intranet.

With Apache2.4 this module is broken and does not work. If you are upgrading to 2.4 and need this to work, you have to make some changes. The below steps are for windows 2008 R2, Running Apache 2.4 (32 bit version)

Follow these steps to get this working:

1: Download the module from here
https://www.apachehaus.net/modules/mod_authnz_sspi/
(x86 for 32 bit and x64 for 64 bit apache)
2: Copy the mod_authnz_sspi.so from Apache24>>modules folder and place it in the modules folder of your Apache folder on your webserver
3: Under the httpd.conf file (Config file for your apache) place this line of code. Try to load this as the last module
LoadModule authnz_sspi_module modules/mod_authnz_sspi.so
4: Make sure that the following modules are uncommented
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_core_module modules/mod_authz_core.so
PS:- both the above modules are required for this to work.
5: Place the following code in your httpd.conf file
<Directory "path/to/your/secure/folder">
Options None
AllowOverride All
Order allow,deny
Allow from all
#AuthName "SSPI Protected Place"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOfferBasic On
SSPIOmitDomain On
Require valid-user
</Directory>
6: Restart your apache servive and hopefully it should restart without any issues.

7: Now in order to recognise the user , use the following code on a php page (index/main page for internal users)

$cred = explode('\\',$_SERVER['REMOTE_USER']);
if (count($cred) == 1) array_unshift($cred, "(no domain info - perhaps SSPIOmitDomain is On)");
list($domain, $user) = $cred;

echo "You appear to be user <B>$user</B><BR/>";
echo "logged into the Windows NT domain <B>$domain</B><BR/>";

You should now be able to see the logged on user. Once this is completed you can write SQL/MYSQL queries to identify the user type and redirect them to their appropriate pages/section of the intranet. I would set the Session variables once I have identified the user and queries their information to personalise their intranet pages.

Hope this will be helpful and save people several hours of effort.

Regards
Mandeep

[James Blond]

The auth config is the old one. The my_cfg.txt in the zip shows the new one from apache 2.4

[glsmith]

Nice to have some confirmation this module works, thank you!

As James said, this is the old 2.2 style access control:
Order allow,deny
Allow from all

In 2.4, that can still be used if and only if mod_access_compat is loaded (which is the default it seems), but if you start using the new style of access granting throughout your config, you can remove the access_compat module, save a shred or two of ram and probably gain a little performance since it doesn't have to be translated every request.

Require all granted

does the same in 2.4 as 2.2's
Order allow,deny
Allow from all