
Seamless authentication

Rich2k edited this page Apr 15, 2013 · 1 revision

Seamless authentication, or Single Sign On (SSO), means the browser authenticates the user automatically using the credentials of their Windows logon. The password itself is never sent across the wire: the exchange is a challenge/response in which the client proves it holds a hash derived from the password, and on Linux it is Samba (winbind) that verifies that response against the domain. The protocol Microsoft uses to provide seamless browser authentication in a Windows domain is called NTLM; in a modern domain the browser will usually offer Kerberos via Negotiate first and fall back to NTLM. More information on NTLM and the associated technologies is available at Wikipedia. Both Microsoft Internet Explorer and Mozilla Firefox support NTLM (Firefox will only answer a challenge without prompting once the site is listed in network.automatic-ntlm-auth.trusted-uris).

There are hundreds of ways to do LDAP authentication and just as many Apache modules, but the adLDAP project only covers open source modules and methods that authenticate the user automatically, without third-party plugins on the client side.

Seamless authentication methods include:

  • mod_auth_ntlm_winbind (apache/linux)
  • mod_auth_kerb (apache/linux)
  • Apache on Windows with mod_auth_sspi (apache/windows)
  • Use IIS/PHP for everything (iis/windows)
  • Mod_NTLM (apache/linux)
  • Token Authentication with IIS (iis/windows)

mod_auth_ntlm_winbind is the only one of these we know of as a production-standard solution. It is not a complete solution, though: it only gives you the authenticated username (in REMOTE_USER) and basic access control on the directory. Use mod_auth_ntlm_winbind to establish who the user is, and adLDAP to do whatever the application then needs against Active Directory (group membership, AD manipulation, etc).
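Here is an added example of that split in PHP (it is not adLDAP project code): the module has already authenticated and set REMOTE_USER, and the application normalises that value and asks Active Directory for group membership. It assumes the adLDAP 4.x API (new adLDAP(array(...)) and $adldap->user()->inGroup()), and the domain names, base DN, bind account and group name are placeholders for your own environment; run it from the command line to see the normalisation on constructed inputs without touching a domain controller.

```php
<?php
// Added example, not adLDAP project code. Assumptions: adLDAP 4.x API
// ($adldap->user()->inGroup()); "CORP" / corp.example.com, the base DN,
// the bind account and the group name are placeholders.

// winbind hands over DOMAIN\user (or DOMAIN+user, depending on the
// "winbind separator" in smb.conf); mod_auth_kerb hands over user@REALM.
// Reduce both to a bare sAMAccountName, and refuse anything from a domain
// other than the one we expect instead of silently trusting it.
function normaliseRemoteUser($remoteUser, array $allowedDomains) {
    if (preg_match('/^([^\\\\+]+)[\\\\+]([^\\\\+]+)$/', $remoteUser, $m)) {
        $domain = $m[1]; $user = $m[2];
    } elseif (preg_match('/^([^@]+)@([^@]+)$/', $remoteUser, $m)) {
        $user = $m[1]; $domain = $m[2];
    } else {
        return null;                                  // no domain qualifier at all
    }
    $allowed = array_map('strtoupper', $allowedDomains);
    if (!in_array(strtoupper($domain), $allowed, true)) {
        return null;                                  // trusted or foreign domain
    }
    // Conservative charset, because the value ends up inside an LDAP filter.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user)) {
        return null;
    }
    return $user;
}

$allowedDomains = array('CORP', 'CORP.EXAMPLE.COM');

if (php_sapi_name() === 'cli') {
    // Constructed inputs for an offline run; none of these reach a DC.
    foreach (array('CORP\\jsmith', 'CORP+jsmith', 'jsmith@corp.example.com',
                   'OTHERDOM\\jsmith', 'jsmith', 'CORP\\j*(smith)') as $raw) {
        $u = normaliseRemoteUser($raw, $allowedDomains);
        printf("%-26s -> %s\n", $raw, $u === null ? 'REJECT' : $u);
    }
    exit;
}

// Web path: REMOTE_USER is only trustworthy because Apache set it, i.e. this
// directory is behind "Require valid-user". Never fall back to a query
// parameter or request header, which the browser could supply itself.
session_start();
if (empty($_SERVER['REMOTE_USER'])) {
    header('HTTP/1.1 401 Unauthorized');
    exit;
}
$username = normaliseRemoteUser($_SERVER['REMOTE_USER'], $allowedDomains);
if ($username === null) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}

require_once 'adLDAP/src/adLDAP.php';
$adldap = new adLDAP(array(
    'account_suffix'     => '@corp.example.com',
    'base_dn'            => 'DC=corp,DC=example,DC=com',
    'domain_controllers' => array('dc1.corp.example.com'),
    'admin_username'     => 'svc-intranet-ldap',        // read-only lookup account
    'admin_password'     => getenv('ADLDAP_BIND_PASSWORD'),
    'use_tls'            => true,
));
// The web server only established identity; the authorisation decision
// stays in the application.
if (!$adldap->user()->inGroup($username, 'Intranet Editors')) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}
$_SESSION['username'] = $username;
```

The point of refusing a foreign domain rather than stripping the prefix is that a trusted domain's user with the same sAMAccountName would otherwise be looked up, and authorised, as your own.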

mod_auth_ntlm_winbind

mod_auth_ntlm_winbind is a project coming out of the wonderful world of Samba. Basically mod_auth_ntlm_winbind has taken the reins from Mod_NTLM because they're probably the most qualified to do so :)

It's not a 5 second answer; the amount of configuration is unfortunate but necessary, and it does work.

  1. Install Samba 3, Kerberos, SSL (just use apt/up2date/yum/emerge etc)
  2. Configure Kerberos, Winbind, and Samba
  3. Setup Apache and PHP
  4. Setup mod_auth_ntlm_winbind

The fine print: mod_auth_ntlm_winbind does not work over HTTPS. Redirect the user to HTTP for the authentication step, then redirect them back into HTTPS once the username is in the session. Bear in mind that a session cookie issued on the HTTP leg travels in the clear, so treat it as a one-shot hand-off and start a fresh session on the HTTPS side.
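As an added example of step 4 (this is not configuration shipped by the mod_auth_ntlm_winbind or adLDAP projects), a plain-HTTP vhost wired to the ntlm_auth helper that ships with Samba. The host name, document root and helper path are placeholders; on Debian-style systems the Apache user must also be a member of the winbindd_priv group so it can read winbind's privileged pipe.

```apache
# Added example, not from the mod_auth_ntlm_winbind or adLDAP projects.
# Placeholders: intranet.example.local, /var/www/intranet, /usr/bin/ntlm_auth.
<VirtualHost *:80>
    ServerName intranet.example.local
    # NTLM authenticates the TCP connection, not the request, so the
    # connection has to stay open across the three-leg handshake.
    KeepAlive On

    <Directory /var/www/intranet>
        AuthName "Intranet"
        AuthType NTLM
        NTLMAuth On
        NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
        # No Basic fallback on a plain-HTTP vhost: that would put the
        # password itself on the wire, which NTLM exists to avoid.
        NTLMBasicAuth Off
        NTLMBasicAuthoritative On
        Require valid-user
    </Directory>
</VirtualHost>
```

Once this leg has set REMOTE_USER, the PHP under it does the redirect back to the HTTPS vhost described in the fine print.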

mod_auth_kerb

The mod_auth_kerb information here is incomplete; people are encouraged to contribute to this area. See the links below for more information.

  1. Install Kerberos, SSL (just use apt/up2date/yum/emerge etc)
  2. Configure Kerberos
  3. Setup Apache and PHP
  4. Setup mod_auth_kerb

The fine print: mod_auth_kerb requires an AD user account for each HTTP host name, with the HTTP/hostname service principal mapped to it (eg. if there are 10 domains on the web server, you will need to set up 10 user accounts). Delegation authority on that account is only needed if the web application must act on the user's behalf towards another service.
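As an added example of step 4 (not configuration from the mod_auth_kerb or adLDAP projects), the directory block plus the ktpass command that produces its keytab on a domain controller. The realm, host name, service account and keytab path are placeholders.

```apache
# Added example, not from the mod_auth_kerb or adLDAP projects.
# Placeholders: CORP.EXAMPLE.COM, intranet.example.local, svc-http-intranet.
#
# Keytab: run on the DC, once per HTTP host name (hence one account per name):
#   ktpass -princ HTTP/intranet.example.local@CORP.EXAMPLE.COM \
#          -mapuser CORP\svc-http-intranet -crypto AES256-SHA1 \
#          -ptype KRB5_NT_PRINCIPAL -pass * -out http.keytab
# then copy http.keytab to the web server, readable by the Apache user only.
<Directory /var/www/intranet>
    AuthName "Intranet"
    AuthType Kerberos
    KrbMethodNegotiate On
    # Off: never prompt for a password and check it against the KDC; that
    # would turn seamless SSO back into Basic authentication.
    KrbMethodK5Passwd Off
    KrbAuthRealms CORP.EXAMPLE.COM
    KrbServiceName HTTP
    Krb5KeyTab /etc/apache2/http.keytab
    # REMOTE_USER arrives as user@CORP.EXAMPLE.COM; leaving the realm on
    # lets the application check it rather than trusting any realm.
    KrbLocalUserMapping Off
    # The ticket only needs to be kept if PHP will act as the user.
    KrbSaveCredentials Off
    Require valid-user
</Directory>
```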

More information on mod_auth_kerb is available at the project website http://modauthkerb.sourceforge.net/. Information on implementing mod_auth_kerb with Active Directory is available at http://grolmsnet.de/kerbtut/

See also: http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/

Here's an example on how to achieve seamless authentication in DokuWiki by using mod_auth_kerb and adLDAP: http://www.dokuwiki.org/auth:ad

Apache on Windows with mod_auth_sspi

mod_auth_sspi can provide seamless authentication for Apache on Windows. It is relatively undocumented, though, and we haven't tried it, so please refer to http://mod-auth-sspi.sourceforge.net/ for more information.

This configuration is working for me: mod_auth_sspi v1.0.4, Apache v2.2.16 with SSL (I'm using HTTPS), PHP 5.3.3.

<Directory "path_to_site">
  # Apache 2.2 access control (Order/Allow); 2.4 uses "Require all granted"
  Order deny,allow
  Allow from all

  AuthName "Intranet"
  AuthType SSPI
  SSPIAuth On
  SSPIAuthoritative On
  # Basic fallback for clients that cannot do NTLM/Negotiate; only acceptable
  # because this site is served over HTTPS
  SSPIOfferBasic On
  #BEGIN VERY IMPORTANT prevents IE from dropping post requests
  SSPIPerRequestAuth On
  #END VERY IMPORTANT
  require valid-user

  # Indexes enables directory listings; drop it unless you want them
  Options Indexes FollowSymLinks
  AllowOverride All
</Directory>

The web server must be joined to the domain.

IIS/PHP

Format the machine and install Linux (recommended), or remove anonymous access from the directory in the IIS management console so that IIS performs the Windows (NTLM) authentication itself; the username is then available to PHP in $_SERVER["LOGON_USER"]. It is empty while anonymous access is still enabled, so check for it rather than assume it.

Seamless authentication with Apache on Windows is covered above under mod_auth_sspi.

Token Authentication with IIS

IIS and NTLM authentication "just work". If you can't skin the cat, find someone else to do it for you. This was really a roundabout solution until mod_auth_ntlm_winbind was released.

This is a basic breakdown. Although most people wouldn't use it in production anymore, it's an interesting way of doing authentication.

  1. Find a spare ("pleb") Windows machine to do the authentication
  2. Install IIS/PHP on it
  3. Enable the OpenSSL extension in that machine's php.ini and restart IIS
  4. Install OpenSSL on the (Apache) web server
  5. Generate an RSA key pair
  6. Install Apache/PHP on the web server (requires OpenSSL support compiled into PHP)

The flow is then:

  • The browser arrives at the Apache web server, which generates a random string, stores it in the session, encrypts and base64-encodes it, and redirects the browser to the IIS server with the encoded token.
  • The IIS server authenticates the user, decodes and decrypts the token, adds the username to it, encrypts and encodes the new token, and redirects the browser back to the Apache server with it.
  • The Apache server decodes and decrypts the token, checks the random string against the one in the session, stores the username in the session, and redirects to the menu.
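The three legs above, as an added example in PHP with both servers simulated in one process so it runs offline (this is not code from the adLDAP project or from the original author's setup). It assumes things the description leaves open: each server has its own RSA key pair rather than sharing one, every token is encrypted to the receiver's public key and signed with the sender's private key so the browser in the middle cannot forge a username into it, and a nonce is single-use and expires after TOKEN_TTL seconds. The host names and script paths are placeholders, and hash_equals needs PHP 5.6 or later.

```php
<?php
// Added example, not adLDAP project code. Assumptions: two RSA key pairs
// (one per server); tokens are encrypted to the receiver and signed by the
// sender; nonces are single-use and expire. Host names are placeholders.

define('TOKEN_TTL', 60);

function genKeyPair() {
    $res = openssl_pkey_new(array(
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ));
    openssl_pkey_export($res, $priv);                // PEM private key
    $details = openssl_pkey_get_details($res);
    return array('priv' => $priv, 'pub' => $details['key']);
}

function b64url($bin)     { return rtrim(strtr(base64_encode($bin), '+/', '-_'), '='); }
function b64urlDecode($s) { return base64_decode(strtr($s, '-_', '+/')); }

// Encrypt the payload to the receiver, then sign the ciphertext as the sender.
function sealToken(array $payload, $receiverPub, $senderPriv) {
    $plain = json_encode($payload);                  // far below one RSA block
    if (!openssl_public_encrypt($plain, $ct, $receiverPub, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encrypt failed');
    }
    if (!openssl_sign($ct, $sig, $senderPriv, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('sign failed');
    }
    return b64url($ct) . '.' . b64url($sig);
}

// Check the signature before touching the ciphertext; null on any failure.
function openToken($token, $senderPub, $receiverPriv) {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) return null;
    $ct  = b64urlDecode($parts[0]);
    $sig = b64urlDecode($parts[1]);
    if (openssl_verify($ct, $sig, $senderPub, OPENSSL_ALGO_SHA256) !== 1) return null;
    if (!openssl_private_decrypt($ct, $plain, $receiverPriv, OPENSSL_PKCS1_OAEP_PADDING)) return null;
    $payload = json_decode($plain, true);
    return is_array($payload) ? $payload : null;
}

// Leg 1, Apache: mint a nonce, keep it in the session, send the browser to IIS.
function apacheStart(array &$session, $iisPub, $apachePriv) {
    $nonce = bin2hex(openssl_random_pseudo_bytes(16));
    $session['sso_nonce']  = $nonce;
    $session['sso_issued'] = time();
    $token = sealToken(array('nonce' => $nonce), $iisPub, $apachePriv);
    return 'https://auth.example.local/sso/auth.php?token=' . rawurlencode($token);
}

// Leg 2, IIS (anonymous access disabled, so NTLM has already run and
// $_SERVER['LOGON_USER'] is set): echo the nonce back with the username.
function iisRespond($token, $logonUser, $apachePub, $iisPriv) {
    $in = openToken($token, $apachePub, $iisPriv);
    if ($in === null || !isset($in['nonce'])) return null;     // not from Apache
    $out = sealToken(array('nonce' => $in['nonce'], 'user' => $logonUser), $apachePub, $iisPriv);
    return 'https://intranet.example.local/sso/return.php?token=' . rawurlencode($out);
}

// Leg 3, Apache: verify, bind the token to this session via the nonce, log in.
function apacheFinish(array &$session, $token, $iisPub, $apachePriv) {
    $in = openToken($token, $iisPub, $apachePriv);
    if ($in === null || !isset($in['nonce'], $in['user'])) return false;
    if (!isset($session['sso_nonce'], $session['sso_issued'])) return false;
    $fresh = (time() - $session['sso_issued']) <= TOKEN_TTL;
    $match = hash_equals($session['sso_nonce'], (string) $in['nonce']);
    unset($session['sso_nonce'], $session['sso_issued']);    // single use, pass or fail
    if (!$fresh || !$match) return false;
    $session['username'] = (string) $in['user'];
    return true;
}

// Offline walk-through with both servers simulated in this process.
$apache  = genKeyPair();
$iis     = genKeyPair();
$session = array();                                          // stands in for $_SESSION
$toIis = apacheStart($session, $iis['pub'], $apache['priv']);
parse_str(parse_url($toIis, PHP_URL_QUERY), $q1);
$toApache = iisRespond($q1['token'], 'CORP\\jsmith', $apache['pub'], $iis['priv']);
parse_str(parse_url($toApache, PHP_URL_QUERY), $q2);
echo 'first presentation: ', apacheFinish($session, $q2['token'], $iis['pub'], $apache['priv']) ? 'accepted' : 'rejected', "\n";
echo 'session user: ', isset($session['username']) ? $session['username'] : '(none)', "\n";
echo 'replay of same token: ', apacheFinish($session, $q2['token'], $iis['pub'], $apache['priv']) ? 'accepted' : 'rejected', "\n";
```

Encryption alone, which is all the description asks for, proves nothing about who produced the token; the signature is what stops anyone holding the public keys from minting a token with a username of their choice, and the nonce in the session is what stops a valid token being replayed into a different browser's session.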

Mod_NTLM

Mod_NTLM works, but only some of the time in a Windows 2000 or later environment, although it probably works quite well with NT4. Some issue prevents it from working every time, and when it doesn't authenticate correctly the user gets a username/password/domain login dialogue. The user keeps putting in their password, you start getting account lockouts, and even after you unlock the account you may still not get them in. This may not be Mod_NTLM's fault; I (scott) suspect it's some problem caused by Internet Explorer's header authentication changing between versions, but either way it's not something you could put in production.

The Mod_NTLM project appears to have been superseded by mod_auth_ntlm_winbind.

Mod_NTLM is available at http://modntlm.sourceforge.net.