Topic: Will there be a mod_auth_sspi for 2.4? (Page 2)
Roobix



Joined: 26 Sep 2012
Posts: 1

Posted: Wed 26 Sep '12 18:14

Hello all,

I'm working on a side project at work building an intranet. We are using Windows Server 2008, Xampp 1.8, Apache 2.4.2, Joomla 2.5.7.

So far I have been able to get the Joomla login system to work with LDAP and people can log into the Joomla site using their regular Windows sign in credentials no problem.

Trying to implement SSO is the part that's giving me some trouble. I added the module Mandeep posted, mod_authnz_sspi. I believe I have it configured correctly as Apache starts without issues.

Joomla site is installed at:
C:/xampp/htdocs/intranet

I added the php code to C:/xampp/htdocs/intranet/index.php

However, when I visit the site, the browser still prompts me for my login information instead of automatically signing me in.
Is there something I'm missing or misunderstanding?

Thanks in advance for any help!
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

Posted: Tue 02 Oct '12 17:23

In the readme there is a hint to my_cfg.txt.

There you find:

Quote:

# Should you need to force the login prompt, uncomment the next line
# SSPIBasicPreferred On


Since you enabled that, I think that is why you get the popup.
Back to top
markw



Joined: 24 Nov 2011
Posts: 7
Location: UK

Posted: Mon 29 Oct '12 13:25

I've tried this out on our test server but it looks like it won't be a goer for production just yet. I am finding that when I try to authenticate with Moodle via SSPI the page sometimes fails to load or at other times hangs indefinitely.

I've tried a more basic whoami page which seems to be working as expected, but unfortunately when it comes to full scale application something is going rather wrong.

I tried to register over at Apache Haus Forums to see if I could give any more useful feedback than this, but those forums won't let me register since I have a gmail address (rare I know :P).
Back to top
admin
Site Admin


Joined: 15 Oct 2005
Posts: 677

Posted: Mon 29 Oct '12 13:35

The guys from AH are around here at AL, so you can post it here.
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Mon 29 Oct '12 21:26

See the solution posted here and see if that helps you.

http://sourceforge.net/projects/mod-auth-sspi/forums/forum/550583/topic/4868892

This same solution is posted here but I cannot find it at the moment.
Back to top
neongrau



Joined: 24 Apr 2013
Posts: 8

Posted: Wed 24 Apr '13 11:29

Mandeep wrote:

Follow these steps to get this working:
...SNIP


Hello!

Hoping to get rid of "the type-your-credentials-correctly-at-first-try-or-restart-your-browser" behavior of the old mod_auth_sspi with Apache 2.2.x, I followed Mandeep's instructions, but sadly I cannot get the module to work.

When trying to start httpd (via command line) I get this:
Code:
httpd: Syntax error on line 112 of D:/apache24/conf/httpd.conf: Can't locate API module structure `sspi_authnz_module' in file D:/apache24/modules/mod_authnz_sspi.so: No error


I got a Windows Server 2008 (Web Edition) 32-bit
with "httpd-2.4.4-win32-VC9" downloaded from Apache Lounge.

The module I tried to get working is "mod_authnz_sspi-0.1.0a1-2.4.x-x86.zip" which supposedly was built with VC9 as well.

Also tried the VC11 Apache build but absolutely the same error there (didn't really expect this to work but I had to try).

Any idea what I did wrong? Or what I could do?

Regards,
Ralf
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Wed 24 Apr '13 12:08

authnz_sspi_module not sspi_authnz_module so you need
LoadModule authnz_sspi_module modules/mod_authnz_sspi.so
Back to top
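
An added example, not part of the thread or of the module's distribution: the "Can't locate API module structure" error above means the identifier on the LoadModule line is not a symbol exported by the file it points at. The Python sketch below checks each LoadModule line by searching the module binary for the identifier as a NUL-terminated name; the byte-scan heuristic, the function names and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

LOADMODULE = re.compile(r'^\s*LoadModule\s+(\S+)\s+"?([^"\s]+)"?', re.IGNORECASE)


def exports_symbol(binary: bytes, ident: str) -> bool:
    # Exported names sit in the binary as NUL-terminated ASCII strings; require a
    # non-identifier byte before the name so "sspi_module" cannot match the tail
    # of "authnz_sspi_module". Heuristic only, not a PE export-table parser.
    pattern = rb"(?<![A-Za-z0-9_])" + re.escape(ident.encode("ascii")) + rb"\x00"
    return re.search(pattern, binary) is not None


def check_loadmodules(conf_text: str, server_root: str):
    """Return (line_no, identifier, status) for each active LoadModule line."""
    results = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        m = LOADMODULE.match(line)
        if not m:
            continue  # comments and other directives
        ident, rel = m.groups()
        path = Path(rel) if Path(rel).is_absolute() else Path(server_root) / rel
        if not path.is_file():
            status = "missing-file"
        elif exports_symbol(path.read_bytes(), ident):
            status = "ok"
        else:
            status = "symbol-not-found"  # httpd: "Can't locate API module structure"
        results.append((line_no, ident, status))
    return results


def demo():
    # Constructed stand-ins for the module binary and for httpd.conf.
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "modules").mkdir()
        (Path(root) / "modules" / "mod_authnz_sspi.so").write_bytes(
            b"MZ\x90\x00" + b"\x00authnz_sspi_module\x00" + b"\xff" * 16)
        conf = (
            "# LoadModule foo_module modules/mod_foo.so\n"
            "LoadModule sspi_authnz_module modules/mod_authnz_sspi.so\n"
            "LoadModule authnz_sspi_module modules/mod_authnz_sspi.so\n"
            "LoadModule authn_core_module modules/mod_authn_core.so\n"
        )
        return check_loadmodules(conf, root)


if __name__ == "__main__":
    for row in demo():
        print(row)
```
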
neongrau



Joined: 24 Apr 2013
Posts: 8

Posted: Wed 24 Apr '13 13:34

Interesting, I took the LoadModule line from the mod_auth_sspi.conf example that came with the module.

Thanks a lot for that!
I wouldn't have noticed. :oops:

My Proxy-Balancing doesn't yet work but I can at least test the authentication which sadly seems to suffer from the same issue as the old 2.2 Module. When mistyping your login/password you have to restart the browser to get another try *sigh*
Back to top
neongrau



Joined: 24 Apr 2013
Posts: 8

Posted: Wed 24 Apr '13 14:01

Any chance that there is a way to tell Apache to forget the (wrong) credentials and allow another try to login?

Or is this a module issue?
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Wed 24 Apr '13 20:32

oops ... typo in the sample conf

Not sure, if this is the same issue as mod_auth_sspi on 2.2, I'd assume it's in the module.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

Posted: Thu 25 Apr '13 15:12

neongrau wrote:
Any chance that there is a way to tell Apache to forget the (wrong) credentials and allow another try to login?

Or is this a module issue?


This is a problem that comes from the HTTP specification (section 15.6):

Existing HTTP clients and user agents typically retain authentication information indefinitely. HTTP/1.1. does not provide a method for a server to direct clients to discard these cached credentials.

On the other hand, section 10.4.2 says:

If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity might include relevant diagnostic information.

In other words, you may be able to show the login box again (as @Karsten says), but the browser doesn't have to honor your request - so don't depend on this (mis)feature too much.
Back to top
neongrau



Joined: 24 Apr 2013
Posts: 8

Posted: Thu 25 Apr '13 15:24

So most of all browsers still just ignore the failed login and leave it be.

Only Chrome (at least on OS X) will again offer the login dialog on manual reload.
Firefox, Safari and IE so far will only repeatedly show the 401 error message.
Back to top
neongrau



Joined: 24 Apr 2013
Posts: 8

Posted: Thu 04 Jul '13 14:25

The company I work for now has a working 2.4 module which solved all our issues.

If you're interested, see this thread:

http://www.apachelounge.com/viewtopic.php?p=25073
Back to top
ganeshvenugopal



Joined: 15 Dec 2016
Posts: 1
Location: India

Posted: Fri 16 Dec '16 8:33    Post subject: Will there be a mod_auth_sspi for 2.4?

Hi Mandeep,

I have followed the steps that you have mentioned, it is asking for username and password but could not take it further. Please let me know what is missing, it will be very helpful if you provide information on this.

Received 403 error:
Forbidden

You don't have permission to access /Insiderqa_calendar/ on this server.
Apache/2.4.23 (Win64) mod_authnz_sspi/0.1.0 PHP/5.6.25 Server at localhost Port 80

My configuration in conf/httpd.conf:

LoadModule authnz_sspi_module modules/mod_authnz_sspi.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_core_module modules/mod_authz_core.so

<Directory "D:\wamp64\www\Insiderqa_calendar">
Options None
Require all granted
Order allow,deny
Allow from all
#AuthName "SSPI Protected Place"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOfferBasic On
SSPIOmitDomain On
Require valid-user
</Directory>
Back to top
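
An added example, not part of the thread and not the module's own tooling: a small Python lint run over the `<Directory>` block posted above. It flags settings whose effect is documented Apache 2.4 or HTTP behaviour (legacy `Order`/`Allow` mixed with `Require`, bare `Require` lines being OR-ed, Basic fallback sending the Windows password Base64-encoded) plus the `SSPIBasicPreferred On` prompt quoted earlier in the thread; the finding names are made up for this sketch and it does not try to diagnose the 403.

```python
# Constructed input: the <Directory> block from the post above, copied verbatim.
POSTED = r'''
<Directory "D:\wamp64\www\Insiderqa_calendar">
Options None
Require all granted
Order allow,deny
Allow from all
#AuthName "SSPI Protected Place"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOfferBasic On
SSPIOmitDomain On
Require valid-user
</Directory>
'''


def lint_directory(block: str):
    """Return a sorted list of finding codes for one <Directory> block."""
    directives = []
    for raw in block.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue  # blank lines, comments, section open/close tags
        name, *rest = line.split()
        directives.append((name.lower(), " ".join(rest).lower()))
    names = {n for n, _ in directives}
    requires = [a for n, a in directives if n == "require"]
    findings = set()
    if names & {"order", "allow", "deny"} and requires:
        # 2.2-style mod_access_compat directives next to 2.4 Require lines
        findings.add("mixed-2.2-and-2.4-access-control")
    if "all granted" in requires and len(requires) > 1:
        # bare Require lines form an implicit RequireAny, so this one suffices
        findings.add("require-all-granted-makes-auth-redundant")
    if ("sspiofferbasic", "on") in directives:
        # Basic credentials are only Base64-encoded; readable without TLS
        findings.add("basic-fallback-enabled")
    if ("sspibasicpreferred", "on") in directives:
        # per the module's sample config, this forces the login prompt
        findings.add("basic-preferred-forces-prompt")
    return sorted(findings)


if __name__ == "__main__":
    print(lint_directory(POSTED))
```
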

