Roobix
Joined: 26 Sep 2012 Posts: 1
|
Posted: Wed 26 Sep '12 18:14 Post subject: |
|
|
Hello all,
I'm working on a side project at work building an intranet. We are using Windows Server 2008, Xampp 1.8, Apache 2.4.2, Joomla 2.5.7
So far I have been able to get the Joomla login system to work with LDAP and people can log into the Joomla site using their regular Windows sign in credentials no problem.
Trying to implement SSO is the part that's giving me some trouble. I added the module Mandeep posted, mod_authnz_sspi. I believe I have it configured correctly as Apache starts without issues.
Joomla site is installed at:
C:/xampp/htdocs/intranet
I added the php code to C:/xampp/htdocs/intranet/index.php
However, when I visit the site, the browser still prompts me for my login information instead of automatically signing me in.
Is there something I'm missing or misunderstanding?
Thanks in advance for any help! |
|
|
James Blond Moderator

Joined: 19 Jan 2006 Posts: 7405 Location: EU, Germany, Next to Hamburg
|
Posted: Tue 02 Oct '12 17:23 Post subject: |
|
|
In the readme there is a hint to my_cfg.txt.
There you find
Quote: |
# Should you need to force the login prompt, uncomment the next line
# SSPIBasicPreferred On
|
Since you enabled that, I think that is why you get the popup |
|
|
markw
Joined: 24 Nov 2011 Posts: 7 Location: UK
|
Posted: Mon 29 Oct '12 13:25 Post subject: |
|
|
I've tried this out on our test server but it looks like it won't be a goer for production just yet. I am finding that when I try to authenticate with Moodle via SSPI the page sometimes fails to load or at other times hangs indefinitely.
I've tried a more basic whoami page which seems to be working as expected, but unfortunately when it comes to full scale application something is going rather wrong.
I tried to register over at Apache Haus Forums to see if I could give any more useful feedback than this, but those forums won't let me register since I have a gmail address (rare, I know). |
|
|
admin Site Admin

Joined: 15 Oct 2005 Posts: 702
|
Posted: Mon 29 Oct '12 13:35 Post subject: |
|
|
The guys from AH are around here at AL, so you can post it here. |
|
|
glsmith Moderator

Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
|
|
neongrau
Joined: 24 Apr 2013 Posts: 8
|
Posted: Wed 24 Apr '13 11:29 Post subject: |
|
|
Mandeep wrote: |
Follow these steps to get this working:
...SNIP
|
Hello!
Hoping to get rid of "the type-your-credentials-correctly-at-first-try-or-restart-your-browser" behavior of the old mod_auth_sspi with Apache 2.2.x,
I followed Mandeep's instructions, but sadly I cannot get the module to work.
When trying to start httpd (via command line) I get this:
Code: | httpd: Syntax error on line 112 of D:/apache24/conf/httpd.conf: Can't locate API module structure `sspi_authnz_module' in file D:/apache24/modules/mod_authnz_sspi.so: No error |
I got a Windows Server 2008 (Web Edition) 32-bit
with "httpd-2.4.4-win32-VC9" downloaded from Apache Lounge.
The module I tried to get working is "mod_authnz_sspi-0.1.0a1-2.4.x-x86.zip", which supposedly was built with VC9 as well.
I also tried the VC11 Apache build but got absolutely the same error there (I didn't really expect this to work, but I had to try).
Any idea what I did wrong or what I could do?
Regards,
Ralf |
|
|
glsmith Moderator

Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Wed 24 Apr '13 12:08 Post subject: |
|
|
authnz_sspi_module not sspi_authnz_module so you need
LoadModule authnz_sspi_module modules/mod_authnz_sspi.so |
|
|
neongrau
Joined: 24 Apr 2013 Posts: 8
|
Posted: Wed 24 Apr '13 13:34 Post subject: |
|
|
Interesting, I took the LoadModule line from the mod_auth_sspi.conf example that came with the module.
Thanks a lot for that!
I wouldn't have noticed.
My Proxy-Balancing doesn't work yet, but I can at least test the authentication, which sadly seems to suffer from the same issue as the old 2.2 module. When mistyping your login/password you have to restart the browser to get another try *sigh* |
|
|
neongrau
Joined: 24 Apr 2013 Posts: 8
|
Posted: Wed 24 Apr '13 14:01 Post subject: |
|
|
Any chance that there is a way to tell Apache to forget the (wrong) credentials and allow another try to login?
Or is this a module issue? |
|
|
glsmith Moderator

Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Wed 24 Apr '13 20:32 Post subject: |
|
|
Oops ... typo in the sample conf.
Not sure; if this is the same issue as mod_auth_sspi on 2.2, I'd assume it's in the module. |
|
|
James Blond Moderator

Joined: 19 Jan 2006 Posts: 7405 Location: EU, Germany, Next to Hamburg
|
Posted: Thu 25 Apr '13 15:12 Post subject: |
|
|
neongrau wrote: | Any chance that there is a way to tell Apache to forget the (wrong) credentials and allow another try to login?
Or is this a module issue? |
This is a problem that comes from the HTTP specification (section 15.6):
Existing HTTP clients and user agents typically retain authentication information indefinitely. HTTP/1.1. does not provide a method for a server to direct clients to discard these cached credentials.
On the other hand, section 10.4.2 says:
If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity might include relevant diagnostic information.
In other words, you may be able to show the login box again (as @Karsten says), but the browser doesn't have to honor your request - so don't depend on this (mis)feature too much. |
|
|
neongrau
Joined: 24 Apr 2013 Posts: 8
|
Posted: Thu 25 Apr '13 15:24 Post subject: |
|
|
So most of all browsers still just ignore the failed login and leave it be.
Only Chrome (at least on OS X) will again offer the login dialog on manual reload.
Firefox, Safari and IE so far will only repeatedly show the 401 error message. |
|
|
neongrau
Joined: 24 Apr 2013 Posts: 8
|
|
|
ganeshvenugopal
Joined: 15 Dec 2016 Posts: 1 Location: India
|
Posted: Fri 16 Dec '16 8:33 Post subject: Will there be a mod_auth_sspi for 2.4? |
|
|
Hi Mandeep,
I have followed the steps that you have mentioned. It is asking for username and password but could not take it further. Please let me know what is missing; it will be very helpful if you provide information on this.
Received 403 error:
Forbidden
You don't have permission to access /Insiderqa_calendar/ on this server.
Apache/2.4.23 (Win64) mod_authnz_sspi/0.1.0 PHP/5.6.25 Server at localhost Port 80
My configuration in conf/httpd.conf:
LoadModule authnz_sspi_module modules/mod_authnz_sspi.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_core_module modules/mod_authz_core.so
<Directory "D:\wamp64\www\Insiderqa_calendar">
Options None
Require all granted
Order allow,deny
Allow from all
#AuthName "SSPI Protected Place"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOfferBasic On
SSPIOmitDomain On
Require valid-user
</Directory> |
|
|
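Added example, not part of any post above and not code from the mod_authnz_sspi project: a small pre-start check for the two configuration mistakes that come up in this thread, the wrong `LoadModule` identifier and a section that mixes 2.2-style `Order`/`Allow` (mod_access_compat in 2.4) with 2.4 `Require` lines, where several bare `Require` lines are combined as an implicit `RequireAny`. The function names, the one-entry symbol table and the sample configuration are assumptions constructed for illustration.

```python
# Assumption: .so file -> module identifier; this one pair is the fix given in the thread.
EXPECTED_SYMBOL = {"mod_authnz_sspi.so": "authnz_sspi_module"}
LEGACY = {"order", "allow", "deny", "satisfy"}  # 2.2 access control (mod_access_compat)

def _check_section(sec):
    out = []
    if sec["legacy"] and sec["require"]:
        out.append((sec["legacy"][0], "2.2 Order/Allow/Deny mixed with 2.4 Require"))
    rules = {rule for _, rule in sec["require"]}
    # Bare Require lines are ORed unless they sit inside <RequireAll>.
    if sec["name"] != "requireall" and "all granted" in rules and len(rules) > 1:
        no = next(n for n, rule in sec["require"] if rule == "all granted")
        out.append((no, "'Require all granted' is ORed with the other Require "
                        "lines (implicit RequireAny); wrap in <RequireAll> or drop it"))
    return out

def audit_httpd_conf(text):
    """Return (line_no, message) findings for the text of an httpd.conf."""
    findings, stack = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        name = parts[0].lower()
        if name.startswith("</"):            # container closes: evaluate it
            findings.extend(_check_section(stack.pop()) if stack else [])
        elif name.startswith("<"):           # container opens
            stack.append({"name": name.strip("<>"), "legacy": [], "require": []})
        elif name == "loadmodule" and len(parts) == 3:
            so = parts[2].strip('"').replace("\\", "/").rsplit("/", 1)[-1]
            want = EXPECTED_SYMBOL.get(so)
            if want and parts[1] != want:
                findings.append((no, f"LoadModule symbol '{parts[1]}' should be '{want}'"))
        elif stack and name in LEGACY:
            stack[-1]["legacy"].append(no)
        elif stack and name == "require":
            stack[-1]["require"].append((no, " ".join(parts[1:]).lower()))
    return findings

# Constructed sample combining the two mistakes discussed in the thread.
SAMPLE = """LoadModule sspi_authnz_module modules/mod_authnz_sspi.so
<Directory "C:/www/app">
    Require all granted
    Order allow,deny
    Require valid-user
</Directory>
"""

if __name__ == "__main__":
    print(*audit_httpd_conf(SAMPLE), sep="\n")
```

This only flags patterns; `httpd -t` remains the authoritative syntax check.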