Disable input requests in mod_auth_sspi_1.0.4-2.2.2

What am I trying to do:

  • Create a homepage on our corporate intranet that automatically captures the logged-in Windows username of the person viewing the page, without the user being asked for these credentials when loading the page.

  • Currently, I just want it to capture the local username, as it will be some time before our IT guys get the domain set up. For example, right now I want it to write "(PC-Name)\windows.user.name" without any prompts.

Environment:

  • Apache 2.2.21 on Windows 7 x64 (will be on CentOS after its creation).

  • PHP 5.3.8 (VC9-ZTS).

  • Internet Explorer 9.0.8x and Firefox 6.0.2 (later will worry about Chrome).

  • The current test page is just a PHP script calling print_r($_SERVER).

  • To keep things simple, the directory in which I am testing this is not in a VirtualHost.

The steps that I have done so far:

  • We downloaded mod_sspi_1.0.4-2.2.2 from SourceForge and extracted the mod_auth_sspi.so file into the Apache modules directory.

  • Added module declaration:

    LoadModule sspi_auth_module modules/mod_auth_sspi.so

  • Added directory definition:

    AllowOverride None
    Options None
    Order allow,deny
    Allow from all

    AuthName "My Intranet"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative Off
    require valid-user

  • Enabled Integrated Authentication in Firefox by going to about:config, setting network.automatic-ntlm-auth.trusted-uris to the absolute path of the PHP script URL, and then restarting Firefox.

  • I haven't done the equivalent step in IE yet, but one day I will get Firefox as our main supported browser inside.

  • Restarted Apache and attempted to load a PHP test script.

Result:

  • In IE and Firefox, I get a prompt for a username and password before the page loads. I do not want this prompt. I want the username to be detected automatically without a prompt.

Troubleshooting so far:

  • I tried cycling on various SSPI parameters such as enable / disable authorization and much more. There is no effect.

  • The prompt no longer appears if I delete the "require valid-user", but then the username is also not passed (it is not NULL, just not present in the array, period).

  • If I click "Cancel" at the prompt, I get the standard "Authentication Required" page.

  • If I enter the wrong username or the correct username but with the wrong password, the page will load, but the username will be "(PC-name)\Guest".

  • If I enter the correct username / password, then instead of Guest the username will be displayed.

  • As soon as I have entered the username / password in IE or Firefox, the browser remembers that username on subsequent page loads until I clear the saved password cache or restart the browser.

  • I spent the last 3 or so hours on Google and on random guesses. Zero success. I found several isolated posts where people asked this question, but either they went unanswered or the suggested solutions were ones that I had already tried without success.

Again, I want the page to load without any prompts and display the current Windows username in the output of the $_SERVER array.

As far as I understand, this is either a problem with configuring Windows, a problem with configuring Apache, or a problem with configuring a browser. Beyond that, I am fresh out of ideas.

I would be very grateful for any help you can offer. Thanks!

- Kris

+8
authentication windows php apache sspi
2 answers

Took a couple of days, but in the end I figured it out myself. The various documents and guides that describe setting up Firefox about:config seem to be incorrect. They claim that a full URI, including a protocol prefix, should be included. As it turned out, the exact opposite is true.

As a random shot in the dark, I tried to set it to "localhost" (the domain on which the test server is running). And voila! It fixed it! "http://localhost", on the other hand, caused it to break.

Once I got it working in Firefox, confirming the correct configuration on the server side, applying it to IE and Chrome was a cinch. For IE, I just added "http://localhost" (in this case, you want the protocol prefix) to the "Intranet" zone. And since Chrome uses the same network settings that IE uses, this step made it work for both browsers.

Regarding the server side configuration, it looks like I had this right from the start. I simplified it a bit, so really all you need in the directory block is the following:

    AuthName "Whatever you want to call your intranet"
    AuthType SSPI
    SSPIAuth On
    require valid-user

With this setup, if you point to a PHP script executing print_r($_SERVER), the output will contain something like the following:

    [REMOTE_USER] => dev-kdc-pc01\kris.craig
    [AUTH_TYPE] => NTLM
    [PHP_AUTH_USER] => dev-kdc-pc01\kris.craig

If you want to get rid of the domain part (for example, "dev-kdc-pc01\"), you can either parse it in PHP, or add this line to your SSPI settings in the directory block in httpd.conf mentioned above:

    SSPIOmitDomain On

Note that I only tested this on a Windows system, where the Apache web server was running on a local host. I have not tested it in a situation where the Apache server is running on Linux, although this should not affect the results, since the server simply accepts everything that the browser sends. It also requires the client to be running Windows or another SSPI compatible environment. I have not yet decided how to make this work for our Mac employees.

Also note that I have successfully tested this on a network that does not currently have a configured domain. According to articles published elsewhere, behavior should be the same on a workstation that is a member of a domain.

Hope this helps! Thanks!

+7
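
Added example (not part of the original answer): parsing the `REMOTE_USER` value shown above in PHP, and refusing the `Guest` identity that the question reports when a wrong password is entered. The function name `sspi_identity` and the account-name pattern are assumptions.

```php
<?php
/**
 * Split "MACHINE\user" (or just "user" when SSPIOmitDomain is On).
 * Returns array('domain' => string|null, 'user' => string), or null when
 * the value is missing, malformed, or is the Guest account.
 * sspi_identity() is a hypothetical helper, not part of mod_auth_sspi.
 */
function sspi_identity(array $server)
{
    if (empty($server['REMOTE_USER'])) {
        return null; // no "require valid-user", or authentication did not run
    }
    $raw = $server['REMOTE_USER'];

    // Everything before the last backslash is the machine or domain name.
    $pos = strrpos($raw, '\\');
    if ($pos === false) {
        $domain = null;
        $user = $raw;
    } else {
        $domain = substr($raw, 0, $pos);
        $user = substr($raw, $pos + 1);
    }

    // Assumed naming rule: adjust the pattern to local account conventions.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', (string) $user)) {
        return null;
    }
    // The question reports that a failed logon still loads the page as
    // "(PC-name)\Guest", so Guest must not be treated as a known user.
    if (strcasecmp($user, 'Guest') === 0) {
        return null;
    }
    return array('domain' => $domain, 'user' => strtolower($user));
}

// Constructed sample inputs, shaped like the print_r($_SERVER) output above.
$samples = array(
    array('REMOTE_USER' => 'dev-kdc-pc01\\kris.craig', 'AUTH_TYPE' => 'NTLM'),
    array('REMOTE_USER' => 'dev-kdc-pc01\\Guest', 'AUTH_TYPE' => 'NTLM'),
    array('REMOTE_USER' => 'kris.craig'), // as sent with SSPIOmitDomain On
    array(),                              // REMOTE_USER absent
);
foreach ($samples as $s) {
    $id = sspi_identity($s);
    echo ($id === null) ? "rejected\n" : $id['user'] . "\n";
}
```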

This may be a partial answer.

    BOOL WINAPI GetUserName(
        __out   LPTSTR  lpBuffer,
        __inout LPDWORD lpnSize
    );

http://msdn.microsoft.com/en-us/library/windows/desktop/ms724432%28v=vs.85%29.aspx

It looks like you can get system information using this, the other half can be automating it using PERL or Python to clear the information and then publish it to PHP.

Here is the sysinfo extraction scheme on Windows.

http://msdn.microsoft.com/en-us/library/windows/desktop/ms724426%28v=vs.85%29.aspx

Honestly, this is a pretty simple task with PECL / PAM if you are using Linux.

0