damijim

Issues With mod_auth_sspi Getting a User's Domain Name

I'm running Apache 2.x, PHP 5 with the mod_auth_sspi module and adLDAP ( http://adldap.sourceforge.net/ ). I can use adLDAP against AD to authenticate a user, but I'm trying to do seamless authentication (using FAQ #6 on http://adldap.sourceforge.net/faq.php ). This will be used on the internal domain cobbworld.com.

The problem is the sample code (attached as a snippet) always returns ProWEBDEV-VM/admin as the user when I try hitting the server (from another box where I am logged into the domain). I check the $_SERVER['REMOTE_USER'] variable and it is always ProWEBDEV-VM/admin.

I am logged into my VM web server through VCenter, and this response is coming from my desktop where I am using my company username/password (both on cobbworld). When other users try to access the test page, they receive a message box prompting them for a username and password.

I'm confused as to what is going on. Help? Please let me know what information would be helpful.

Also - from the documentation of mod_auth_sspi, it seems like it could do the seamless authentication w/o the need for adLDAP. I've done this much easier before with ASP, but I need to do it w/ PHP now. Thanks!
<?php
// mod_auth_sspi sets REMOTE_USER to DOMAIN\user; split it on the backslash.
$cred = explode('\\', $_SERVER['REMOTE_USER']);
// With SSPIOmitDomain On only the user name arrives, so pad the domain slot.
if (count($cred) == 1) array_unshift($cred, "(no domain info - perhaps SSPIOmitDomain is On)");
list($domain, $user) = $cred;

echo "You appear to be user <B>$user</B><BR/>";
echo "logged into the domain <B>$domain</B>";
 
 
Here's my output (from my local machine on the domain w/ my user ID):
You appear to be user admin
logged into the domain PROWEBDEV-VM
 
(Note: I log on to my dev server as admin/PROWEBDEV-VM... and httpd.exe is running as a SYSTEM service.)


Last Comment: damijim, 8/22/2022 - Mon
Xyptilon2

I just answered your other question. Are you sure that the authentication that is used is basic authentication? Have you tried the server variable AUTH_USER instead of REMOTE_USER?

How about printing a phpinfo(); to check what the environment variables are and look for the string you want to find. See in what variable you can find it.
damijim

ASKER
I've tried all of those. I don't see the cobbworld domain username output from phpinfo(); ... I'm not sure about your authentication question. All logons into the cobbworld domain are verified through AD running on dc1.cobbworld.com and dc2.cobbworld.com. I didn't have a problem getting it with ASP.

The webserver PROWEBDEV-VM is part of the domain (i.e., prowebdev-vm.cobbworld.com). But it doesn't use the AD of cobbworld for logging in - although it can see it. I can add users to the web server VM from cobbworld.

Other question: https://www.experts-exchange.com/questions/23322044/Easiest-Way-To-Retrieve-Domain-Login-Username-in-PHP.html
damijim

ASKER
Hm, I changed the mod_auth_sspi config in my httpd.conf to:

<Directory "D:/Apache2.2/htdocs/new_client">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
   
    AuthName "New Client Implementation"
    AuthType SSPI
    SSPIAuth On
    SSPIOfferSSPI Off
    SSPIAuthoritative Off
    SSPIDomain cobbworld.com
    SSPIOmitDomain Off
    SSPIOfferBasic On

    require valid-user
</Directory>

And now it asks for me to log on (for every cobbworld.com domain account). The only one that works is using ProWEBDev-VM/admin & password. I can query cobbworld.com's AD using adLDAP so I know it's visible. As far as the mod_auth_sspi, the domain to use is defined in the configuration... I wish there was more documentation on the windows version of this module.
damijim

ASKER
Oh, and I was using NTLM authentication before, but I turned that off in the above config.
ASKER CERTIFIED SOLUTION
Xyptilon2

damijim

ASKER
Well, I realized the login issue was being caused by the removal of my web server from the domain. So, now it can see COBBWORLD's AD. Now I'm trying to get the username w/o the prompt coming up since the user has already authenticated by logging on to the network. I may just need to tweak the httpd.conf config a little.

I'm using the latest version 1.0.4-2.2.2.
Xyptilon2

IE has an option (somewhere) to allow automatic logons. Not sure where it is, I think somewhere in advanced settings (in the internet zones).
damijim

ASKER
Yeah, but it's possible (according to adLDAP's FAQ) to use mod_auth_sspi to do a seamless log in. One of my requirements is to do it seamlessly. So I just need to know what the user's domain account name is and then I can do the LDAP stuff I need to with adLDAP.
damijim

ASKER
I finally got the username with the following in my httpd.conf and re-joining the web server to the domain. Thanks for your help and input Xyptilon2! :)

<Directory "D:/Apache2.2/htdocs/new_client">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
   
    AuthName "New Client Implementation"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative Off
    SSPIOfferBasic Off
    SSPIBasicPreferred Off
    SSPIDomain cobbworld
    SSPIOmitDomain Off
   

    require valid-user
</Directory>

The $_SERVER['REMOTE_USER'] is now populating with the cobbworld login for users. Thanks!
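As an added example (not code from the question or any of the answers), here is a PHP 5-compatible version of the REMOTE_USER parsing that also checks the account really came from the expected domain, so a local machine account such as PROWEBDEV-VM\admin is rejected instead of being handed to adLDAP as if it were a domain user; the COBBWORLD domain check, the helper names and the sample values are assumptions.

```php
<?php
// Added example, not code from the question or the answers. Normalises the
// value mod_auth_sspi puts in REMOTE_USER and accepts only accounts from the
// expected domain. The domain name and the sample values are assumptions.

// Parse REMOTE_USER into array('domain' => ..., 'user' => ...).
// Handles DOMAIN\user (SSPIOmitDomain Off), user@domain.tld (UPN form) and a
// bare user name (SSPIOmitDomain On). Returns null for an empty value, which
// means the request was never authenticated by the module.
function parse_remote_user($remoteUser)
{
    $remoteUser = trim((string) $remoteUser);
    if ($remoteUser === '') {
        return null;
    }
    if (strpos($remoteUser, '\\') !== false) {           // DOMAIN\user
        list($domain, $user) = explode('\\', $remoteUser, 2);
    } elseif (strpos($remoteUser, '@') !== false) {      // user@domain.tld
        list($user, $domain) = explode('@', $remoteUser, 2);
        $parts  = explode('.', $domain);
        $domain = $parts[0];                             // keep the NetBIOS name
    } else {                                             // no domain information
        $domain = '';
        $user   = $remoteUser;
    }
    return array('domain' => strtoupper($domain), 'user' => $user);
}

// Return the account name to hand to adLDAP, or null when the account did
// not come from the expected domain (e.g. the local machine account
// PROWEBDEV-VM\admin, or a bare name that cannot be attributed to any domain).
function domain_account($remoteUser, $expectedDomain = 'COBBWORLD')
{
    $parsed = parse_remote_user($remoteUser);
    if ($parsed === null || $parsed['domain'] !== strtoupper($expectedDomain)) {
        return null;
    }
    return $parsed['user'];
}

// Constructed sample values (not captured from the asker's server).
$samples = array('COBBWORLD\\jdoe', 'jdoe@cobbworld.com', 'PROWEBDEV-VM\\admin', 'jdoe', '');
foreach ($samples as $sample) {
    $account = domain_account($sample);
    printf("%-22s => %s\n", var_export($sample, true),
        $account === null ? 'rejected' : "ok, account $account");
}
// On the real page: $account = domain_account(isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : '');
```

Only the first two samples are accepted; the local admin account, the bare name and the empty value all come back as rejected, so the page can fall back to a login prompt rather than querying AD for the wrong account.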
damijim

ASKER
Thanks for the input!