The Apache Haus Forum

Advanced search  

News:

Welcome to Apache Haus Distribution Forum

Pages: [1]   Go Down

Author Topic: mod_authn_ntlm OS X 10.10  (Read 2611 times)

FrankL

  • Newbie
  • *
  • Offline Offline
  • Posts: 3
mod_authn_ntlm OS X 10.10
« on: May 04, 2016, 01:34:24 PM »

Hi.
I just installes newest Version of Apache 2.4 found here x86 on Windows 2008 R2.
I configured a virtual host to SSO on Windows 2008 R2 AD.
I works on Windows 7 with IE and  Firefox 44.0.2.
When i try to auth with Firefox 46.0 or Safari on OS X 10.10.5 it always prompts for credentials.
The Computer is in bound to AD and the current user is a domain user. Keberos Ticket is there.


<VirtualHost xxx.xxx.xxx.xxx>
   DocumentRoot "${WWWROOT}/osticket"
   ServerName ticket.domain.de
   ServerAlias ticket.domain.local
   <Location "/">
   AuthName "DOMAIN"
    AuthType SSPI
    NTLMAuth On
    NTLMAuthoritative On
   #NTLMOfferBasic On
   #NTLMMSIE3Hack On
   #NTLMUsernameCase lower
    <RequireAll>
        <RequireAny>
            Require valid-user
            #require sspi-user EMEA\group_name
        </RequireAny>
        <RequireNone>
            Require user "ANONYMOUS LOGON"
            Require user "NT-AUTORIT√ĄT\ANONYMOUS-ANMELDUNG"
        </RequireNone>
    </RequireAll>

    # use this to add the authenticated username to you header
    # so any backend system can fetch the current user
    # rewrite_module needs to be loaded then

     #RewriteEngine On
     #RewriteCond %{LA-U:REMOTE_USER} (.+)
     #RewriteRule . - [E=RU:%1]
     #RequestHeader set X_ISRW_PROXY_AUTH_USER %{RU}e
    </Location>
</VirtualHost>
Logged

mario

  • Administrator
  • Member Elite
  • *****
  • Offline Offline
  • Posts: 580
Re: mod_authn_ntlm OS X 10.10
« Reply #1 on: May 05, 2016, 09:19:11 PM »

I don't know where there problem is, but OS X and iOS have a problem with Auth. If I put a simple .htaccess auth on a website the safari is prompting a every single item / url in the page. I have some image, css, javascript it asks for the credentials for each. I haven't figured out yet how to solve that.
There is a pull request https://github.com/YvesR/mod_authn_ntlm/pull/9 for IE that might solve the issue for OSX, too. But I'm not sure if it does. It might be different problem.
Logged

FrankL

  • Newbie
  • *
  • Offline Offline
  • Posts: 3
Re: mod_authn_ntlm OS X 10.10
« Reply #2 on: May 09, 2016, 12:02:52 PM »

Sophos UTM SSO + Firefox on OS X doesn't work either. I think OS X 10.10. does not send the credentials at all.
I'm currently using Sophos Authentication Agent to solve that issue for the UTM transparent proxy.

Is there a way to check to log SPNEGO in apache. I want to see if the apache servers tries to pull authentication and what comes in return.
Logged

FrankL

  • Newbie
  • *
  • Offline Offline
  • Posts: 3
Re: mod_authn_ntlm OS X 10.10
« Reply #3 on: May 10, 2016, 02:57:00 PM »

is it possible to configure the vhost in a way that if NTML is successfull the client is logged in and if SSO fails the "normal" Webpage appears and the client can log in manually?
Logged

mario

  • Administrator
  • Member Elite
  • *****
  • Offline Offline
  • Posts: 580
Re: mod_authn_ntlm OS X 10.10
« Reply #4 on: May 11, 2016, 06:03:02 PM »

You can define a 403( maybe also a 401) error page in the apache config. That could be the login page. I'm not so sure if that then overcomes NTLM. But I think you can have a user agent / browser switch in the apache config to solve that.
Logged

StevenTut

  • Newbie
  • *
  • Offline Offline
  • Posts: 3
mod_authn_ntlm OS X 10 10
« Reply #5 on: January 06, 2017, 11:18:41 PM »

I found the solution : it was a "bad" config saved on the computers client, nothing to see with mod_authn_ntlm.

 On the client, go to :
Control Panel > User Accounts > User accounts > check credentials

Select the Windows login infos correpsonding to the server and delete the line, then the correct login is displayed in IE.
Logged
Pages: [1]   Go Up
 

Sitemap 1 2 3 4 5 6 7 8 9 10 11 12 13