mod_authn_ntlm OS X 10.10

Started by FrankL, May 04, 2016, 01:34:24 PM

FrankL

Hi.
I just installed the newest version of Apache 2.4 found here x86 on Windows 2008 R2.
I configured a virtual host to SSO on Windows 2008 R2 AD.
It works on Windows 7 with IE and Firefox 44.0.2.
When I try to auth with Firefox 46.0 or Safari on OS X 10.10.5 it always prompts for credentials.
The computer is bound to AD and the current user is a domain user. Kerberos ticket is there.


<VirtualHost xxx.xxx.xxx.xxx>
    DocumentRoot "${WWWROOT}/osticket"
    ServerName ticket.domain.de
    ServerAlias ticket.domain.local
    <Location "/">
        AuthName "DOMAIN"
        AuthType SSPI
        NTLMAuth On
        NTLMAuthoritative On
        #NTLMOfferBasic On
        #NTLMMSIE3Hack On
        #NTLMUsernameCase lower
        <RequireAll>
            <RequireAny>
                Require valid-user
                #require sspi-user EMEA\group_name
            </RequireAny>
            <RequireNone>
                Require user "ANONYMOUS LOGON"
                Require user "NT-AUTORITÄT\ANONYMOUS-ANMELDUNG"
            </RequireNone>
        </RequireAll>

        # use this to add the authenticated username to your header
        # so any backend system can fetch the current user
        # rewrite_module needs to be loaded then

        #RewriteEngine On
        #RewriteCond %{LA-U:REMOTE_USER} (.+)
        #RewriteRule . - [E=RU:%1]
        #RequestHeader set X_ISRW_PROXY_AUTH_USER %{RU}e
    </Location>
</VirtualHost>

mario

I don't know where the problem is, but OS X and iOS have a problem with Auth. If I put a simple .htaccess auth on a website, Safari is prompting for every single item / URL in the page. I have some images, CSS, JavaScript; it asks for the credentials for each. I haven't figured out yet how to solve that.
There is a pull request https://github.com/YvesR/mod_authn_ntlm/pull/9 for IE that might solve the issue for OSX, too. But I'm not sure if it does. It might be a different problem.

FrankL

Sophos UTM SSO + Firefox on OS X doesn't work either. I think OS X 10.10 does not send the credentials at all.
I'm currently using Sophos Authentication Agent to solve that issue for the UTM transparent proxy.

Is there a way to check to log SPNEGO in Apache? I want to see if the Apache server tries to pull authentication and what comes in return.
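
For the logging question above, an added example (not part of the thread and not mod_authn_ntlm code): a Python helper that classifies an Authorization or WWW-Authenticate header value as NTLM, SPNEGO or Kerberos from the token's leading bytes, without echoing the token. The function name and the sample headers are constructed for illustration.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_auth_header(value):
    """Return (scheme, detail) for an Authorization / WWW-Authenticate value.
    Only leading bytes are inspected; the token is never returned, so the
    result can be logged without storing credential material."""
    if not value or not value.strip():
        return ("none", "no header sent")
    scheme, _, token = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return ("basic", "credentials present (not decoded)")
    if scheme not in ("ntlm", "negotiate"):
        return (scheme, "unrecognised scheme")
    token = token.strip()
    if not token:
        return (scheme, "offer only, no token")
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return (scheme, "token is not valid base64")
    if raw.startswith(NTLMSSP_SIG) and len(raw) >= 12:
        msg_type = struct.unpack_from("<I", raw, 8)[0]  # little-endian type field
        return (scheme, "NTLMSSP " + NTLM_TYPES.get(msg_type, "type %d" % msg_type))
    if raw[:1] == b"\x60":  # GSS-API initial token: tag, length, mechanism OID
        if SPNEGO_OID in raw[:16]:
            return (scheme, "SPNEGO-wrapped GSS token")
        if KRB5_OID in raw[:20]:
            return (scheme, "bare Kerberos GSS token")
        return (scheme, "GSS token, unknown mechanism")
    if raw[:1] == b"\xa1":
        return (scheme, "SPNEGO NegTokenResp")
    return (scheme, "unrecognised token")


if __name__ == "__main__":
    # Constructed sample headers, not captured from a real client.
    ntlm1 = base64.b64encode(NTLMSSP_SIG + struct.pack("<I", 1) + b"\x00" * 4).decode()
    spnego = base64.b64encode(b"\x60\x82\x01\x00" + SPNEGO_OID + b"\xa0" * 8).decode()
    for header in (None, "Negotiate", "NTLM " + ntlm1, "Negotiate " + spnego):
        print(classify_auth_header(header))
```

An empty or missing header is reported as `none`, which separates a client that never answers the 401 from one that answers with NTLM instead of Kerberos.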

FrankL

Is it possible to configure the vhost in a way that if NTLM is successful the client is logged in, and if SSO fails the "normal" web page appears and the client can log in manually?

mario

You can define a 403 (maybe also a 401) error page in the Apache config. That could be the login page. I'm not so sure if that then overcomes NTLM. But I think you can have a user agent / browser switch in the Apache config to solve that.

StevenTut

I found the solution: it was a "bad" config saved on the client computers, nothing to do with mod_authn_ntlm.

On the client, go to:
Control Panel > User Accounts > User accounts > check credentials

Select the Windows login info corresponding to the server and delete the line; then the correct login is displayed in IE.