SSO Mod windows Where to find mod_authnz_sspi, it's m ? plz apachaus.net is down

Started by SebaFR74, April 18, 2023, 09:43:34 AM

Previous topic - Next topic

SebaFR74

Hi, i use apache 2.4 on windows and i am trying to use the SSO on windows apache, using the mod_authnz_sspi, but the website apachehaus.net containing this mod is down, and there is no other link anywehere ?

i tried other mod, but none is working.

Anyone Can give me a link to this mod, or is there an other mod working for SSO ?

thanks a lot

Gregg



Gregg


Gregg


SebaFR74




b126

Quote from: Gregg on April 19, 2023, 09:13:55 PMThe other

Thank you Gregg for this great module. It's working perfectly... until I move my app under a Virtual Host. It seems SSPI is not working with virtual hosts (not trusted).

Could you please then tell me if this problem is occuring with the NTLM module as well.

And what is the main difference between the "SSPI" and the "SSPI NTLM based" modules?
SSPI is able do it in Kerberos as well (if no NTLM work) and the "SSPI NTLM based" one is only pure NTLM?

Thank you again.

mario

Security Support Provider Interface (SSPI). SSPI is the implementation of the Generic Security Services API (GSSAPI) in Windows Server operating systems. For more information about GSSAPI, see the IETF RFC database in RFC 2743 and RFC 2744.

It is pure NTLM. No Kerberos. We never got Kerberos authentication working on Windows.

A working vhost example

<VirtualHost *:80>
  ServerName some.domain.com
  DocumentRoot "/some/path/local"
  <Directory "/some/path/local">
    Options my-options
    AllowOverride AuthConfig my-other-overrides
#   Require all granted
    <IfModule authnz_sspi_module>
      AuthName "SSPI Protected Place"
      AuthType SSPI
      SSPIAuth On
      SSPIAuthoritative On
      SSPIOfferBasic On
      # Should you need to force the login prompt, uncomment the next line
      # SSPIBasicPreferred On
      SSPIOfferSSPI On
      SSPIOmitDomain On
      <RequireAll>
        <RequireAny>
          Require valid-sspi-user
#         Require valid-user
        </RequireAny>
        <RequireNone>
          Require user "ANONYMOUS LOGON"
        </RequireNone>
      </RequireAll>
    </IfModule>
  </Directory>
</VirtualHost>

b126

Quote from: mario on February 07, 2024, 09:10:51 AMIt is pure NTLM. No Kerberos. We never got Kerberos authentication working on Windows.

OK thanks for the info... in that case I can stop trying to get Kerberos working with the SSPI module :)

But at the end, should I use mod_authnz_sspi or rather mod_auth_ntml which seems to be 1 year newer?
I've already set up mod_authnz_sspi with no problems on my configuration (only the VirtualHost bothers me, but nothing serious) but I can change for NTML if needed.
Is there any difference behind?




mario

For Apache 2.4 you have to use mod_authn_ntlm in this case. There is https://github.com/TQsoft-GmbH/mod_authn_ntlm with good documentation.
newer binaries than on GitHub can be found on our download page https://www.apachehaus.com/cgi-bin/download.plx

oytoch

Quote from: mario on February 07, 2024, 09:10:51 AMIt is pure NTLM. No Kerberos. We never got Kerberos authentication working on Windows.

 

But, Why ? Windows can make kerberos auth (IIS) . Some Java web server too. (with a keytab)

I dont understand what is the problem to support this feature for windows

mario

Quote from: oytoch on February 13, 2024, 09:54:49 PMBut, Why ? Windows can make kerberos auth (IIS) . Some Java web server too. (with a keytab)

I dont understand what is the problem to support this feature for windows


if you know how to feel free to contribute to httpd Apache it is Open Source.

oytoch

It's not a criticism but a questioning. I'm not qualified to do it, but I wonder about it. Even if few people need it, it's still an important safety feature.

If i find something (one day) , I will come back here.