Hi.
I just installed the newest version of Apache 2.4 found here (x86) on Windows 2008 R2.
I configured a virtual host to SSO on Windows 2008 R2 AD.
It works on Windows 7 with IE and Firefox 44.0.2.
When I try to auth with Firefox 46.0 or Safari on OS X 10.10.5 it always prompts for credentials.
The computer is bound to AD and the current user is a domain user. Kerberos ticket is there.
<VirtualHost xxx.xxx.xxx.xxx>
    DocumentRoot "${WWWROOT}/osticket"
    ServerName ticket.domain.de
    ServerAlias ticket.domain.local
    <Location "/">
        AuthName "DOMAIN"
        AuthType SSPI
        NTLMAuth On
        NTLMAuthoritative On
        #NTLMOfferBasic On
        #NTLMMSIE3Hack On
        #NTLMUsernameCase lower
        <RequireAll>
            <RequireAny>
                Require valid-user
                #require sspi-user EMEA\group_name
            </RequireAny>
            <RequireNone>
                Require user "ANONYMOUS LOGON"
                Require user "NT-AUTORITÄT\ANONYMOUS-ANMELDUNG"
            </RequireNone>
        </RequireAll>
        # use this to add the authenticated username to your header
        # so any backend system can fetch the current user
        # rewrite_module needs to be loaded then
        #RewriteEngine On
        #RewriteCond %{LA-U:REMOTE_USER} (.+)
        #RewriteRule . - [E=RU:%1]
        #RequestHeader set X_ISRW_PROXY_AUTH_USER %{RU}e
    </Location>
</VirtualHost>
I don't know where the problem is, but OS X and iOS have a problem with auth. If I put a simple .htaccess auth on a website, Safari prompts for every single item / URL in the page. I have some images, CSS, JavaScript; it asks for the credentials for each. I haven't figured out yet how to solve that.
There is a pull request https://github.com/YvesR/mod_authn_ntlm/pull/9 for IE that might solve the issue for OS X, too. But I'm not sure if it does. It might be a different problem.
Sophos UTM SSO + Firefox on OS X doesn't work either. I think OS X 10.10 does not send the credentials at all.
I'm currently using Sophos Authentication Agent to solve that issue for the UTM transparent proxy.
Is there a way to log SPNEGO in Apache? I want to see if the Apache server tries to pull authentication and what comes in return.
Is it possible to configure the vhost in a way that if NTLM is successful the client is logged in, and if SSO fails the "normal" web page appears and the client can log in manually?
You can define a 403 (maybe also a 401) error page in the Apache config. That could be the login page. I'm not so sure if that then overcomes NTLM. But I think you can have a user agent / browser switch in the Apache config to solve that.
I found the solution: it was a "bad" config saved on the client computer, nothing to do with mod_authn_ntlm.
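The question above about logging SPNEGO asks how to see what Apache offered and what the client sent back. As an added example that is not part of this thread, the script below assumes you add the LogFormat shown in its comments to the vhost (log lines and tokens are constructed), decodes the logged Authorization header, and tells Kerberos/SPNEGO tokens apart from NTLMSSP fallbacks, Basic, and requests that carry no credentials at all, which is how a Safari or Firefox prompting loop shows up on the server side.

```python
import base64
import re

# Constructed sample lines, not from the thread. They assume a vhost LogFormat
# that records both auth headers (tokens below are hand-made, not real):
#   LogFormat "%h %>s \"%{Authorization}i\" \"%{WWW-Authenticate}o\"" sso
#   CustomLog "logs/sso.log" sso
SAMPLE_LOG = """\
10.0.0.5 401 "-" "Negotiate"
10.0.0.5 200 "Negotiate YIIBDAYGKwYBBQUCoIIBADCB" "-"
10.0.0.7 401 "Negotiate TlRMTVNTUAABAAAA" "Negotiate TlRMTVNTUAACAAAA"
10.0.0.9 401 "Basic dXNlcjpwYXNz" "-"
10.0.0.9 401 "-" "NTLM"
"""
LINE_RE = re.compile(r'^(\S+) (\d{3}) "([^"]*)" "([^"]*)"$')

def classify_token(header):
    """Say what the client really sent in Authorization: Kerberos, NTLM, Basic."""
    if header == "-":
        return "none"
    scheme, _, token = header.partition(" ")
    if scheme == "Basic":
        return "basic"          # user:password in base64; purge such logs soon
    if scheme not in ("Negotiate", "NTLM"):
        return "other"
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return "malformed"
    if raw.startswith(b"NTLMSSP\x00"):
        # NTLMSSP signature: browser fell back to NTLM even under "Negotiate"
        msg_type = int.from_bytes(raw[8:12], "little") if len(raw) >= 12 else 0
        return f"ntlm-type{msg_type}"
    if raw[:1] == b"\x60":      # GSS-API InitialContextToken: SPNEGO/Kerberos
        return "spnego-kerberos"
    return "unknown"

def parse_log(text):
    """One (ip, status, client_sent, server_offered) tuple per log line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, status, authz, www = m.groups()
            offered = "-" if www == "-" else www.split(" ", 1)[0]
            rows.append((ip, int(status), classify_token(authz), offered))
    return rows
```

Logging `%{Authorization}i` records Basic credentials verbatim, so keep that CustomLog only for the duration of the diagnosis.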
On the client, go to:
Control Panel > User Accounts > User Accounts > check credentials
Select the Windows login info corresponding to the server and delete the line; then the correct login is displayed in IE.