Pass-through LDAP authentication with Internet Explorer and Active Directory


#1  09-16-2008, 11:40 AM
Clayton Hicklin

Pass-through LDAP authentication with Internet Explorer and Active Directory

I have LDAP authentication against Active Directory working perfectly in
Firefox, but my problem is with IE. IE automatically passes through the
username and password so once you are logged into the domain, you don't have
to type it in again.

That's great, except it is passed through as <domain>\<user>. To do LDAP
authentication against Active Directory, I am searching the sAMAccountName
attribute of the users. This attribute holds the username for that user,
but does not include the <domain>\ prefix, therefore authentication fails in
IE and it prompts you for the username and password.

As far as I can tell, the <domain>\ prefix is not stored anywhere inside the
user object, so there is no way to authenticate with the credentials that IE
provides.

Has anybody got this working? Is there some sort of workaround or hidden
parameter in the Apache LDAP modules that might fix this? Thanks!

--
Clayton Hicklin
chicklin@gmail.com

#2  09-16-2008, 11:58 AM
Davide Bianchi

Re: Pass-through LDAP authentication with Internet Explorer and Active Directory

Clayton Hicklin wrote:
> I have LDAP authentication against Active Directory working perfectly in
> Firefox, but my problem is with IE. IE automatically passes through the
> username and password so once you are logged into the domain, you don't
> have to type it in again.


See if this http://www.soft-land.org/articoli/sso
can help you out.

Davide

--
How about some patent on "(a+b)^2 == a^2 + 2ab + b^2"? Choose free
software!
-- Laurent Szyster

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


#3  09-16-2008, 12:44 PM
Eric Covener

Re: Pass-through LDAP authentication with Internet Explorer and Active Directory

On Tue, Sep 16, 2008 at 11:40 AM, Clayton Hicklin <chicklin@gmail.com> wrote:
> As far as I can tell, the <domain>\ prefix is not stored anywhere inside the
> user object, so there is no way to authenticate with the credentials that IE
> provides.
>
> Has anybody got this working? Is there some sort of workaround or hidden
> parameter in the Apache LDAP modules that might fix this? Thanks!



Is there any other header set by IE when it does this automatic
authentication? Is the password really sent along with it?


--
Eric Covener
covener@gmail.com

#4  09-16-2008, 02:07 PM
Clayton Hicklin

Re: Pass-through LDAP authentication with Internet Explorer and Active Directory

On Tue, Sep 16, 2008 at 11:44 AM, Eric Covener <covener@gmail.com> wrote:

> On Tue, Sep 16, 2008 at 11:40 AM, Clayton Hicklin <chicklin@gmail.com>
> wrote:
> > As far as I can tell, the <domain>\ prefix is not stored anywhere inside
> > the user object, so there is no way to authenticate with the credentials
> > that IE provides.
> >
> > Has anybody got this working? Is there some sort of workaround or hidden
> > parameter in the Apache LDAP modules that might fix this? Thanks!
>
> Is there any other header set by IE when it does this automatic
> authentication? Is the password really sent along with it?
>
> --
> Eric Covener
> covener@gmail.com

I think these credentials are only sent to "trusted" sites as defined by
IE's security settings. This is on an intranet, so it would be considered a
"trusted" site by default.

--
Clayton Hicklin
chicklin@gmail.com

#5  09-16-2008, 02:22 PM
Clayton Hicklin

Re: Pass-through LDAP authentication with Internet Explorer and Active Directory

On Tue, Sep 16, 2008 at 10:58 AM, Davide Bianchi <davide@onlyforfun.net> wrote:

> Clayton Hicklin wrote:
> > I have LDAP authentication against Active Directory working perfectly in
> > Firefox, but my problem is with IE. IE automatically passes through the
> > username and password so once you are logged into the domain, you don't
> > have to type it in again.
>
> See if this http://www.soft-land.org/articoli/sso
> can help you out.
>
> Davide
>
> --
> How about some patent on "(a+b)^2 == a^2 + 2ab + b^2"? Choose free
> software!
> -- Laurent Szyster

Thanks for the link. I should've mentioned my Apache server is running on
Windows. I don't think mod_ntlm works on Windows. They suggest using
mod_auth_sspi, which is what I started with, and it worked pretty well, but
it has a weird bug that causes Apache not to send all POST data from forms
unless you wait a few seconds to click submit. Strange, but true. So
that's what led me to LDAP. It is really working well except for this
<domain>\ prefix issue.

--
Clayton Hicklin
chicklin@gmail.com

#6  09-16-2008, 02:23 PM
Clayton Hicklin

Re: Pass-through LDAP authentication with Internet Explorer and Active Directory

On Tue, Sep 16, 2008 at 1:22 PM, Clayton Hicklin <chicklin@gmail.com> wrote:

> On Tue, Sep 16, 2008 at 10:58 AM, Davide Bianchi <davide@onlyforfun.net> wrote:
>
>> See if this http://www.soft-land.org/articoli/sso
>> can help you out.
>>
>> Davide
>
> Thanks for the link. I should've mentioned my Apache server is running on
> Windows. I don't think mod_ntlm works on Windows. They suggest using
> mod_auth_sspi, which is what I started with, and it worked pretty well, but
> it has a weird bug that causes Apache not to send all POST data from forms
> unless you wait a few seconds to click submit. Strange, but true. So
> that's what led me to LDAP. It is really working well except for this
> <domain>\ prefix issue.
>
> --
> Clayton Hicklin
> chicklin@gmail.com
>

Found a workaround for mod_auth_sspi. If you are having troubles with not
getting POST data with mod_auth_sspi and Internet Explorer, you can turn on
the pre-1.0.4 behavior with:

SSPIPerRequestAuth On


Still don't know how to handle the IE + LDAP domain prefix issue, but this
module will work for me.
--
Clayton Hicklin
chicklin@gmail.com

#7  09-16-2008, 02:27 PM
Prasanna Ram Venkatachalam

Re: Pass-through LDAP authentication with Internet Explorer and Active Directory

I guess there is an SSPIOmitDomain directive which can be turned Off to
include the domain along with the user name.

(in mod_auth_sspi)
Regards
Prasanna Ram

On Tue, Sep 16, 2008 at 11:53 PM, Clayton Hicklin <chicklin@gmail.com> wrote:

> Found a workaround for mod_auth_sspi. If you are having troubles with not
> getting POST data with mod_auth_sspi and Internet Explorer, you can turn on
> the pre-1.0.4 behavior with:
>
> SSPIPerRequestAuth On
>
> Still don't know how to handle the IE + LDAP domain prefix issue, but this
> module will work for me.
> --
> Clayton Hicklin
> chicklin@gmail.com
>

--
Prasanna Ram

#8  09-16-2008, 02:28 PM
André Warnier

Re: Pass-through LDAP authentication with Internet Explorer and Active Directory

Clayton Hicklin wrote:
> I have LDAP authentication against Active Directory working perfectly in
> Firefox, but my problem is with IE. IE automatically passes through the
> username and password so once you are logged into the domain, you don't have
> to type it in again.
>
> That's great, except it is passed through as <domain>\<user>. To do LDAP
> authentication against Active Directory, I am searching the sAMAccountName
> attribute of the users. This attribute holds the username for that user,
> but does not include the <domain>\ prefix, therefore authentication fails in
> IE and it prompts you for the username and password.
>
> As far as I can tell, the <domain>\ prefix is not stored anywhere inside the
> user object, so there is no way to authenticate with the credentials that IE
> provides.
>
> Has anybody got this working? Is there some sort of workaround or hidden
> parameter in the Apache LDAP modules that might fix this? Thanks!
>

Hi Clayton.
There are so many things that might be "happening in IE" that you need
to be a little more specific for someone to be able to help you.
Can you provide some more precise details about your setup? Like which
version of Apache, what module are you using, what the parameters are, etc.
There are not so many things that can be done at the IE side, but maybe
the authentication module which you are using on the server side has
some parameters.
The fact that IE at first passes the domain\user seems to imply that IE
thinks it is doing "Windows Integrated Authentication", which can be a
good or a bad thing. But without some more details, one would not know
where to start looking.
Contrary to what you seem to think (or at least what you write), it is
not in IE that authentication fails, it is at the server level. As a
result, the server sends a "401 Authorization required" to IE, and that
is when IE pops up the login dialog.

#9  09-16-2008, 02:30 PM
Clayton Hicklin

Re: Pass-through LDAP authentication with Internet Explorer and Active Directory

On Tue, Sep 16, 2008 at 1:27 PM, Prasanna Ram Venkatachalam <vpram86@gmail.com> wrote:

> I guess there is an SSPIOmitDomain directive which can be turned Off to
> include the domain along with the user name.
>
> (in mod_auth_sspi)
> Regards
> Prasanna Ram
>

The setup that works for me with mod_auth_sspi is:

AuthName "blah blah blah"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIPerRequestAuth On
SSPIOfferBasic on
Require group DOMAIN\group1
Require group DOMAIN\group2
Require group DOMAIN\group3

This works for both IE (using NTLM) and Firefox (using BASIC
authentication).

--
Clayton Hicklin
chicklin@gmail.com

#10  09-16-2008, 02:41 PM
Clayton Hicklin

Re: Pass-through LDAP authentication with Internet Explorer and Active Directory

On Tue, Sep 16, 2008 at 1:28 PM, André Warnier <aw@ice-sa.com> wrote:

> Hi Clayton.
> There are so many things that might be "happening in IE" that you need to
> be a little more specific for someone to be able to help you.
> Can you provide some more precise details about your setup? Like which
> version of Apache, what module are you using, what the parameters are, etc.
> There are not so many things that can be done at the IE side, but maybe the
> authentication module which you are using on the server side has some
> parameters.
> The fact that IE at first passes the domain\user seems to imply that IE
> thinks it is doing "Windows Integrated Authentication", which can be a good
> or a bad thing. But without some more details, one would not know where to
> start looking.
> Contrary to what you seem to think (or at least what you write), it is not
> in IE that authentication fails, it is at the server level. As a result,
> the server sends a "401 Authorization required" to IE, and that is when IE
> pops up the login dialog.
>

I didn't mean to imply that the authentication fails "in" IE. I realize it
is at the server. My issue is that I would like a seamless user
experience. IE is passing 'domain\user' due to "Windows Integrated
Authentication" being turned on and it would be nice if those credentials
could be used to authenticate without popping up the login dialog. This
works using the mod_auth_sspi module (which uses NTLM) but not with LDAP
authentication. The reason is that with LDAP authentication, you have to
specify an attribute to search for the username that is passed to Apache.
In the case of Active Directory, this attribute is sAMAccountName. This
attribute stores the username of the Windows user. The problem is that IE
passes 'domain\user' (not just 'user') on its first attempt at
authentication. This obviously fails which causes the login dialog to pop
up. You can then just type in your username and password and everything
works fine.

I think the ultimate solution would be to modify the Apache LDAP module to
accept a parameter that would optionally strip out the domain portion of the
credentials that IE passes. That way, we could use IE + APACHE + Active
Directory (LDAP) for a seamless SSO solution. I think this would be pretty
common in most corporate environments, which is where this is being
implemented.

--
Clayton Hicklin
chicklin@gmail.com

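A worked model of the "strip the domain portion" parameter Clayton proposes above, added here as example code (not from the thread and not from any Apache module): it maps the DOMAIN\user form IE passes through onto a bare sAMAccountName, refuses prefixes outside an allow-list of expected domains instead of stripping blindly, and escapes the value before it goes into the LDAP search filter. TRUSTED_DOMAINS, the sample logins and the function names are assumptions.

```python
import re

# Constructed allow-list of the NetBIOS domain names this server expects in the
# DOMAIN\user form that IE sends (assumption: a single forest with these names).
# Any other prefix is refused rather than silently stripped, so an account from
# an unexpected domain is never mapped onto a same-named account in this one.
TRUSTED_DOMAINS = frozenset({"CORP", "LAB"})

# RFC 4515 escaping for assertion values inside a search filter. The value
# comes straight from the browser's Authorization header, so it is untrusted.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Characters Active Directory does not allow in a sAMAccountName; a login
# containing one can be rejected before any directory query is built.
_SAM_FORBIDDEN = re.compile(r'["/\\\[\]:;|=,+*?<>]')


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def normalize_login(login: str, trusted_domains=TRUSTED_DOMAINS):
    """Map the login IE passes through ('DOMAIN\\user', or the bare 'user'
    typed into the dialog) onto (sAMAccountName, DOMAIN or None).
    Raises ValueError for an unexpected domain or a malformed name."""
    if login is None or not login.strip():
        raise ValueError("empty login")
    domain = None
    user = login
    if "\\" in login:
        domain, _, user = login.partition("\\")
        domain = domain.strip().upper()
        if domain not in trusted_domains:
            raise ValueError(f"refusing login from unexpected domain {domain!r}")
    user = user.strip()
    if not user or _SAM_FORBIDDEN.search(user):
        raise ValueError("login is not a valid sAMAccountName")
    return user, domain


def sam_account_filter(login: str) -> str:
    """Build the filter an LDAP authenticator would send for this login.
    Escaping is applied even though the validator already ran: the filter
    builder must not depend on an upstream check for its own safety."""
    user, _ = normalize_login(login)
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(user)}))"


if __name__ == "__main__":
    # Constructed sample logins: what IE sends, what a user types, and two
    # inputs that must be rejected.
    for sample in ["CORP\\jdoe", "jdoe", "corp\\jdoe", "OTHER\\jdoe", "CORP\\j*doe"]:
        try:
            print(f"{sample!r:16} -> {sam_account_filter(sample)}")
        except ValueError as err:
            print(f"{sample!r:16} -> rejected: {err}")
```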