I want to know if it's possible to configure Apache for authentication against Active Directory for users to use Single Sign-on. I know Internet Explorer can use it and it's called Windows Authentication.

Dmytro Leonenko

2 Answers

IE's "Windows Authentication" is NTLM -- at least older versions. (I think that current "Windows Authentication" does negotiate). You would need mod_ntlm or mod_auth_ntlm_winbind for NTLMv2. I think that later versions of IE and Windows can also do GSSAPI via negotiate, which would work using mod_auth_kerb. GSSAPI has the advantage that it can be made to work with all the major browsers and platforms.

Short answer - it's possible.

beans

You can use authnz to accomplish this very task.

http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html

You'll need to create an unprivileged account for Apache to connect to AD to perform the authentication. It's possible to do things like conditionally allowing people access based on group memberships. In addition, you should be able to add the URL to trusted sites and have IE pass creds transparently so that there is no user interaction required to log in.

Sean C.
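
The setup described in the mod_authnz_ldap answer above, as an added configuration sketch for Apache 2.2 (not part of either answer). The host name, DNs, CA path and `/intranet` location are hypothetical placeholders. mod_authnz_ldap checks a username and password submitted through HTTP Basic authentication, so the location is restricted to TLS and the directory is reached over LDAPS.

```apache
# Added example; all names below are placeholders, not values from the page.

# Server-level (mod_ldap): trust the CA that issued the domain controller's
# certificate and verify it on every LDAPS connection.
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/conf/ad-root-ca.pem
LDAPVerifyServerCert On

<Location "/intranet">
    # Basic auth sends the AD password base64-encoded: refuse plain HTTP.
    SSLRequireSSL

    AuthType Basic
    AuthName "Intranet (Active Directory account)"
    AuthBasicProvider ldap
    # 2.2 only: do not fall through to other authorization modules.
    AuthzLDAPAuthoritative on

    # Search the domain subtree for a user object whose sAMAccountName
    # matches the submitted login name.
    AuthLDAPURL "ldaps://dc1.example.com:636/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"

    # Unprivileged service account used only for the search bind.
    # Keep this file readable by root only, since the password is stored here.
    AuthLDAPBindDN "CN=svc-apache-ldap,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"

    # Conditional access by group: only direct members of this group pass
    # (2.2 does not resolve nested groups).
    Require ldap-group CN=Intranet-Users,OU=Groups,DC=example,DC=com
</Location>
```

The service account needs no rights beyond reading user and group objects; denying it interactive logon limits the impact if the configuration file is disclosed.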