I have been trying for a while now to get mod_auth_sspi up and running to help run a Drupal Intranet.
The Drupal LDAP module and the Drupal SSO instructions https://drupal.org/node/1371478 have been followed.
I am running Uniform Server 8.12, running Apache 2.2 and PHP 5.3.
mod_auth_sspi is installed in the modules directory and referenced in the httpd.conf file.
The LDAP itself works, in that going to /user someone can log into their site using the company login details from their Active Directory. The test mechanism on Drupal also pulls through relevant information such as emails etc.
However, unfortunately I can't get them to authenticate automatically.
The httpd.conf file also contains:
# Virtual hosts
Include conf/extra/httpd-vhosts.conf
# Pass NTLM authentication to Apache
LoadModule sspi_auth_module modules/mod_auth_sspi.so
<IfModule !mod_auth_sspi.c>
LoadModule sspi_auth_module modules/mod_auth_sspi.so
</IfModule>
Then the vhosts file contains
NameVirtualHost intranet.example.co.uk
<VirtualHost intranet.example.co.uk>
DocumentRoot "C:/UniServer2/www"
ServerName Intranet
<directory "C:/UniServer2/www">
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order Allow,Deny
Allow from all
</directory>
<Location /intranet/user/login/sso>
AuthType SSPI
AuthName "Intranet"
SSPIAuth On
SSPIAuthoritative On
### The domain used to authenticate with LDAP; this should match the domain
### configured in the LDAP integration configuration within Drupal
SSPIDomain xxx.xxx.x.x
SSPIOmitDomain On
SSPIOfferBasic On
Require valid-user
#SSPIBasicPreferred On
#SSPIofferSSPI off
</Location>
</VirtualHost>
For information: intranet.example.co.uk has been replaced with the name of the company, and xxx.xxx.x.x is the IP of the Active Directory. Obviously I've replaced these bits for security reasons.
Location is intranet/ because there is also another internal web application on the same server.
However, when I go to the site I receive the error message:
"You were not authenticated by the server. You may log in with your credentials below."
This happens at both intranet.example.co.uk and intranet.example.co.uk/user/login/sso
The following error reports are logged by Drupal:
ldap_sso_user_login_sso.step1: implementation: mod_auth_sspi, enabled: 1, server_remote_user: , server_redirect_remote_user: , ssoRemoteUserStripDomainName: ,seamlessLogin: 1 ldap_sso_user_login_sso.implementation: username=, (realm=) found $_SERVER['REMOTE_USER'] not found ldap_sso_user_login_sso.no_remote_user.seamlessLogin ldap_sso_user_login_sso.no_remote_user.drupal_goto user/login
So clearly Drupal isn't finding the remote user. Furthermore, I have a simple whoami.php script running in cgi-bin. The code for this is:
<html>
<head>
<!-- "echo" was missing here, so the server name never appeared in the title -->
<title>whoami at <?php echo $_SERVER['SERVER_NAME']; ?> </title>
</head>
<body style='font-family:Verdana;font-size:-1'>
<?php
// REMOTE_USER is only present when the request passed through an authenticated Location;
// guard with isset() so a missing value gives an empty user rather than a PHP notice
$remote = isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : '';
// mod_auth_sspi sets DOMAIN\user unless SSPIOmitDomain is On
$cred = explode('\\', $remote);
if (count($cred) == 1) array_unshift($cred, "(no domain info - perhaps SSPIOmitDomain is On)");
list($domain, $user) = $cred;
echo "You appear to be user <B>$user</B><BR/>";
echo "logged into the Windows NT domain <B>$domain</B>";
?>
</body>
</html>
This produced "You appear to be user" with no following text and "logged into the Windows NT domain (no domain info - perhaps SSPIOmitDomain is On)", suggesting that the server is also not picking up on the remote user.
I haven't made any specific odd alterations to the server, so I am assuming the problem I am having must be one suffered by others using mod_auth_sspi.
A couple of things it could be, although my knowledge isn't enough to tell:
I don't have Tomcat on the server. On the Apache wiki (http://wiki.apache.org/httpd/ModAuthSSPI) it says a common problem with mod_auth_sspi is that mod_jk isn't configured correctly. mod_jk seems to be a file relevant to Tomcat; however, I haven't seen Tomcat listed anywhere as a requirement for mod_auth_sspi?
Something to do with htaccess? I've seen some mentions of mod_auth_sspi and htaccess, but nothing specific. However, htaccess is the only place where I have done something vaguely unusual with the server, as it has been configured to only allow people with the same IP address as the organisation to access the site (in other words, only people in the offices can use it, and it can't be accessed from the outside).
Any advice or steps that could be taken to debug this would be greatly appreciated as I seem to be going round in circles.
Thanks.
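Added example, not part of the question above: REMOTE_USER is only populated for requests that actually pass through an SSPI-protected <Location>, and Apache matches <Location> on whole path segments. The Python below, using a constructed config modelled on the vhost shown, reports which SSPI prefix a request path falls under and splits REMOTE_USER the way the whoami.php does, including the SSPIOmitDomain case where no domain arrives.

```python
import re

# Constructed sample modelled on the <Location> block in the question (not the full vhost file).
VHOST_CONF = """
<VirtualHost intranet.example.co.uk>
    DocumentRoot "C:/UniServer2/www"
    <Location /intranet/user/login/sso>
        AuthType SSPI
        SSPIAuth On
        SSPIOmitDomain On
        Require valid-user
    </Location>
</VirtualHost>
"""

LOCATION_RE = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.S | re.I)

def sspi_locations(conf):
    """Return the URL prefixes whose <Location> block sets AuthType SSPI."""
    prefixes = []
    for path, body in LOCATION_RE.findall(conf):
        if re.search(r"^\s*AuthType\s+SSPI\b", body, re.M | re.I):
            prefixes.append(path.rstrip("/") or "/")
    return prefixes

def protecting_location(conf, request_path):
    """Apache <Location> matches on whole path segments: /intranet/user/login/sso covers
    /intranet/user/login/sso/anything but not /intranet/user/login/ssox or /user/login/sso.
    Returns the longest matching SSPI prefix, or None when the request never passes
    through SSPI (so REMOTE_USER stays unset and a whoami script there shows no user)."""
    best = None
    for prefix in sspi_locations(conf):
        if request_path == prefix or request_path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best):
                best = prefix
    return best

def split_remote_user(remote_user):
    """Split DOMAIN\\user as mod_auth_sspi sets it; with SSPIOmitDomain On only the bare
    user name arrives, so the domain comes back as None. Empty/missing gives (None, None)."""
    if not remote_user:
        return (None, None)
    domain, sep, user = remote_user.partition("\\")
    return (domain, user) if sep else (None, domain)
```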