httpd-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: [users@httpd] Sspi login prompts - enable more than one
Date Mon, 22 Sep 2008 22:13:06 GMT
Gallardo, Lisa wrote:
[...]

> When users are at work they do have IE set up as you stated above: the site is in the
> intranet security zone for automatic login and Allow Windows Integrated Authentication is
> checked. But when they are at home or away from the office they can also access by entering
> their user login and password. This is when the login prompts and it only prompts once then
> gives the error message if credentials are incorrect.

> 
> It's set up like this in my config:
> 
> AuthName "Password Required" 
> AuthType SSPI 
> SSPIAuth On 
> SSPIAuthoritative On 
> SSPIOmitDomain On 
> require group domain\domainuser
> 
> When outside the network is there a way to have apache use ldap instead? 

Hi Lisa.
That is a very simple question, with a possibly very complex answer.
There are so many cases and so many configuration possibilities that it 
is not possible to give a simple answer yes or no.
It also involves the browsers as well as the server.

First of all, since we are talking about AAA, never provide the name or 
address of your webserver in this conversation.  Or any names at all for 
that matter.  We do not want all the world's hackers to start 
concentrating on your webserver, do we ?
Be especially careful when quoting parts of your configuration files.

Let me ask you a few questions, so that I don't start an answer that 
would be totally out of context :

a) Just to get an idea, how many users are we talking about, and is 
this a small/medium/large corporation ? Can you give some general idea, 
without being very precise or disclosing any confidential information ?

b) What is "outside" ? Are we talking "Internet Café", or people with a 
company laptop connecting from another location in the company ?
How do the people from "outside" connect to your Apache web server or 
(maybe) your Intranet ? Is this a web server that is directly accessible 
on the Internet, or do the users first establish some kind of private 
connection through a VPN, a firewall, or something like that ?

c) What kind of information is on that Apache server ? Is this more or 
less public information, and you just want to know who is connecting, or 
is it private information that must absolutely be reserved for users who 
have a Domain user-id ?

d) Do all users use the same browser ?
When the users connect from home or from outside, is it from their own 
workstation/laptop (that they bought and set up themselves), or do they 
use a workstation or laptop supplied and configured by the company ?

This may look like a lot of questions, but what we are talking about 
here is Authentication and Access control. I would not want to start 
giving you tips that are not appropriate to the situation, and get you 
fired and/or both of us sued.


> If this is uncommented will it work with sspi for outside the network?
> And will it prompt twice?
[...]

It's not so simple, unfortunately, and it could be very dangerous for 
your network.
Try to give some general answers to the questions above, and then I'll 
see if I can provide real help in your case.


