httpd-users mailing list archives

From "Gallardo, Lisa" <Li...@susd12.org>
Subject RE: [users@httpd] Sspi login prompts - enable more than one
Date Mon, 22 Sep 2008 21:09:40 GMT
-----Original Message-----
From: André Warnier [mailto:aw@ice-sa.com] 
Sent: Monday, September 22, 2008 1:06 PM
Subject: Re: [users@httpd] Sspi login prompts - enable more than one

Gallardo, Lisa wrote:
> I have sspi module enabled on website (windows 2003, apache 2.0) and 
> have googled to figure out how to get the login prompt to prompt at 
> least 3 times (if incorrect password submitted) but so far only get 
> one prompt and then error page of no access which freaks folks out. 
> Plus, they can't go back or refresh page because it's set in their cookies.
> 
> Is there somewhere in the httpd.conf file I can set more than one 
> login prompt for the site?
> 
To answer your second question first: I don't think so.  This kind of thing is more likely
due to the browser settings.

But there is something else that bothers me above:
When you use something like sspi, it is usually because you want the users' browsers, in an
Intranet that is also a Windows Domain, to be able to authenticate to the Apache webserver
using their Windows Domain user-id (which is already known to the workstation at that point,
since they have already logged in to the Windows Domain).

In that context, when the login dialog even appears once in the browser, it is already an
indication of a failure.
It means that the (automatic) Windows authentication has failed, and that the browser is "falling
back" to Basic authentication.  And since the server will not accept this form of authentication,
the browser login will *never* succeed. No matter how often the login dialog comes back.

Now, assuming your users are in an Intranet and a Windows Domain, I would first check the
configuration of the browsers, and particularly a checkbox somewhere (in IE) saying "Allow
Windows Integrated Authentication".

And if the browsers are not directly inside the Domain, then you may also want to add your
webserver's hostname to the list of "trusted hosts".

Try again then and let us know.

----

Thank you so much Andre for your reply!

When users are at work they do have IE set up as you stated above: the site is in the intranet
security zone for automatic login and Allow Windows Integrated Authentication is checked.
But when they are at home or away from the office they can also access by entering their user
login and password. This is when the login prompts and it only prompts once then gives the
error message if credentials are incorrect. 

It's set up like this in my config:

AuthName "Password Required" 
AuthType SSPI 
SSPIAuth On 
SSPIAuthoritative On 
SSPIOmitDomain On 
require group domain\domainuser

When outside the network is there a way to have apache use ldap instead? If this is uncommented
will it work with sspi for outside the network? And will it prompt twice?

##########MM_MOD_LDAP_AUTH 
#AuthName "Intranet Users Only"
#AuthType Basic
#LDAP_Debug On
#LDAP_Server DOMAIN.local
#LDAP_Port 389
#LDAP_Protocol_Version 3
#Base_DN "dc=DOMAIN,dc=local"
#Bind_DN "CN=User,OU=Service Accounts,OU=Department,OU=Office,DC=DOMAIN,DC=local"
#Bind_Pass "xxxxxxx"
#UID_Attr sAMAccountName
#require valid-user
#require user 
#require roomnumber "123 Center Building"
#require filter "(&(telephonenumber=1234)(roomnumber=123))"
#Group_Attr member
#require group "CN=User,OU=Groups,OU=Office"

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
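
Added example, not part of either message and not code from Apache or the SSPI module: one way to check which authentication schemes a server actually offers in its 401 response, which is what decides whether the browser can log in silently or shows a Basic dialog. The function names and the header lines are constructed for illustration; the realm strings reuse the AuthName values from the configuration above.

```python
import re

# Schemes a domain-joined browser can answer without showing a dialog.
INTEGRATED = {"negotiate", "ntlm"}
QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')
# A challenge starts with a scheme token that is not a "name=value" parameter.
SCHEME = re.compile(r"^([\w!#$%&'*+.^`|~-]+)(?:\s+(?![\s=])|$)")

def offered_schemes(header_lines):
    """Return the scheme names found in WWW-Authenticate lines, in order."""
    schemes = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        # Blank out quoted strings so a comma inside a realm does not split.
        for part in QUOTED.sub('""', value).split(","):
            m = SCHEME.match(part.strip())
            if m:
                schemes.append(m.group(1))
    return schemes

def diagnose(header_lines):
    """Classify a 401 response by the kinds of challenge it carries."""
    names = {s.lower() for s in offered_schemes(header_lines)}
    if names & INTEGRATED:
        return "integrated-with-basic" if "basic" in names else "integrated-only"
    return "basic-only" if "basic" in names else "none"

# Constructed sample responses (not captured from a real server).
SSPI_ONLY = ["HTTP/1.1 401 Authorization Required",
             "WWW-Authenticate: NTLM",
             "WWW-Authenticate: Negotiate"]
LDAP_BASIC = ['WWW-Authenticate: Basic realm="Intranet Users Only"']
MIXED = ['WWW-Authenticate: Negotiate, NTLM, Basic realm="Password Required, office"']

if __name__ == "__main__":
    for label, sample in (("sspi", SSPI_ONLY), ("ldap", LDAP_BASIC), ("mixed", MIXED)):
        print(label, offered_schemes(sample), diagnose(sample))
```

Feed it the response headers of an unauthenticated request to the protected URL, taken once from inside the network and once from outside, to compare what each client is being asked for.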

