From: "Gallardo, Lisa"
Date: Mon, 22 Sep 2008 14:09:40 -0700
Subject: RE: [users@httpd] Sspi login prompts - enable more than one

-----Original Message-----
From: André Warnier [mailto:aw@ice-sa.com]
Sent: Monday, September 22, 2008 1:06 PM
Subject: Re: [users@httpd] Sspi login prompts - enable more than one

Gallardo, Lisa wrote:
> I have sspi module enabled on website (windows 2003, apache 2.0) and
> have googled to figure out how to get the login prompt to prompt at
> least 3 times (if incorrect password submitted) but so far only get
> one prompt and then error page of no access which freaks folks out.
> Plus, they can't go back or refresh page because it's set in their cookies.
>
> Is there somewhere in the httpd.conf file I can set more than one
> login prompt for the site?
>

To answer your second question first: I don't think so. This kind of thing is more likely due to the browser settings.

But there is something else that bothers me above:
When you use something like sspi, it is usually because you want the users' browsers, in an Intranet that is also a Windows Domain, to be able to authenticate to the Apache webserver using their Windows Domain user-id (which is already known to the workstation at that point, since they have already logged in to the Windows Domain).

In that context, when the login dialog even appears once in the browser, it is already an indication of a failure.
It means that the (automatic) Windows authentication has failed, and that the browser is "falling back" to Basic authentication. And since the server will not accept this form of authentication, the browser login will *never* succeed. No matter how often the login dialog comes back.

Now, assuming your users are in an Intranet and a Windows Domain, I would first check the configuration of the browsers, and particularly a checkbox somewhere (in IE) saying "Allow Windows Integrated Authentication".
And if the browsers are not directly inside the Domain, then you may also want to add your webserver's hostname to the list of "trusted hosts".

Try again then and let us know.

----

Thank you so much Andre for your reply!

When users are at work they do have IE set up as you stated above: the site is in the intranet security zone for automatic login and Allow Windows Integrated Authentication is checked. But when they are at home or away from the office they can also access by entering their user login and password. This is when the login prompts and it only prompts once then gives the error message if credentials are incorrect.

It's set up like this in my config:

AuthName "Password Required"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOmitDomain On
require group domain\domainuser

When outside the network is there a way to have apache use ldap instead? If this is uncommented will it work with sspi for outside the network? And will it prompt twice?

##########MM_MOD_LDAP_AUTH
#AuthName "Intranet Users Only"
#AuthType Basic
#LDAP_Debug On
#LDAP_Server DOMAIN.local
#LDAP_Port 389
#LDAP_Protocol_Version 3
#Base_DN "dc=DOMAIN,dc=local"
#Bind_DN "CN=User,OU=Service Accounts,OU=Department,OU=Office,DC=DOMAIN,DC=local"
#Bind_Pass "xxxxxxx"
#UID_Attr sAMAccountName
#require valid-user
#require user
#require roomnumber "123 Center Building"
#require filter "(&(telephonenumber=1234)(roomnumber=123))"
#Group_Attr member
#require group "CN=User,OU=Groups,OU=Office"