Nat's Geeklog - NTLM

NTLM

NTLM is the authentication protocol Internet Explorer uses to log a user in to a site automatically with the credentials of the user's OS login session. Plenty of intranet applications inside an organization rely on this. What's neat is that it isn't limited to Internet Explorer and IIS. Read on for more...

First off, Firefox can do NTLM as well. In version 1.0, navigate to about:config and find network.automatic-ntlm-auth.trusted-uris. Give it a value such as a domain (guyton.net) that you trust with your OS login credentials; multiple hosts can be entered, separated by commas. After that, automatic logins!
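An added example of the Firefox side (mine, not the post's): a user.js fragment that sets the NTLM preference above together with its Negotiate counterpart that the comments below use, followed by a small model of the host matching such a list implies. The matching rule (a bare entry matches that host and its subdomains; an entry written as a full URL also pins scheme and port; entries separated by commas or whitespace) is my reading of Firefox's documented behaviour and is marked as an assumption in the code, and the user_pref stub exists only so the file also runs under Node.

```javascript
// Added example, not code from the post. user_pref() is provided by Firefox
// when it loads <profile>/user.js; this stub exists only so the file runs
// stand-alone (node trusted-uris.js) and records what was set.
const prefs = {};
function user_pref(name, value) { prefs[name] = value; }

// Release NTLM credentials automatically only to these hosts/domains.
user_pref("network.automatic-ntlm-auth.trusted-uris",
          "https://intranet.guyton.net, guyton.net");
// Same list format for SPNEGO/Kerberos (the pref set in the comments below).
user_pref("network.negotiate-auth.trusted-uris", "guyton.net");
// Ticket delegation is a separate, stronger grant; leave it empty.
user_pref("network.negotiate-auth.delegation-uris", "");

// ASSUMED matching rule for one entry of a trusted-uris list:
//   "guyton.net"                  -> guyton.net and any *.guyton.net
//   "https://intranet.guyton.net" -> that host only, and only over https
// Entries are separated by commas or whitespace and compared case-insensitively.
function entryMatches(entry, target) {
  let base = entry.toLowerCase();
  let scheme = null, port = null;
  if (base.includes("://")) {
    const u = new URL(base);
    scheme = u.protocol;
    port = u.port;                 // "" when the default port is implied
    base = u.hostname;
  }
  if (scheme !== null && scheme !== target.protocol) return false;
  if (port !== null && port !== target.port) return false;
  const host = target.hostname.toLowerCase();
  // The dot boundary is what keeps "evilguyton.net" from matching "guyton.net".
  return host === base || host.endsWith("." + base);
}

function hostIsTrusted(list, uri) {
  const target = new URL(uri);
  return list.split(/[,\s]+/).filter(Boolean)
             .some((entry) => entryMatches(entry, target));
}

// Would the configured NTLM list release credentials to this URL?
function ntlmAutoAuth(uri) {
  return hostIsTrusted(prefs["network.automatic-ntlm-auth.trusted-uris"], uri);
}

// Stand-alone demonstration: the last two hosts are look-alikes that must NOT
// receive an NTLM response; the final line shows why a bare TLD is a bad entry.
if (typeof require !== "undefined" && require.main === module) {
  for (const u of ["https://intranet.guyton.net/app",
                   "http://wiki.guyton.net/",
                   "http://evilguyton.net/",
                   "http://guyton.net.attacker.example/"]) {
    console.log(u, ntlmAutoAuth(u));
  }
  console.log("weak entry 'net' trusts http://anything.net/:",
              hostIsTrusted("net", "http://anything.net/"));
}
```

Every host that matches gets the browser's NTLM challenge-response without any prompt, so a too-broad entry (a bare TLD, or a domain you do not fully control) lets any server under that name collect a response for offline cracking or relay. Keep the list to domains whose DNS you trust as much as your password.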

To do the same in IE, go to Internet Options - Security - Local Intranet (or Trusted Sites) and add the host there (it may need to be written as a pattern such as *.guyton.net).

OK, so enough about the browsers, what about the back-end servers? Since we like UNIX here, we aren't gonna touch IIS. Apache 2 is our favorite way to go, and two methods exist:

So far I've experimented with the first one, and it seems to work OK. After half a day, though, the website gets pretty slow to respond, so I suspect a memory leak.

I plan on trying the second one tomorrow. It seems to support multiple domains, with PDCs/BDCs for each, and returns the domain as well as the user ID in the REMOTE_USER environment variable, which I need.

These should in theory authenticate against Samba as well, and Samba in turn can take its account data from an LDAP server. That is nice because the whole thing can then be built from Firefox, Samba, Apache and OpenLDAP, eliminating any reliance on Microsoft products (other than the OS login) while still providing single sign-on.
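An added httpd.conf fragment (mine, not the post's) for the second method described above, the mod_perl handler Apache::AuthenNTLM that the first comment names. The domain names, domain-controller hostnames and the /intranet location are made-up placeholders; the directive names are the module's own.

```apache
# Added example, not configuration from the post. Windows domain names,
# controller hostnames and the /intranet path are placeholders.
PerlModule Apache::AuthenNTLM

<Location /intranet>
    PerlAuthenHandler Apache::AuthenNTLM

    # "ntlm" alone refuses Basic fallback. "ntlm,basic" would let a client
    # without NTLM support send the user's Windows password itself in a
    # Basic header, which is only tolerable over TLS and usually not wanted.
    AuthType ntlm
    AuthName "GUYTON intranet"
    Require valid-user

    # One line per Windows domain: "<domain> <PDC> [<BDC>]".
    PerlAddVar ntdomain "GUYTON pdc.guyton.net bdc.guyton.net"
    PerlAddVar ntdomain "LAB    pdc.lab.guyton.net"
    # Domain assumed when the client sends a bare user name.
    PerlSetVar defaultdomain GUYTON

    # 0 in production; 1 or 2 writes the handshake to the error log.
    PerlSetVar ntlmdebug 0
</Location>

# NTLM authenticates the TCP connection rather than each request, so
# keep-alive must stay on, and the handshake does not survive an HTTP
# proxy sitting between the browser and this server.
KeepAlive On
```

As the post notes, REMOTE_USER then carries the domain as well as the user name, so application-side authorization must compare against DOMAIN\user and not the bare account name.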

 

3 comments
NTLM
Authored by: nat on Wednesday, February 09 2005 @ 04:04 PM CST
Apache::AuthenNTLM works like a charm. Multiple domains, fast (due to mod_perl), etc.

Now the only problem is that I'm told our primary domain is switching over to kerberos and will be turning NTLM off soon. Ugh! Will have to see what I can set up there...
Kerberos rocks!
Authored by: nat on Friday, February 18 2005 @ 05:26 PM CST
I've got my Linux server at work authenticating against the active directory kerberos domain. Didn't even need a host principal. Sweet! Now I don't have to worry about an extra password on the UNIX box. Still working on the web part - most likely I need a web HTTP principal.

Now at home I need to figure out how to get Windows XP Home edition working with all this, then get a kerberized ssh client (ssh on fedora already uses kerberos). It would be ideal to get a kerberized VNC session up, too, but that might be wishful thinking without having to pay money...

Kerberos rocks!
Authored by: Anonymous on Monday, February 21 2005 @ 04:13 PM CST
Cool, I got mod_auth_kerb working on Apache at home, and this one doesn't need mod_perl, either. On my Linux desktop, if I run kinit and get a Kerberos credential cache, then Konqueror will automatically log in to my webserver! (It's possible that I don't have to configure any further trust because the machine realm and webserver realm are the same - I don't know about cross-realm workings.) If I had not run kinit, then it asked for a password. Pretty neat!

I did have a little trouble getting the webserver working right - turns out it was failing because my service principal was http/saturn.guyton.net@GUYTON.NET instead of HTTP/saturn.guyton.net@GUYTON.NET. Huh. Anyway, now that that's taken care of...

Firefox was a little more tricky - I had to edit a different setting than NTLM in about:config - this time I set "guyton.net" to the network.negotiate-auth.trusted-uris parameter, and after that, Firefox on Linux did automatic logins as well. Sweet!

I have not gotten this working on Windows XP Home with either Firefox or IE. Most likely it won't work, since XP Home doesn't really support Kerberos by default (so I think). We'll see if I find anything. Makes a case for a Linux or XP Pro desktop.
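An added mod_auth_kerb fragment (mine, not the commenter's configuration) for the setup the last comment describes: a Kerberos-protected Apache location whose service principal is HTTP/saturn.guyton.net@GUYTON.NET, accessed by kinit'd clients over SPNEGO. The keytab path, the /intranet location and the admin principal used with kadmin are assumptions; the principal name and realm are the comment's own.

```apache
# Added example, not configuration from the comment. Keytab path, location
# and admin principal are placeholders; the service principal is the comment's.
#
# One-time keytab creation on the KDC (MIT kadmin). Note the upper-case
# HTTP/, which the comment found is what the client actually requests:
#   kadmin -p nat/admin@GUYTON.NET
#     addprinc -randkey HTTP/saturn.guyton.net@GUYTON.NET
#     ktadd -k /etc/httpd/conf/http.keytab HTTP/saturn.guyton.net@GUYTON.NET
#   klist -k /etc/httpd/conf/http.keytab   # verify, then chown apache; chmod 0400

LoadModule auth_kerb_module modules/mod_auth_kerb.so

<Location /intranet>
    AuthType Kerberos
    AuthName "GUYTON.NET Kerberos login"

    KrbAuthRealms GUYTON.NET
    # Service name + ServerName give HTTP/saturn.guyton.net; the ticket the
    # browser presents is decrypted with the matching keytab entry.
    KrbServiceName HTTP
    Krb5KeyTab /etc/httpd/conf/http.keytab

    # Accept Negotiate (SPNEGO) tickets from clients that already ran kinit,
    # e.g. Konqueror or Firefox with network.negotiate-auth.trusted-uris set.
    KrbMethodNegotiate on
    # Do not fall back to a password prompt: with K5Passwd on, a client without
    # a ticket is offered Basic auth and sends the Kerberos password itself to
    # the web server, which defeats the point of single sign-on.
    KrbMethodK5Passwd off

    # Forwarded credentials are written to disk only if the application has to
    # act on the user's behalf (delegation); most sites should leave this off.
    KrbSaveCredentials off

    # REMOTE_USER arrives as user@GUYTON.NET.
    Require valid-user
</Location>
```

If the handshake fails, the first thing to compare is the principal in the keytab (klist -k) against the one the client asks for (KRB5_TRACE=/dev/stderr kinit, or the module's debug logging); a case or hostname mismatch there produces exactly the silent failure the comment hit.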

 Copyright © 2010 Nat's Geeklog