Re: Pass-through LDAP authentication with Internet Explorer and Active Directory

On Tue, Sep 16, 2008 at 1:28 PM, André Warnier <aw@xxxxxxxxxx> wrote:
Clayton Hicklin wrote:
I have LDAP authentication against Active Directory working perfectly in
Firefox, but my problem is with IE.  IE automatically passes through the
username and password so once you are logged into the domain, you don't have
to type it in again.

That's great, except it is passed through as <domain>\<user>.  To do LDAP
authentication against Active Directory, I am searching the sAMAccountName
attribute of the users.  This attribute holds the username for that user,
but does not include the <domain>\ prefix, therefore authentication fails in
IE and it prompts you for the username and password.

As far as I can tell, the <domain>\ prefix is not stored anywhere inside the
user object, so there is no way to authenticate with the credentials that IE
provides.

Has anybody got this working?  Is there some sort of workaround or hidden
parameter in the Apache LDAP modules that might fix this?  Thanks!

Hi Clayton.
There are so many things that might be "happening in IE" that you need to be a little more specific for someone to be able to help you.
Can you provide some more precise details about your setup, like which version of Apache, what module you are using, what the parameters are, etc.?
There are not so many things that can be done at the IE side, but maybe the authentication module which you are using on the server side has some parameters.
The fact that IE at first passes the domain\user seems to imply that IE thinks it is doing "Windows Integrated Authentication", which can be a good or a bad thing. But without some more details, one would not know where to start looking.
Contrary to what you seem to think (or at least what you write), it is not in IE that authentication fails, it is at the server level.  As a result, the server sends a "401 Authorization required" to IE, and that is when IE pops up the login dialog.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
 "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


I didn't mean to imply that the authentication fails "in" IE.  I realize it is at the server.  My issue is that I would like a seamless user experience.  IE is passing 'domain\user' due to "Windows Integrated Authentication" being turned on, and it would be nice if those credentials could be used to authenticate without popping up the login dialog.  This works using the mod_auth_sspi module (which uses NTLM) but not with LDAP authentication.  The reason is that with LDAP authentication, you have to specify an attribute to search for the username that is passed to Apache.  In the case of Active Directory, this attribute is sAMAccountName.  This attribute stores the username of the Windows user.  The problem is that IE passes 'domain\user' (not just 'user') on its first attempt at authentication.  This obviously fails, which causes the login dialog to pop up.  You can then just type in your username and password and everything works fine.

I think the ultimate solution would be to modify the Apache LDAP module to accept a parameter that would optionally strip out the domain portion of the credentials that IE passes.  That way, we could use IE + APACHE + Active Directory (LDAP) for a seamless SSO solution.  I think this would be pretty common in most corporate environments, which is where this is being implemented.

--
Clayton Hicklin
chicklin@xxxxxxxxx
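An added example, not from this thread and not part of any Apache LDAP module, showing how the "strip the domain" step proposed above can be done safely: the domain part IE sends is checked against a caller-supplied set of accepted domains (the hypothetical `accepted_domains` parameter) instead of being discarded blindly, and the resulting name is escaped before it is placed in the sAMAccountName search filter. The sample logins are constructed.

```python
import re

# Characters Active Directory forbids in a sAMAccountName (" / \ [ ] : ; | = ,
# + * ? < > and control characters); user accounts are limited to 20 chars.
_SAM_RE = re.compile(r'[^"/\\\[\]:;|=,+*?<>\x00-\x1f]{1,20}')

# RFC 4515 escapes for a value placed inside an LDAP search filter, so the
# login can never alter the filter's structure (e.g. 'x)(objectClass=*').
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def normalize_windows_login(login: str, accepted_domains: set) -> str:
    """Reduce 'DOMAIN\\user', 'user@upn.suffix' or bare 'user' to the sAMAccountName.

    A domain part, when present, must be one of accepted_domains (compared
    case-insensitively). Any other domain is rejected rather than silently
    stripped, so a foreign-domain login never maps onto a same-named local
    account. Raises ValueError for anything that is not a plausible name.
    """
    login = login.strip()
    if "\\" in login:
        domain, _, user = login.partition("\\")
    elif "@" in login:
        user, _, domain = login.partition("@")
    else:
        domain, user = None, login
    if domain is not None and domain.lower() not in {d.lower() for d in accepted_domains}:
        raise ValueError(f"login not in an accepted domain: {login!r}")
    if not _SAM_RE.fullmatch(user):
        raise ValueError(f"not a valid sAMAccountName: {user!r}")
    return user

def sam_account_filter(login: str, accepted_domains: set) -> str:
    """Build the search filter an LDAP module would run for this login."""
    user = normalize_windows_login(login, accepted_domains)
    return f"(sAMAccountName={escape_filter_value(user)})"

if __name__ == "__main__":
    # Constructed sample logins: the form IE sends with Integrated Windows
    # Authentication, a UPN form, a bare name, and a login from another domain.
    for sample in ("CORP\\jdoe", "jdoe@corp.example", "jdoe", "OTHER\\jdoe"):
        try:
            print(sample, "->", sam_account_filter(sample, {"CORP", "corp.example"}))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

Because the LDAP module still binds with the password the browser supplied, this only fixes the lookup step; it does not by itself turn a Basic-auth prompt into real single sign-on.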
