SSO Authentication - Apache/PHP/ActiveDirectory

Question

I want to make an intranet with SSO Authentication through Active Directory. I searched about and I found maybe two ways :

1. Using the apache module mod_authnz_sspi . I can get the username and the domain but it seems there is no authentication. Maybe I don't really get it...

   Here my apache conf for this module :

   \n \n    AuthType SSPI \n    SSPIAuth On \n    SSPIAuthoritative On \n    SSPIOfferBasic On \n    SSPIOmitDomain Off \n    SSPIDomain MyDOMAIN \n    Require valid-user \n\n

   So I guess the "connection" is not really safe...

2. Using the apache module mod_authnz_ldap but I can't make it works well...

   Here my apache conf for this module :

    \n   \n   AuthName "LDAP Authentication" \n   AuthType Basic \n   AuthBasicProvider ldap \n   AuthLDAPBindAuthoritative off \n   AuthLDAPURL "ldap://ad.server.fr:389/DC=server,DC=local?sAMAccountName?sub?(objectClass=person)" NONE \n   AuthLDAPBindDN ldap@server.local \n   AuthLDAPBindPassword password \n   AuthLDAPRemoteUserAttribute on \n   LDAPReferrals Off \n\n

   I got this error LDAP: SSL support unavailable: LDAP: CA certificates cannot be set using this method, as they are stored in the registry instead. but I don't want to use SSL for the connection...

   Actually I don't really get how this works. My active directory doesn't get connection from my apache or just maybe anonymous.

Now I don't know how to make a SSO Authentication on my intranet. Which way is better ? Is there another one ?

I use wamp ( for windows ) with apache 2.4.4.

Answer 1

I use apache 2.4.4, on windows xp, with mod_authnz_sspi and the following works for me for people using IE8. But i'm not using PHP. Using Django.

<Location "/k/">
    AuthName "Something"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain "COMPANY"
    SSPIUsernameCase "upper" 
    require valid-user
    SSPIPerRequestAuth Off
    require user "NT AUTHORITY\ANONYMOUS LOGON" denied
</Location>