Disable Login Prompts in mod_auth_sspi_1.0.4-2.2.2

Question

What I'm trying to do:

• Create a home page on our company's intranet that automatically grabs the logged-in Windows username of the person viewing the page without the person being prompted to enter these credentials when the page loads.

• Currently, I just want it to grab the local username, since it'll be awhile before our IT guys get a domain setup. For example, right now I'd want it to capture the "(PC-Name)\windows.user.name" without any prompts.

Environment:

• Apache 2.2.21 on Windows 7 x64 (will be on CentOS once it's in production).

• PHP 5.3.8 (VC9-ZTS).

• Internet Explorer 9.0.8x and Firefox 6.0.2 (will worry about Chrome later).

• Current test page is just a PHP script calling print_r( $_SERVER ).

• To keep things simple, the directory I'm testing this on is not a VirtualHost.

Steps I've taken thus far:

• Downloaded mod_sspi_1.0.4-2.2.2 from SourceForge and extracted mod_auth_sspi.so to the Apache modules directory.

• Added the module declaration:

  LoadModule sspi_auth_module modules/mod_auth_sspi.so

• Added the directory definition:

  AllowOverride None Options None Order allow,deny Allow from all

  AuthName "My Intranet"
  AuthType SSPI
  SSPIAuth On
  SSPIAuthoritative Off
  
  require valid-user
  

• Enabled Integrated Authentication in Firefox by going to about:config and setting network.automatic-ntlm-auth.trusted-uris to the absolute URL path of the PHP script then restarted Firefox.

• I haven't done the equivalent step in IE yet but I will once I get Firefox working as that's our primary supported browser internally.

• Restarted Apache and attempted to load the test PHP script.

The result:

• In both IE and Firefox, I get prompted for a username and password before the page loads. I don't want that prompt. I want the username to be detected automatically without a prompt.

Troubleshooting thus far:

• I've tried cycling through the various SSPI options, such as authritative on/off and whatnot. No effect.

• Prompt no longer appears if I remove "require valid-user", but then the username is not passed, either (it isn't NULL; simply not set in the array period).

• If I hit "Cancel" on the prompt, I get the standard "Authentication Required" page.

• If I enter an invalid username, or the correct username but with the wrong password, the page will load but the username will be "(PC-Name)\Guest".

• If I enter the correct username/password, then the username is displayed instead of Guest.

• Once I enter a username/password in IE or Firefox, the browser remembers that username on subsequent page loads until I clear the stored passwords cache or restart the browser.

• I've spent the last 3 or so hours Googling and random guessing. Zero success. I've found a few isolated forum posts of people asking this question, but either they went unanswered or offered solutions that I've already tried without success.

Again, what I want is for the page to load, WITHOUT any prompting, and display the currently logged-on Windows username in the $_SERVER array output.

As far as I can fathom, this is either: A Windows configuration issue, an Apache configuration issue, or a browser configuration issue. Other than that, I'm fresh out of ideas.

I would be very grateful for any help you can offer. Thanks!

--Kris

Answer 1

Took a couple days, but I eventually figured it out on my own. Apparently, the various documents and tutorials out there describing the Firefox about:config setting are wrong. They claim that the full URI, including protocol prefix, must be included. As it turns out, the exact opposite is true.

As a random shot in the dark, I tried setting it to just "localhost" (the domain the test server's running on). And voila! That fixed it! "http://localhost", on the other hand, caused it to break.

Once I got it working in Firefox, having verified that the server-side configuration was correct, applying it to IE and Chrome was a cinch. For IE, I just added "http://localhost" (in this case, you do want the protocol prefix) to the "Intranet" zone. And since Chrome makes use of the same network settings that IE uses, that step got it working for both browsers.

As far as server-side config goes, it looks like I had that right from the beginning. I was able to simplify it a bit, though, so really all you need in the directory block is this:

AuthName "Whatever you want to call your intranet"
AuthType SSPI
SSPIAuth On

require valid-user

With this setup, if you point to a PHP script doing a print_r( $_SERVER ), the output will contain something like this:

[REMOTE_USER] => dev-kdc-pc01\kris.craig
[AUTH_TYPE] => NTLM
[PHP_AUTH_USER] => dev-kdc-pc01\kris.craig

If you want to get rid of the domain part (i.e. the "dev-kdc-pc01\"), you can either parse it out in PHP or add this line to your SSPI stuff in the directory block in httpd.conf mentioned above:

SSPIOmitDomain On

Please note that I've only tested this on a Windows system where the Apache webserver was running on localhost. I have not yet tested it in a situation where the Apache server is running on Linux, though that shouldn't have any impact on the results since the server is just accepting whatever the browser sends it. This also requires that the client be running Windows or some other SSPI-compatible environment. I haven't yet determined how to make this work for our Mac-using employees.

Also note that I've successfully tested this on a network that does not currently have a domain configured. According to articles published elsewhere, the behavior should be identical on a workstation that is a member of a domain.

I hope this helps! Thanks!