Ntlm/Kerberos authentication in Django

Question

I'm looking for a guide about adding windows authentication support into a django app, particulary OSQA

I'm aware about http://code.google.com/p/python-ntlm/ And also saw this post: http://erny-rev.blogspot.com/2007/11/ntlm-authentication-in-django.html But I'm not a Django-dev, I just want to deploy OSQA in Windows enviroment (intranet, so I need to add windows authentication). So I'm looking for simple step-by-step description.

(I've managed to deploy a OSQA site on windows with SQL Server and it's working)

UPDATE:
I'd like to get not just auth against AD but SSO-like behavior in IE. As a user access my django-based site in IE it'd automaticaly authenticated with its domain account.

Answer 1

You can do this using Apache, mod_auth_kerb and REMOTE_USER authentication with Django hosted as mod_wsgi.

Here is an example of some config we use:

WSGIDaemonProcess myapp user=myapp group=myapp processes=5 threads=1
WSGIProcessGroup myapp
WSGIScriptAlias /myapp /home/wolapp/code/wolapp.wsgi
<VirtualHost ...>
    <Location /myapp>
            AuthType                Kerberos
            AuthName                "Domain Login"
            KrbMethodNegotiate      On
            KrbMethodK5Passwd       On
            KrbAuthRealms           YOUR.DOMAIN
            Krb5Keytab              /etc/krb5.keytab
            KrbServiceName          HTTP/server.your.domain
            require                 valid-user
    </Location>
</VirtualHost>

You then need to setup this:

http://docs.djangoproject.com/en/dev/howto/auth-remote-user/

A couple of caveats to note:

1. Opera fails completely in our testing; it can't handle the "Negotiate" header
2. IE works fine if the machine is in the domain, but if it isn't, you get prompted for your password twice - the first time the machine uses "ITSNAME\username" which fails; the second time the bare "username"

Hope this helps.