SSO - Get the AD Username with Apache

I have PHP 5.6.17 and Apache 2.4.10 running on Debian 8.

I want to populate the PHP variable $_SERVER['REMOTE_USER'] with the Windows username, to log in the user if the username is in my database. I'm comfortable with the security risks involved in this method, as this will only be exposed on a local network.

Here is what I did in my Apache vhost definition:

<LocationMatch "/login/ssologin">
    PerlAuthenHandler Apache2::AuthenNTLM
    AuthBasicAuthoritative on

    AuthType ntlm
    AuthName "hello"

    Require valid-user

    PerlAddVar ntdomain  "my.local"
    PerlSetVar defaultdomain my.local
    PerlSetVar splitdomainprefix 1
    PerlSetVar ntlmauthoritative off
    PerlSetVar ntlmdebug 1
</LocationMatch>

I put the URL into the trusted sites on Internet Explorer, but I was still prompted for basic authentication.

What did I miss?

My only goal is to get the username of the Windows session. Is there another, easier way?

BastienSander asked Mar 17 '16 16:03


1 Answer

First, your ntdomain is incomplete. According to the documentation, the variable is set like this:

PerlAddVar ntdomain "my.local PDC_NAME BDC_NAME"

Without a domain controller to authenticate against, the valid-user requirement can never be met.

Second, Apache2::AuthenNTLM does not support NTLM version 2 authentication.

Since Windows Vista and Server 2008, NTLM version 2 has been used exclusively. Previous versions of Windows would fall back to version 1 if the server did not support version 2. Although you can modify the security policy to revert to the old behaviour, this is very dangerous.

As mentioned in this answer, there is a Python module that handles NTLM version 2 authentication. Obviously this will require installation of mod_python but is fairly simple to configure.

Finally, configuring automatic login requires more than adding it to the Trusted Sites list. You should put it in the Intranet zone, and ensure that automatic login is enabled for this zone (e.g. medium-low security settings).

miken32 answered Sep 22 '22 06:09
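Once the Apache side is working, the remaining piece is the PHP script behind /login/ssologin that turns $_SERVER['REMOTE_USER'] into a database lookup. The following is an added example, not code from the question or the answer: it assumes the script is reachable only through the protected LocationMatch (so REMOTE_USER is filled in by Apache, never by the client), a PDO connection whose DSN and credentials are placeholders, and a hypothetical "users" table with an "id" and a "username" column. It tolerates both the "DOMAIN\user" form (when splitdomainprefix is off) and the bare account name, rejects anything that is not a plain account name, and uses a prepared statement for the lookup. It is written to run on PHP 5.6 as in the question.

```php
<?php
// Added example: consuming the username Apache2::AuthenNTLM placed in
// $_SERVER['REMOTE_USER'] after the vhost authentication succeeded.
// Assumptions (placeholders, not from the original post): the DSN and
// credentials below, and a table "users" with columns "id" and "username".
session_start();
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8', 'app_user', 'app_password');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

/**
 * Normalise the value Apache hands over. With "splitdomainprefix 1" the
 * module already strips "DOMAIN\"; accept both forms and the UPN form
 * "user@my.local", and reject anything that is not a plain account name.
 * Returns the lower-cased account name, or null if nothing usable is present.
 */
function sso_username_from_server(array $server)
{
    if (empty($server['REMOTE_USER'])) {
        return null;                       // Apache did not authenticate anyone
    }
    $raw = $server['REMOTE_USER'];

    // Strip a "DOMAIN\user" prefix if the module left it in place.
    $pos = strrpos($raw, '\\');
    if ($pos !== false) {
        $raw = substr($raw, $pos + 1);
    }
    // Strip a "@my.local" suffix in case the UPN form is delivered.
    $at = strpos($raw, '@');
    if ($at !== false) {
        $raw = substr($raw, 0, $at);
    }

    // sAMAccountName-style characters only; anything else is not a login name.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $raw)) {
        return null;
    }
    return strtolower($raw);
}

/** Look the account up with a prepared statement; return the row or null. */
function sso_find_user(PDO $pdo, $username)
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute(array(':u' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$username = sso_username_from_server($_SERVER);
if ($username === null) {
    header('HTTP/1.1 401 Unauthorized');
    exit('SSO did not provide a usable username.');
}

$user = sso_find_user($pdo, $username);
if ($user === null) {
    header('HTTP/1.1 403 Forbidden');       // authenticated, but not in our table
    exit('Account not registered.');
}

session_regenerate_id(true);               // fresh session id at login
$_SESSION['user_id'] = (int) $user['id'];
header('Location: /');
```

The script deliberately refuses to proceed when REMOTE_USER is empty rather than falling back to a form or a header value: the only thing that makes this login trustworthy is that Apache, not the browser, set the variable, which holds only for requests that passed the Require valid-user check in the LocationMatch.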