Hello, I'm a Brazilian student, and I have a problem with SSPI authentication.
I'm building an intranet system. In this system the PHP page needs to get the information about the user logged on to Windows; the login on the page needs to be the same as the user's Windows user name. A friend told me to use SSPI, but when I access the page, the system asks for the user and password, and when I submit, it tells me that they're wrong, but they are correct.
My idea is that the system doesn't ask for user and password; the system needs to get this information automatically. The system's users are based in Active Directory, maybe that helps.
If anyone can help me, I'm going crazy with this... thanks.

(sorry for my English, it's so poor, but I'm studying =D )

    Up...

    Please, can anyone help me? =(
    I'm going crazy with this...

      Yes, but the page asks for login and password, but my idea is that the system gets this information automatically, because the user has logged into Windows and doesn't need to log in again.

        With LDAP, will my system work like this, without asking for username and password?

          You say you tried using the SSPI module for Apache yet you were still prompted for a username and password?

          When you access the webpage where you tried to do the transparent authentication, which web browser was being used? Also, if you look in the lower-right corner, does it say "Internet Zone" or "Intranet Zone"? Unless IE recognizes the URL as an Intranet Zone, I don't think you'll have any luck getting it to automatically handle authentication.

          EDIT: Note that you can use Group Policies, however, to automatically add the domain of the URL you're trying into IE's "Intranet Zone" sites list.

            Hmm
            I just tried the SSPI module and it worked fine for me. I was impressed. I did not know this existed.

            I got it from http://sourceforge.net/projects/mod-auth-sspi/

            How did you configure your Apache?

            I added the module to my modules dir and then loaded it in httpd.conf with
            LoadModule sspi_auth_module modules/mod_auth_sspi.so

            And then added the following to my .htaccess

            AuthName "Local Intranet"
            AuthType SSPI

            SSPIAuth On

            require valid-user

              I, too, just tested the above module and it works if I accessed the server such that it was considered in the "Local intranet" zone. If I accessed the same server in a manner such that IE thought it was in the Internet zone, I had to enter a username and password.

              Also:

              evandrobm wrote:

              the system asks for the user and password, and when I submit, it tells me that they're wrong, but they are correct.

              He probably didn't enter his username correctly - the format must be "Domain\Username" (or "Username@FQDN"; FQDN is "Fully Qualified Domain Name"). Entering just the username alone won't tell the server which domain the username is supposed to belong to (unless there's a method to specify a default domain in the SSPI config) and it will default to matching against local users on that server itself.
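
How a PHP page behind this setup can read the logged-on user, as an added example that is not code from the thread or from mod_auth_sspi: it assumes Apache passes the authenticated name to PHP in `$_SERVER['REMOTE_USER']`, accepts the two username formats described above, and rejects anything else. The helper name and the sample accounts are hypothetical.

```php
<?php
// Added example; sspi_identity() is a hypothetical helper, not part of mod_auth_sspi.

/**
 * Split the server-authenticated account name into domain and user.
 * Returns null when no unambiguous domain account is present.
 */
function sspi_identity(array $server): ?array
{
    // Trust only the name the web server authenticated, never a form
    // field, cookie or request header supplied by the browser.
    $raw = trim((string)($server['REMOTE_USER'] ?? ''));
    if ($raw === '') {
        return null; // auth module not active for this URL: fail closed
    }
    // "Domain\Username"
    if (preg_match('~^([^\\\\@/]+)\\\\([^\\\\@/]+)\z~', $raw, $m)) {
        return ['domain' => strtoupper($m[1]), 'user' => strtolower($m[2])];
    }
    // "Username@FQDN"
    if (preg_match('~^([^\\\\@/]+)@([^\\\\@/]+)\z~', $raw, $m)) {
        return ['domain' => strtoupper($m[2]), 'user' => strtolower($m[1])];
    }
    return null; // bare username: domain unknown, could be a local account
}

// Constructed sample values standing in for $_SERVER.
$samples = [
    ['REMOTE_USER' => 'CORP\\jsilva'],
    ['REMOTE_USER' => 'jsilva@corp.example.local'],
    ['REMOTE_USER' => 'jsilva'],
    [],
];
foreach ($samples as $s) {
    $id = sspi_identity($s);
    echo ($s['REMOTE_USER'] ?? '(unset)'), ' => ',
        $id ? $id['domain'] . ' / ' . $id['user'] : 'rejected', PHP_EOL;
}
```

In the real page, call `sspi_identity($_SERVER)` and stop with a 401 or 403 when it returns null instead of falling back to an anonymous session.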

                Good news o/

                But I think that my system is in the "Internet Zone", because the bottom bar shows "Internet". How do I configure my system as an "Intranet Zone"???

                In my test on another PC, only for testing (localhost, without network), the system works fine.

                How do I configure an "Intranet System"???

                  bradgrafelman;10948151 wrote:

                  He probably didn't enter his username correctly - the format must be "Domain\Username" (or "Username@FQDN"; FQDN is "Fully Qualified Domain Name"). Entering just the username alone won't tell the server which domain the username is supposed to belong to (unless there's a method to specify a default domain in the SSPI config) and it will default to matching against local users on that server itself.

                  I have entered domain\username...

                    Internet Explorer isn't very smart (no surprises there, right? :p) when it comes to determining whether a URL is pointing to a server in the intranet versus the internet. It doesn't do any IP-based analyzing at all; if it looks like an internet domain (e.g. "mysite.com"), it assumes you're browsing the internet.

                    To force your internal website to be placed in the intranet zone (thus enabling IE to pass the domain credentials of the user logged on), you have to manually add it to IE's list of sites in the intranet zone.

                    How I did this for a school, however, was to modify one of the Group Policy Objects (GPOs) that spanned all computers on the network and configure IE's intranet zone to add their website to the zone's list of sites. If you have access to modify a GPO, this is a very convenient, easy way of doing this. It sure is better than visiting each computer on the network and setting up IE manually! :p

                      BIG problem here: nobody has access to Security Options, and changing the policies is very difficult. But one thing that makes me crazy is the fact that the system doesn't accept my credentials =O

                        What exactly are you entering for the username?

                        If you don't have access to edit the security options in Internet Explorer, then you'll have to talk to the IT administrator/department and see if they will make the changes in a Group Policy Object (I'd even be so kind as to write a quick and easy step-by-step guide if you think that would help).

                        Out of curiosity, what URL are you typing in to get to the web server?

                          The URL is http://IP_OF_SERVER:8080/

                          At login, I enter DOMAIN\USERNAME (the username is the same as in Windows) and the same password as in Windows...

                          And the problem with the GPO... bureaucracy... VERY VERY much bureaucracy... it's best to ignore this option, if there is any other =/

                          I will run tests with other machines, if GPO is the only solution...

                            Sorry for the duplicated post, I didn't see my post and posted it again, but it is on the second page =/

                              Not sure why you can't at least login by entering a valid username and password - it worked for me when I tried it. Then again, I wasn't running Apache as the web server's local system account... the Apache process was running under my user credentials (and I'm an Enterprise Administrator, too). I'll try it out again later tonight with Apache running under the local system account of the webserver and see if that makes any difference.

                              As for your other problem... can you try using the name of the server in the URL instead of its IP? By name, I mean the actual computer name specified in Windows. If you access the page via the actual name and not an IP address (or by using "mydomain.com"), that should convince IE that you're accessing a page in the Intranet zone. Check the lower-right corner again to see if this is true, and let me know if it asks you for a username and password still.

                              EDIT: I deleted your duplicate post, as I've done the same thing before (not realizing there was a second page when I was only viewing the end of the first)! :p
