IIS 7 NTLM and SSO Problems

by Les Ingleby -
Number of replies: 2

Hi everyone - before I get to my problem I will give the usual server specs.

Win 2008 Server

IIS 7

PHP 5.2.11

MySQL 5.1.40

Moodle Version Moodle 1.9.6+ (Build: 20091028)

My setup uses LDAP for user authentication which works fine.

My problem is that I can no longer use NTLM SSO with IIS7. I did try and play around with the authentication but I was getting nowhere and was also under pressure to get the server up and running. In the end I exported then imported my database and disabled SSO then exported and imported to my server - only way to gain access to my Moodle site again.

Users can now log in but they have to do so using their password. I would like to get SSO working again as this feature is great. It was working fine under Win 2003 and IIS6. I did try and mimic the settings I used with IIS6 - such as turning anonymous auth off on the ntlmsso_magic.php file and enabling Windows authentication but still no luck.

I did receive an error message which I think was something like [IWASSONOTENABLED] - not the actual error but was very similar to this.

On another note I did have user authentication almost working where the SSO would loop trying to auto login the user but then after many more settings I was unable to replicate this.

Since my server is running on VM, I have made a test server and can use this to test out and get SSO working under IIS 7. Hopefully we can then produce some tech docs for anyone else who is thinking of upgrading.

Any ideas?

Les

In reply to Les Ingleby

Re: IIS 7 NTLM and SSO Problems

by Les Ingleby -
I forgot to point out that I am using PHP via FastCGI in IIS 7.
In reply to Les Ingleby

Re: IIS 7 NTLM and SSO Problems

by John Gifford -

What was the looping you were getting? Just wondered if it was similar to what I'm getting.

Because our Moodle (2.4.1) is set up on a Windows 2008R2 server with Apache and IIS7. The duality is so that IIS can handle our external https access (which uses the regular login page and works fine).
While the internal access is Apache using mod_auth_sspi(?). However when I turn on the NTLM SSO authentication it seems to work OK for most students, but I tried a laptop yesterday having been shown by one of the other technicians where it looped for him.
Instead of failing the NTLM and reverting to the ntlm skipped login page it tries to recheck and recheck and recheck looping indefinitely. The popup request is also not up long enough to make any serious use of. So I could do with either a way of extending that time or sorting out why it's looping like that.
Clicking the continue link to take you manually to the skip ntlm login page actually returns it to trying ntlm. I did set up the alternateloginurl to point to the ntlm_sso_attempt file, but without that I just get a regular login page and it doesn't even try ntlm. I'd like to use SSO, at least inside the school so that I can start to expand how it's used.