NTLM SSO Issues - Windows Server 2008 - IIS 7.5

by Richard Hatch -
Number of replies: 4

Hi,

This is my first post to the Moodle forums (which I have found very useful in helping me with setting up our Moodle so far).

My setup is:

Windows Server 2008 R2

IIS 7.5

PHP 5.2.13 (Installed via Microsoft Web Platform Installer)

Moodle 1.9 (Installed via Microsoft Web Platform Installer).

Microsoft SQL Server 2008 (running on a different server, FreeTDS configured and working).

I have set up our new Moodle under IIS 7.5 with SSL enabled. I have configured FreeTDS within the php.ini to load the extension and have successfully connected Moodle to our SQL 2008 server, created the database structure and manually logged into Moodle. So far so good!

Next I have set up LDAP authentication and got this working as well, and I am able to log in from any client using the users' normal Active Directory login details.

My next step after getting LDAP authentication to work was to enable NTLM single sign-on, and this is the part I am now stuck on! I am at a stage where my client PCs do try to connect via SSO and I am prompted by IE in a popup login box for my login details, but it won't accept them and I have to cancel. I then get an error "Auto-login failed, try the normal login page..." and am redirected to the normal login page, which, if I type my Active Directory login details, works and logs me in perfectly via LDAP authentication.

NTLM SSO does work when I bring up IE8 on the server hosting Moodle, and logs me into Moodle as the domain admin (this is the login I am logged into the server with). But this is the only place that it works.

I have searched the forums for hours, and tried many different fixes but none seem to enable me to get NTLM SSO working on the clients.

I did find one post that talked about creating a PHP test script, which had the following code:

<?php
// Prints the account IIS authenticated for this request;
// the page is blank when Windows Authentication did not complete.
echo $_SERVER['REMOTE_USER'];
?>

If I connect to this page, which I called '..moodle/auth/ldap/usertest.php', from the server I see my 'domain/username' (which I guess is what I am looking for), and SSO does work from this server. But from any other client I get a blank page.

Any help or advice would be great!

Things were going so well and now I feel I have come up against a brick wall!

Thanks

Richard

In reply to Richard Hatch

Re: NTLM SSO Issues - Windows Server 2008 - IIS 7.5

by Richard Hatch -

OK, I think I have just managed to resolve this problem by playing with settings within IIS 7.5!!!

Thought I would post my response in case it is useful to anyone else with the same problem.

Within IIS 7.5, I went to the authentication properties of 'moodle/auth/ldap/ntlmsso_magic.php', which is set to Windows Authentication enabled and Anonymous disabled as per the Moodle NTLM instructions.

I then selected 'Windows Authentication' and clicked on 'Providers'; this then showed a list of enabled providers:

Negotiate

NTLM

All I did was change the order so NTLM was at the top of the list (Move Up), and now NTLM and Single Sign-On is working perfectly! (Well, on the first three random clients I have tested.)

If someone could explain why this has fixed it I would be interested to know. But all signs so far show successful LDAP / NTLM SSO with Server 2008 R2 and IIS 7.5.

Richard
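The same provider change made from script rather than through the IIS Manager dialog, as an added example that is not code from this thread or from Moodle. It uses the WebAdministration module that ships with IIS 7.5 and assumes the site is called 'Default Web Site', Moodle lives under /moodle, and the host name in the final check is a placeholder. The final step fetches the REMOTE_USER echo page from the first post with the logged-on user's credentials, so it must be run from a domain-joined client rather than on the server itself (where SSO already worked).

```powershell
# Added example (not from the thread or from Moodle): inspect and reorder the
# Windows Authentication providers for the ntlmsso_magic.php location with the
# IIS 7.x WebAdministration module, then re-check using the REMOTE_USER test page.
Import-Module WebAdministration

$site     = 'Default Web Site'                           # assumed site name
$location = 'moodle/auth/ldap/ntlmsso_magic.php'         # path from the thread
$winAuth  = 'system.webServer/security/authentication/windowsAuthentication'
$anonAuth = 'system.webServer/security/authentication/anonymousAuthentication'
$sitePath = "IIS:\Sites\$site"

# 1. Show the current provider order for that file (IIS offers them top to bottom).
Write-Host "Providers before:"
Get-WebConfiguration -PSPath $sitePath -Location $location -Filter "$winAuth/providers/add" |
    ForEach-Object { Write-Host "  $($_.value)" }

# 2. Enforce the state the thread's fix produced: Windows auth on, anonymous off,
#    NTLM listed before Negotiate. With -PSPath and -Location the settings land in
#    the <location> element for this path in applicationHost.config.
Set-WebConfigurationProperty -PSPath $sitePath -Location $location -Filter $winAuth  -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $sitePath -Location $location -Filter $anonAuth -Name enabled -Value $false

# The providers collection has no "move up" verb from script: removing Negotiate
# and adding it back appends it after NTLM, which is the order the dialog produced.
Remove-WebConfigurationProperty -PSPath $sitePath -Location $location -Filter $winAuth -Name providers -AtElement @{ value = 'Negotiate' }
Add-WebConfigurationProperty    -PSPath $sitePath -Location $location -Filter $winAuth -Name providers -Value     @{ value = 'Negotiate' }

Write-Host "Providers after:"
Get-WebConfiguration -PSPath $sitePath -Location $location -Filter "$winAuth/providers/add" |
    ForEach-Object { Write-Host "  $($_.value)" }

# 3. From a domain-joined client, fetch the REMOTE_USER echo page from the first
#    post with the logged-on user's credentials. A non-empty DOMAIN\user means SSO
#    completed; an empty body means it did not.
$wc = New-Object System.Net.WebClient
$wc.UseDefaultCredentials = $true
$wc.DownloadString('https://moodle.example.test/moodle/auth/ldap/usertest.php')   # placeholder host
```

Moving NTLM to the top only changes which scheme IE tries first; Negotiate stays enabled, so the reorder is a workaround for whatever is breaking the Kerberos leg rather than a fix for it. Keeping the echo page around after testing is worth avoiding, since it reveals authenticated account names to anyone who can reach it.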

In reply to Richard Hatch

Re: NTLM SSO Issues - Windows Server 2008 - IIS 7.5

by Alastair Hole -
It is because Kerberos is failing.
Kerberos is the default scheme when using Negotiate with IE and it doesn't fall back to NTLM.

Bumping NTLM to the top of the list prevents the browser from attempting the doomed-to-failure Kerberos authentication.

We are struggling to get Kerberos working also; I'll post if we have any breakthroughs.
In reply to Alastair Hole

Re: NTLM SSO Issues - Windows Server 2008 - IIS 7.5

by Alastair Hole -
After a moderate bout of hair loss I have Negotiate/Kerberos working.

The problem for us was the NTFS permissions on the site files. Setting Read & Execute, List folder contents and Read for the web server computer accounts and the IIS application service account solved it. Your mileage may vary depending on what your IIS setup is (custom application pool identities etc.).
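The permission change described above, scripted as an added example that is not code from this thread or from Moodle. It resolves the application pool identity from the site definition instead of assuming it, grants only Read & Execute (which covers List folder contents and Read) to the computer account and the pool account, and then lists the resulting entries. The Moodle root path and the site name are assumptions.

```powershell
# Added example (not from the thread or from Moodle): grant the NTFS rights the
# post describes on the Moodle files to the web server's computer account and to
# the application pool identity, then show the resulting ACL entries.
Import-Module WebAdministration

$moodleRoot = 'C:\inetpub\wwwroot\moodle'        # assumed install path
$site       = 'Default Web Site'                 # assumed site name

# Computer account of this web server, e.g. CONTOSO\WEB01$ (note the trailing $).
$computerAccount = "$env:USERDOMAIN\$env:COMPUTERNAME`$"

# Work out which Windows account the site's application pool runs as, so the
# grant matches the real identity rather than a guess.
$poolName = (Get-Item "IIS:\Sites\$site").applicationPool
$pool     = Get-Item "IIS:\AppPools\$poolName"
$poolAccount = switch ($pool.processModel.identityType) {
    'ApplicationPoolIdentity' { "IIS AppPool\$poolName" }
    'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
    'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
    'SpecificUser'            { $pool.processModel.userName }
}

# RX = Read & Execute, which includes List folder contents and Read;
# (OI)(CI) make the entry inherit to files and subfolders. Nothing beyond
# read/execute is granted: serving the site does not need Modify or Write.
foreach ($account in $computerAccount, $poolAccount) {
    icacls $moodleRoot /grant ("{0}:(OI)(CI)RX" -f $account)
}

# Verify: list the ACEs that now apply to the two accounts.
(Get-Acl $moodleRoot).Access |
    Where-Object { @($computerAccount, $poolAccount) -contains $_.IdentityReference.Value } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
```

If the pool runs as a specific domain user, that account (not the computer account) is the one decrypting Kerberos tickets, so the grant to the computer account is then harmless but the pool account entry is the one that matters.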
In reply to Richard Hatch

Re: NTLM SSO Issues - Windows Server 2008 - IIS 7.5

by Brad Florence -
Would you be willing to post your settings for LDAP? I am having problems getting mine to work. I think it is binding but I have something wrong with finding the users.