NTLM SSO Problems

by Mitch Douglas -
Number of replies: 5

We're currently using a Moodle 1.9 system and have SSO with LDAP working on it for our network users. In the newer Moodle 2.3, I've tried copying over all of the settings from our current Moodle to get SSO working on there, but without success.

I've activated Windows Authentication on the server and set the website to use both anonymous and Windows authentication. When users try to log on whilst logged onto our network, a pop-up box appears asking for username and password. Typing in their username and password on Moodle doesn't work. Pressing cancel brings up a 401 error.

Any help is greatly appreciated. Thank you.

In reply to Mitch Douglas

Re: NTLM SSO Problems

by Andrew Lorbach -

Windows server? Which version of IIS are you using? (if any).

In reply to Andrew Lorbach

Re: NTLM SSO Problems

by Mitch Douglas -

I'm using IIS 7.5 on Windows Server 2008 R2 Standard.

In reply to Mitch Douglas

Re: NTLM SSO Problems

by Andrew Lorbach -

Drop this code into a php file in your moodle directory:

<?php
// IIS only populates REMOTE_USER after Windows authentication succeeded;
// a request served anonymously leaves it empty.
if (!empty($_SERVER['REMOTE_USER'])) {
    // Escape before echoing so the value cannot be rendered as markup.
    $user = htmlspecialchars($_SERVER['REMOTE_USER'], ENT_QUOTES, 'UTF-8');
    echo "<p>NTLM authentication seems to be working. User: $user</p>";
} else {
    echo '<p>NTLM is not working</p>';
}
?>

Give it a name like NTLM_test.php and then run it in your browser http://moodle.site/ntlm_test.php and see what it gives you.

Also head into IIS. Browse through the moodle directory and find the ntlm_magic.php file (I think that's what it's called, not at work so I can't check 100%). You may have to switch to content view in IIS. When you have the file selected on the right it will have providers. Select the option to change providers and there should be Negotiate and NTLM in the list. Move NTLM up to the top of the list. Restart your moodle site and try again.
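The IIS side of the advice above as a script, added here as an example that is not part of the thread. It assumes the site is named 'Default Web Site', Moodle lives under /moodle and the handshake file is auth/ldap/ntlm_magic.php (the file Andrew is thinking of); adjust those to your layout. It turns Windows authentication on for that one file only and turns anonymous access off there, because wherever anonymous access remains enabled alongside Windows authentication IIS serves the request anonymously and REMOTE_USER stays empty, which the test script above reports as "not working". Run it elevated on the web server.

```powershell
# Added example, not code from the thread. Assumed names: 'Default Web Site',
# /moodle, auth/ldap/ntlm_magic.php.
Import-Module WebAdministration

$site     = 'Default Web Site'
$location = "$site/moodle/auth/ldap/ntlm_magic.php"
$authBase = 'system.webServer/security/authentication'

# Writing with -PSPath 'IIS:\' and -Location commits to applicationHost.config.
# That is required: the authentication sections are locked by default, so a
# web.config in the Moodle folder would be rejected with a 500.19.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true

# Rebuild the provider list so NTLM is offered first. The inherited list is
# removed first because adding a provider that already exists is an error.
foreach ($p in 'Negotiate', 'NTLM') {
    Remove-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter "$authBase/windowsAuthentication" -Name providers `
        -AtElement @{ value = $p } -ErrorAction SilentlyContinue
}
foreach ($p in 'NTLM', 'Negotiate') {
    Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter "$authBase/windowsAuthentication" -Name providers `
        -Value @{ value = $p }
}

# Verify the effective settings for the file: expect anonymous False,
# windows True, providers NTLM, Negotiate.
$anon = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authBase/anonymousAuthentication" -Name enabled
$win  = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authBase/windowsAuthentication" -Name enabled
$prov = Get-WebConfiguration -PSPath 'IIS:\' -Location $location `
    -Filter "$authBase/windowsAuthentication/providers/add" |
    Select-Object -ExpandProperty value
"anonymous: $($anon.Value)  windows: $($win.Value)  providers: $($prov -join ', ')"
```

Leave the rest of the site anonymous: Moodle's normal login page and the LDAP auth plugin still need to be reachable without a Windows challenge, and a 401 on the site root is what a user sees when Windows authentication is enabled too broadly.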

In reply to Andrew Lorbach

Re: NTLM SSO Problems

by Mitch Douglas -

To add to this, although I didn't try this, it turned out that the settings for our version of IE in the internal college network didn't put Moodle in its allowed websites. Our network manager has changed this and it is now working.

In reply to Mitch Douglas

Re: NTLM SSO Problems

by Mark Gamache -

Windows integrated auth has a couple of interesting gotchas related to both authentication and authorization.

First, IE will not perform SSO unless the site falls properly into either the intranet zone or the trusted sites list. THEN, whichever of the two it falls into, the SSO option has to be set. Each zone has predefined levels of security, such as High, Med, Low, as well as the custom option. Whichever you pick, the granular option, near the bottom of that huge list, 'Automatic logon with current user name and password' must be picked.

I can't recall which level does that. I usually go custom to be sure. At that point the browser will be willing to do the auth.

Second part is the server side. When you turn on integrated auth, the user's browser authenticates the user to the server and now the user's access to the server occurs in that user's security context. This means that access to the file system, your php, asp, aspx, html files, must be granted to the user in the Windows security tab. Usually we assign the Users group read access to the top folder in your site. This can be mildly complicated by app servers, as some actions do occur in the security context of the appPool account. If things get ugly, you have to turn on failure auditing in local security policy and reboot. Then turn on auditing in the file system at the top of your site structure. Then the event logs show what object can't be opened. Good luck. This is a combination of a few different disciplines, having little to do with your code, except for the part where it tanks it.