Authentication

Windows authentication

 
Picture of solmaz naderi
Windows authentication
 

Hi everyone

I'm using LDAP for authentication and we have about 2000 users in our site. Now we need to use Windows authentication for authenticating. I have tried to configure NTLM but there was no module for Apache 2.4, so I must use another solution. Would you help me with what I must do?

OS = Windows Server 2012, 64-bit

Moodle = 2.9+

Apache = 2.4

Any suggestion would be appreciated

Solmaz


 
Average of ratings: -
Picture of Matteo Scaramuccia
Re: Windows authentication
Core developers, Particularly helpful Moodlers, Plugin developers

Hi Solmaz,
have you already read https://docs.moodle.org/29/en/NTLM_authentication ?
Why using Apache under Windows? IIS + PHP via FastCGI is in your case a nicer solution: https://docs.moodle.org/29/en/Internet_Information_Services#IIS_configuration_steps.

Otherwise, you could give https://github.com/YvesR/mod_authn_ntlm#build-instructions a try.

BTW, please update to a Moodle supported version: it will be better for future issues ;-)

HTH,
Matteo

 
Average of ratings: -
Picture of solmaz naderi
Re: Windows authentication
 

Hi Mr Matteo

First of all, thank you for your prompt response. According to your hint I have migrated to IIS; now my config is:

OS = Windows Server 2012 R2

IIS = 8.5

Moodle = 2.9+ (I will update Moodle in future)

MySQL = 5.5.40

PHP = 5.6.32

Would you help me with what I must do in the next step?

Warm regards

Solmaz

 
Average of ratings: -
Picture of Matteo Scaramuccia
Re: Windows authentication
Core developers, Particularly helpful Moodlers, Plugin developers

For the record, a new thread has been opened in https://moodle.org/mod/forum/discuss.php?d=364044.

There, it has been already posted that IIS 7.x configuration is pretty similar to the one required by IIS 8.5, including the priority of NTLM against Kerberos.

HTH,
Matteo

 
Average of ratings: -
Picture of solmaz naderi
Re: Windows authentication
 

Hi Mr Scaramuccia

I followed the document for IIS 7.5 and NTLM is working now, but I have some issues:

1. In any browser (even IE), a popup login box is shown first, asking for username and password, like this:

Our users may click the Cancel button and get an error! So I don't want to see this popup login box.

2. If users enter their account info and click on login, it takes too much time to show the content, and they see this message for about 5 minutes. They will get bored!


The following image is our NTLM config in Moodle:

Would you help me with how I can fix that?



 
Average of ratings: -
Picture of Matteo Scaramuccia
Re: Windows authentication
Core developers, Particularly helpful Moodlers, Plugin developers

Hi Solmaz,
Windows Authentication requires that the folders and files served by a Webapp, here Moodle, will be readable and traversable by the Users, i.e. you need to create a Windows Group for the Users accessing Moodle - maybe the whole, so just use Domain Users - and apply those permissions, including the possibility to traverse - just it, even not read - the folder in the path starting from the disk unit (e.g. D:\).

There are some other docs in the net like e.g. http://www.wicher.co.uk/ldap-ntlm/ which describes in a different manner what you read at https://docs.moodle.org/34/en/NTLM_authentication#IIS_7.x. Did you perform at least these steps including IIS configuration?

Besides, to define multiple subnets you need to separate them using "," and not " ".

HTH,
Matteo

 
Average of ratings: -
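
The permissions described in the post above, as an added example that is not part of the original thread: a PowerShell sketch that grants a group traverse-only rights on each folder from the drive root down to the Moodle directory, and read/traverse rights on the Moodle directory itself. The path `D:\inetpub\moodle` and the group `CONTOSO\Domain Users` are assumptions; without `-Apply` the script only prints the `icacls` commands it would run.

```powershell
# Added example: path and group name are assumptions, not values from the thread.
param(
    [string]$MoodleDir = 'D:\inetpub\moodle',     # assumed Moodle install folder
    [string]$Group     = 'CONTOSO\Domain Users',  # assumed group of Moodle users
    [switch]$Apply                                # without it, only print the plan
)

# Emit every folder above $Path, up to and including the drive root (e.g. D:\).
function Get-AncestorDir([string]$Path) {
    $parent = Split-Path -Path $Path -Parent
    while ($parent) {
        $parent
        $parent = Split-Path -Path $parent -Parent
    }
}

$plan = @()

# Ancestors: traverse only (X) with no inheritance flags, so the grant stays on
# that single folder and does not expose its other children.
foreach ($dir in Get-AncestorDir $MoodleDir) {
    $plan += ,@($dir, '/grant', "${Group}:(X)")
}

# Moodle folder: read + traverse (RX), inherited by subfolders (CI) and files (OI).
$plan += ,@($MoodleDir, '/grant', "${Group}:(OI)(CI)(RX)")

foreach ($cmd in $plan) {
    if ($Apply) {
        & icacls.exe @cmd
        if ($LASTEXITCODE -ne 0) { throw "icacls failed on $($cmd[0])" }
    } else {
        # Preview only: shows the arguments, not shell-ready quoting.
        'icacls ' + ($cmd -join ' ')
    }
}
```
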
Picture of solmaz naderi
Re: Windows authentication
 

I performed all steps including IIS configuration according to the link, the subnets are separated by "," and I applied the permissions that you said, but it still shows the popup login box. Someone told me I must use SSL to solve this issue. Do you agree?

 
Average of ratings: -
Picture of Iñaki Arenaza
Re: Windows authentication
Core developers, Documentation writers, Particularly helpful Moodlers, Plugin developers

Hi Solmaz,

You don't tell us which browser(s) you are using to test NTLM SSO. The thing is NTLM SSO credential exchange is not attempted by default by any of the tier-1 browsers (IE/Edge, Chrome, Firefox). You need to explicitly configure them to send the credentials as part of the connection negotiation exchange (e.g., IE doesn't send the user credentials unless the Moodle server is part of the 'trusted zone' or the 'intranet zone' in the client browser security settings: https://moodle.org/mod/forum/discuss.php?d=80104#p416040).

If all your Moodle users are using Microsoft browsers from machines that are part of your Active Directory domain, you can use Group Policies to configure the needed settings automatically (see https://moodle.org/mod/forum/discuss.php?d=115726#p615067).

Otherwise, each user will need to configure their own browser following the browser documentation.

By the way, using SSL was not mandatory for NTLM SSO to work last time I checked (but that was on IE 8.x, so things might have changed), but it's still a very good idea :-)

Saludos. Iñaki.

 
Average of ratings: Useful (1)
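
The Internet Explorer zone setting described in the post above, as an added example that is not part of the original thread: a PowerShell sketch that maps one host into the current user's Local intranet zone and reads the mapping back. The host name `moodle.example.local` is an assumption, and splitting the name into domain and subdomain by taking the last two labels as the domain is a simplification.

```powershell
# Added example: host name is an assumption, not a value from the thread.
param(
    [string]$HostName = 'moodle.example.local',  # assumed Moodle server name
    [string]$Scheme   = 'http',                  # or 'https'
    [switch]$Apply                               # without it, only report
)

$zoneMap   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# ZoneMap stores <domain>\<subdomain>; simplification: last two labels = domain.
$labels = $HostName.Split('.')
if ($labels.Count -gt 2) {
    $domain = $labels[-2..-1] -join '.'
    $sub    = $labels[0..($labels.Count - 3)] -join '.'
    $key    = Join-Path (Join-Path $zoneMap $domain) $sub
} else {
    $key = Join-Path $zoneMap $HostName
}

if ($Apply) {
    # Zone 1 is where IE's default "automatic logon only in Intranet zone"
    # applies, so map only hosts you operate yourself.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Scheme -Value 1 -PropertyType DWord -Force | Out-Null
}

# Read the mapping back so the result can be checked on the client.
$current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$Scheme
if ($null -eq $current) {
    "${Scheme}://$HostName has no per-user zone mapping"
} else {
    "${Scheme}://$HostName -> zone $current ($($zoneNames[[int]$current]))"
}
```

For domain-joined clients the same mapping is normally pushed with the Group Policy setting "Site to Zone Assignment List" rather than written per user.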