SSO with AD2003

SSO with AD2003

by voodoo voodoo -
Number of replies: 29

Hello,

I am trying to set up a brand new installation with the latest moodle package 1.9.

Win2003, IIS 6, PHP 5.2, MySQL 5

I have set up LDAP as described in the docs, and set IIS to Integrated Windows Authentication for the magicsso file.

But... it does not auto-login, and prompts with the default login page...
Also, when entering a valid account from the domain I got a 404 error??!

LDAP server settings
ldap_host_url: ldap://eu-master.europe.com
ldap_version: 3
encoding = utf-8

Bind settings
ldap_preventpassindb: yes
ldap_bind_dn: CN=ldapreader,OU=Users,DC=europe,DC=com
ldap_bind_pw: password

User lookup settings

User type Novell Edirectory posixAccount (rfc2307) posixAccount (rfc2307bis) sambaSamAccount (v.3.0.7) MS ActiveDirectory Default
Contexts
Search subcontexts No Yes
Dereference aliases Choose... No Yes
User attribute
Member attribute
Member attribute uses dn
Object class

Course creator

Creators

Cron synchronization script

Removed ext user Keep internal Suspend internal Full delete internal

NTLM SSO

Enable No Yes  
Subnet

Has anyone any idea what's wrong??

Thanks for your suggestions.

VooDoo

In reply to voodoo voodoo

Re: SSO with AD2003

by voodoo voodoo -

If I go under Admin -> Networking -> SSO access control, I have the following:

For this functionality to work, you must have Moodle Networking On, plus the Moodle Network authentication plugin enabled with auto-add users enabled .

Moodle Networking Authentication plugin is disabled.

Auto-add users in Moodle Networking Authentication plugin is disabled.

I thought that the authentication plugin was only needed on previous versions... Can someone confirm this??

Thanks,
VooDoo

In reply to voodoo voodoo

Re: SSO with AD2003

by Iñaki Arenaza -

This Networking SSO is for a completely different authentication subsystem (the Moodle Network system), not NTLM SSO.

Saludos. Iñaki.

In reply to voodoo voodoo

Re: SSO with AD2003

by Iñaki Arenaza -

Your settings look strange, as several settings appear empty (and some of them are required fields) and others show multiple values.

Could you paste your real settings so we can have a look at them?

Also, could you please tell us what URL appears in your Location bar when you get the 404 error?

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: SSO with AD2003

by voodoo voodoo -

LDAP server settings

Host URL

Version

23

LDAP encoding

Bind settings

Hide passwords

NoYes

Distinguished Name

Password

User lookup settings

User type

Novell EdirectoryposixAccount (rfc2307)posixAccount (rfc2307bis)sambaSamAccount (v.3.0.7)MS ActiveDirectoryDefault

Contexts

Search subcontexts

NoYes

Dereference aliases

Choose...NoYes

User attribute

Member attribute

Member attribute uses dn

Object class

Force change password

Force change password

NoYes

Use standard Change Password Page

NoYes

Password format

Plain textMD5 hashSHA-1 hash

Password-change URL

LDAP password expiration settings.

Expiration

noLDAP

Expiration warning

Expiration attribute

Grace logins

NoYes

Grace login attribute

Enable user creation

Create users externally

NoYes

Context for new users

Course creator

Creators

Cron synchronization script

Removed ext user

Keep internalSuspend internalFull delete internal

NTLM SSO

Enable

NoYes

Subnet

Here are my settings... can't see what's wrong.
Thanks!

VooDoo

In reply to voodoo voodoo

Re: SSO with AD2003

by Iñaki Arenaza -

I'm afraid this is completely useless. If you copy the text from the browser and paste it into the Moodle forum editor, we see a remix of the HTML options for some fields, but not the real values you chose or typed.

Please make a transcription of the real values (or a screenshot).

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: SSO with AD2003

by voodoo voodoo -

Sorry about this, I am very tired these days...

I have attached a screenshot of my settings.
Thanks again.

VooDoo

Attachment ldap.jpg
In reply to voodoo voodoo

Re: SSO with AD2003

by Iñaki Arenaza -

A few comments:

  • LDAP version needs to be 3 (not 2).
  • The 'ldapreader' user surely has a password. I guess you removed it from the Password field to protect it. Otherwise, you need to specify it there.
  • You also need to fill the 'Subnet' field with the IP subnet/mask of the networks from which you want your users to use NTLM SSO. Otherwise, the SSO never takes place.

Saludos. Iñaki.
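To make the third point concrete, here is an added Python check (not Moodle's own address_in_subnet() code, and not part of this thread) that reproduces the gate as I read it from the posts: an empty Subnet field means SSO is never attempted, and the client address must fall inside one of the listed networks. It accepts the CIDR form used above (192.168.27.0/24) and the trailing-dot prefix form that appears later in the thread (172.16.); support for a last-octet range and a comma-separated list is my own assumption.

```python
import ipaddress


def address_in_subnet(addr, spec_list):
    """Return True if IPv4 address `addr` is covered by any entry in `spec_list`.

    Accepted entry forms (my reading of the values used in this thread):
      192.168.27.0/24        CIDR network
      172.16.                prefix: leading octets must match whole octets
      192.168.10.200-220     last-octet range (assumed form, not from the thread)
    Entries may be comma-separated.
    """
    ip = ipaddress.IPv4Address(addr)
    for spec in (s.strip() for s in spec_list.split(",")):
        if not spec:
            continue
        if "/" in spec:
            if ip in ipaddress.IPv4Network(spec, strict=False):
                return True
        elif "-" in spec:
            base, last = spec.rsplit("-", 1)
            first = ipaddress.IPv4Address(base)
            end = ipaddress.IPv4Address(base.rsplit(".", 1)[0] + "." + last)
            if first <= ip <= end:
                return True
        else:
            # Prefix form: compare whole octets so "172.16." does not match 172.160.x.x
            want = [o for o in spec.rstrip(".").split(".") if o != ""]
            have = str(ip).split(".")
            if have[:len(want)] == want:
                return True
    return False


def sso_should_run(remote_addr, ntlmsso_enabled, subnet_spec, skip_flag=False):
    """Mirror the conditions the thread describes: NTLM SSO is only attempted when it
    is enabled, a Subnet value is set, the client is inside it and the skip flag is absent."""
    return (bool(ntlmsso_enabled) and bool(subnet_spec.strip()) and not skip_flag
            and address_in_subnet(remote_addr, subnet_spec))
```

With an empty Subnet field sso_should_run() is always False, which is the "SSO never takes place" case above.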

In reply to Iñaki Arenaza

Re: SSO with AD2003

by voodoo voodoo -

Thanks,
As specified in the doc, I thought the subnet was only needed to keep SSO off certain networks...

Now the SSO looks to take place, but also leads to a 404 page:

http://intranet/moodle/auth/ldap/ntlmsso_finish.php

I have tried from various computers, with various users...

In reply to voodoo voodoo

Re: SSO with AD2003

by voodoo voodoo -

Sometimes SSO fails and I get redirected to:

http://intranet/moodle/login/index.php?authldap_skipntlmsso=1

In reply to voodoo voodoo

Re: SSO with AD2003

by voodoo voodoo -

When looking at my logs I can see that the login was ok...


Type de l'événement : Audit des succès
Source de l'événement : Security
Catégorie de l'événement : Ouverture/Fermeture de session
ID de l'événement : 540
Date :  01/04/2008
Heure :  11:56:00
Utilisateur : EUROPE\voodoo
Ordinateur : INTRANET
Description :
Ouverture de session réseau réussie :
   Utilisateur : voodoo
   Domaine : EUROPE
   Id. de la session : (0x0,0xA4F038D)
   Type de session : 3
   Processus de session : NtLmSsp
   Package d'authentification : NTLM
   Nom de la station de travail : IT
   GUID d'ouv. de session : -
   Nom de l'utilisateur appelant : -
   Domaine appelant : -
   ID de session de l'appelant : -
   ID de processus appelant : -
   Services en transit : -
   Adresse réseau source :  192.168.10.210
   Port source :  2082

Don't know where to look now...

Commenting out these lines in the ntlmsso_finish.php file avoids the 404 error...
/*
$authplugin = get_auth_plugin('ldap');
if (empty($authplugin->config->ntlmsso_enabled)) {
    print_error('ntlmsso_isdisabled','auth');
}
*/

What does this mean??

In reply to voodoo voodoo

Re: SSO with AD2003

by voodoo voodoo -

Is no one using LDAP and SSO????

Can someone post their configuration?

In reply to voodoo voodoo

Re: SSO with AD2003

by Iñaki Arenaza -

Here is what I'm using in my test box (we don't use NTLM SSO in our production box):

  • Windows Server 2003 (original version, no SP2 or SR2 applied) / IIS 6
  • MySQL 5.0.41-community-nt-log
  • PHP 5.2.3

The AD domain name is 'windows2003.local', the domain controller has IP address 192.168.27.2, the bind user is called 'ldap-user' and is inside the 'Users' folder of AD. All the Moodle users are stored inside an organizational unit called 'Moodle' that is located right below the domain root. The IP addresses of all of the clients I want to use NTLM SSO with belong to IP network address 192.168.27.0/24 (i.e. 192.168.27.0/255.255.255.0)

With all the above in mind, these are my Moodle LDAP/NTLM SSO settings:

LDAP server settings
  Host URL: ldap://192.168.27.2
  Version: 3
  LDAP encoding: utf-8

Bind settings
  Hide passwords: Yes
  Distinguished Name: cn=ldap-user,cn=users,dc=windows2003,dc=local
  Password: ldap-user-password

User lookup settings
  User type: MS Active Directory
  Contexts: ou=Moodle,dc=windows2003,dc=local
  Search subcontexts: Yes
  Dereference aliases: No
  User attribute: sAMAccountName
  Member attribute: 
  Member attribute uses dn: 1
  Object class: 

Force change password
  Force change password: No
  Use standard Change Password Page: No
  Password format: Plain text
  Password-change URL: 

LDAP password expiration settings.
  Expiration: No
  Expiration warning: 10
  Expiration attribute:
  Grace logins:
  Grace login attribute: 

Enable user creation
  Create users externally: No
  Context for new users:

Course creator
  Creators:

Cron synchronization script
  Removed ext user: Keep internal

NTLM SSO
  Enable: Yes
  Subnet: 192.168.27.0/24

Data Mapping:
 ...
 ...

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: SSO with AD2003

by voodoo voodoo -

Thanks Iñaki,
I have the same settings as you except the domain of course, and the PHP version (5.15).

but I always get a 404 error page with this URL:
http://intranet/moodle/user/edit.php

either with SSO or not...

I am stuck!
I will try with another box this afternoon.

VooDoo

In reply to voodoo voodoo

Re: SSO with AD2003

by Mike Forshaw -

Hi,

We've been trying this all day and still get the "auto-login failed" error.

We've enabled NTLM SSO, put in a subnet of 172.16., turned on integrated authentication on IIS, changed the attempt.php page from 3 to 30, added our moodle page to the Internet trusted sites and still no joy. Debugging doesn't show anything either when turned on.

Please help,

Mike

In reply to Mike Forshaw

Re: SSO with AD2003

by Iñaki Arenaza -

As I've said in another thread in this forum, I'm unable to reproduce this problem in my test setup, so I can't debug it.

So I need some help from someone that is having the problem and is willing to debug the problem with me, by adding some debugging statements and posting back the results of those statements.

Otherwise I'm completely 'blind'.

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: SSO with AD2003

by voodoo voodoo -
Can I help you on this?
In reply to voodoo voodoo

Re: SSO with AD2003

by Iñaki Arenaza -
Sure!

I'm a bit busy right now, but will post some details tonight so we can debug all this.

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: SSO with AD2003

by Iñaki Arenaza -

It has taken me longer than expected, but here it goes. Attached to this message there is a patch file. You'll need the patch tool (you can get patch for Windows from http://gnuwin32.sourceforge.net/packages/patch.htm, download the binary 'Complete package, except sources' package).

Once you have patch installed in your system, place the attached patch file in .../moodle/auth/ldap/auth.php, open a console window, go to .../moodle/auth/ldap/ and execute the following command:

patch -p3 --binary < ntlm-debugging.diff

It should apply without problems. If you see some "HUNK # succeded at nnnn (offset mmm lines)" messages, don't worry about them.

Next, login as admin, go to Administration >> Server >> Debugging and set your debug level to 'ALL: Show all reasonable PHP debug messages'.

The patch will send all the debug messages to the PHP error logs (so make sure you know where they are going). Next try to login using NTLM SSO and have a look at your PHP error logs. You should see something similar to this (the exact messages can vary):

[19-Apr-2008 12:32:38] ntlmsso_finish(): username: administrator, key: 8pVumbsCwp $cf[$key]: administrator
[19-Apr-2008 12:32:38] user_login(): username: administrator
[19-Apr-2008 12:32:38] ntlmsso_finish(): user successfully authenticated. Redirecting to: http://192.168.27.2/moodle/


[19-Apr-2008 12:19:30] ntlmsso_finish(): username: administrator, key: eSYcePFE3s $cf[$key]: administrator
[19-Apr-2008 12:19:30] user_login(): username: administrator
[19-Apr-2008 12:19:30] user_login(): can't find the distinguished name for the user
[19-Apr-2008 12:19:30] ntlmsso_finish(): authenticate_user_login failed

The first block of messages corresponds to a successful NTLM SSO login, while the second corresponds to a failed one. In this particular case, we can't find the distinguished name of the user, so it probably means some configuration error in Moodle LDAP settings.

The messages for the failed logins will help me diagnose what's making the SSO login fail, so please, post them here. Don't worry about the $key value, it has nothing to do with the user password, but you can modify both the username and the key value before posting them here if you feel like it.

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: SSO with AD2003

by Johnathan Kemp -

Hello Iñaki,

I followed your reference over from the other message as requested.

I have installed the patch application and attempted to apply the diff file in the

Apache2\htdocs\moodle\auth\ldap

folder as requested.

The first problem came when the installation of patch failed to add

c:\program files\GnuWin32\bin\ to the path environmental variable so patch would not run. I added this to the path variable and tried again using the following string

patch -p3 --binary < ntlm-debugging.diff

The following messages were displayed

patching file auth.php
Hunk #1 Failed at 82.
Hunk #2 Failed at 102.
Hunk #3 Failed at 117.
Hunk #4 Failed at 128.
Hunk #5 Failed at 1798.
Hunk #6 Failed at 1858.
Hunk #7 Failed at 1890.
Hunk #8 Failed at 1923.
8 out of 8 hunks Failed -- saving rejects to file auth.php.rej

Any ideas what went wrong and how to resolve this?

Kind regards

Johnathan

In reply to Johnathan Kemp

Re: SSO with AD2003

by Iñaki Arenaza -
Can you attach the auth.php.rej file to this forum so I can have a look at it? Better yet, attach a zip file with both the .rej file and your original auth.php file.

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: SSO with AD2003

by Johnathan Kemp -
Hello Iñaki,

Since my last posting things have moved on a little, but I could not update you as we had lost our internet connection.

As requested I have attached the .rej and .orig files.

However following the failed patch attempt I took a look at the .rej and .orig files and manually applied the changes to create a patched auth.php file.

I have then set up the error logging as instructed and can provide the following details of a login attempt.

11:55:25 ntlmsso_finish: no sesskey or ntlmsess cache flag not set.

11:55:17 ntlmsso_finish(): user successfully authenticated. Redirecting to: http://cxvl-01.cxstaffs.co.uk/moodle/.

11:55:16 user_login(): username: john.doe.

11:55:16 ntlmsso_finish(): username: john.doe, key: VZpi65JBF9 $cf[$key]: john.doe.

As I've mentioned before - our logins work - the problem is that despite them working we still get an auto login failed message and the user is redirected to the login page, even though in the top right hand corner the message "You are logged in as john.doe (logout)" is displayed.

Let me know what else I can do to help resolve this.

Kind regards

Johnathan

In reply to Johnathan Kemp

Re: SSO with AD2003

by Zach Young -

I'm having the same issues with SSO.  I have applied the patch above.  Where do I find the log files for debugging?

Thanks

Zach

In reply to Zach Young

Re: SSO with AD2003

by Iñaki Arenaza -

Have a look at your PHP settings (php.ini) to see where you are sending your PHP error logs.

Saludos. Iñaki.

In reply to Johnathan Kemp

Re: SSO with AD2003

by Iñaki Arenaza -

This is rather strange. After being successfully authenticated, you are redirected to the front page (as you should):

11:55:17 ntlmsso_finish(): user successfully authenticated. Redirecting to: http://cxvl-01.cxstaffs.co.uk/moodle/

and then you are back again at auth/ldap/ntlmsso_finish.php (which you shouldn't be), and this second time the cache flag holding the user credentials is gone (as it should be), so the 'login' fails:

11:55:25 ntlmsso_finish: no sesskey or ntlmsess cache flag not set.

I don't know why you get there for a second time though. I'll try to have a look at it and see if I can come up with a plausible reason (and ideally a patch).

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: SSO with AD2003

by Steve Lovidge -

I have a similar problem. With both IE7 and Firefox the SSO fails at the first attempt. All subsequent attempts are successful, unless the session has timed out. Sometimes it will log in but return to the login page.

Here are the results of the error logs:

1st attempt

[Tue Dec 02 15:30:07 2008] [error] [client 10.15.33.96] PHP Notice:  Undefined property:  object::$firstname in /var/www/nexus/lib/weblib.php on line 3741
[Tue Dec 02 15:30:11 2008] [error] [client 10.15.33.96] ntlmsso_finish: no sesskey or ntlmsess cache flag not set
[Tue Dec 02 15:30:14 2008] [error] [client 10.15.33.96] PHP Notice:  Undefined property:  object::$firstname in /var/www/nexus/lib/weblib.php on line 3741
[Tue Dec 02 15:30:20 2008] [error] [client 10.15.33.96] PHP Notice:  Undefined property:  object::$firstname in /var/www/nexus/lib/weblib.php on line 3741, referer: http://nexustest.xxxxxxx/nexus/login/index.php?authldap_skipntlmsso=1

2nd attempt


[Tue Dec 02 15:30:23 2008] [error] [client 10.15.33.96] ntlmsso_finish(): username: joeblogs, key: lxNpNPiTK1 $cf[$key]: joeblogs
[Tue Dec 02 15:30:23 2008] [error] [client 10.15.33.96] user_login(): username: joeblogs
[Tue Dec 02 15:30:23 2008] [error] [client 10.15.33.96] PHP Notice:  Undefined property:  stdClass::$field_updatelocal_username in /var/www/nexus/lib/moodlelib.php on line 2906
[Tue Dec 02 15:30:23 2008] [error] [client 10.15.33.96] PHP Notice:  Undefined property:  stdClass::$field_lock_username in /var/www/nexus/lib/moodlelib.php on line 2907
[Tue Dec 02 15:30:23 2008] [error] [client 10.15.33.96] ntlmsso_finish(): user successfully authenticated. Redirecting to: http://nexustest.xxxxxxx/nexus/login/index.php?authldap_skipntlmsso=1

Any ideas?

your help would be greatly appreciated.

Cheers, Steve.

In reply to Steve Lovidge

Re: SSO with AD2003

by Iñaki Arenaza -

I really don't know what's going on, but it's a bit strange. Even when you are authenticated correctly, you are redirected to the login page again with the authldap_skipntlmsso flag set, which you shouldn't be.

Can you please revert the previous patch (with 'patch -R ...') and try the attached patch? It adds more logging at various places so I can trace the execution of the SSO login.

Thanks in advance.

Saludos. Iñaki.
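The three failure patterns discussed in this thread (Iñaki's "can't find the distinguished name" example, Johnathan's second visit to ntlmsso_finish.php with the cache flag gone, and Steve's successful login that still redirects to the login page with authldap_skipntlmsso=1) can be told apart mechanically from the debug lines. The following Python triage script is an added example, not part of the thread or of Moodle; the sample log lines are constructed to mirror the excerpts posted above, with invented hostnames and usernames.

```python
import re

# Pulls the message out of a debug line whatever the log prefix: PHP error log
# "[19-Apr-2008 12:32:38] ...", Apache "[...] [error] [client 10.15.33.96] ...",
# or a bare "11:55:25 ...". Both "ntlmsso_finish()" and "ntlmsso_finish" occur.
MSG_RE = re.compile(r'(ntlmsso_finish|user_login)(?:\(\))?:\s*(.*?)\.?\s*$')


def parse_events(lines):
    """Return (function, message) pairs; PHP notices and other noise are skipped."""
    events = []
    for line in lines:
        m = MSG_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2)))
    return events


def diagnose(lines):
    """Classify one NTLM SSO attempt from the debug lines it produced."""
    msgs = [msg for _, msg in parse_events(lines)]
    if not msgs:
        return "no-finish-activity"      # ntlmsso_finish.php never ran for this attempt
    if any("distinguished name" in m for m in msgs):
        return "ldap-lookup-failed"      # user not found under Contexts / User attribute
    if any(m.startswith("authenticate_user_login failed") for m in msgs):
        return "authentication-failed"
    successes = [m for m in msgs if m.startswith("user successfully authenticated")]
    no_creds = any(m.startswith("no sesskey") for m in msgs)
    if successes:
        target = successes[-1].split("Redirecting to:", 1)[1].strip()
        if "authldap_skipntlmsso=1" in target:
            return "success-but-bounced-to-login"   # redirect target is the login page
        if no_creds:
            return "finish-visited-twice"           # second visit finds the cache flag gone
        return "success"
    if no_creds:
        return "finish-without-credentials"         # finish reached with no stored credentials
    return "unknown"


# Constructed samples modelled on the log excerpts in this thread (names invented).
SAMPLE_OK = [
    "[19-Apr-2008 12:32:38] ntlmsso_finish(): username: alice, key: 8pVumbsCwp $cf[$key]: alice",
    "[19-Apr-2008 12:32:38] user_login(): username: alice",
    "[19-Apr-2008 12:32:38] ntlmsso_finish(): user successfully authenticated. Redirecting to: http://moodle.example/moodle/",
]
SAMPLE_NO_DN = [
    "[19-Apr-2008 12:19:30] user_login(): can't find the distinguished name for the user",
    "[19-Apr-2008 12:19:30] ntlmsso_finish(): authenticate_user_login failed",
]
SAMPLE_TWICE = [  # newest first and with trailing full stops, as Johnathan posted them
    "11:55:25 ntlmsso_finish: no sesskey or ntlmsess cache flag not set.",
    "11:55:17 ntlmsso_finish(): user successfully authenticated. Redirecting to: http://moodle.example/moodle/.",
    "11:55:16 ntlmsso_finish(): username: john.doe, key: VZpi65JBF9 $cf[$key]: john.doe.",
]
APACHE = "[Tue Dec 02 15:30:23 2008] [error] [client 10.15.33.96] "
SAMPLE_BOUNCE = [
    APACHE + "ntlmsso_finish(): username: bob, key: lxNpNPiTK1 $cf[$key]: bob",
    APACHE + "user_login(): username: bob",
    APACHE + "ntlmsso_finish(): user successfully authenticated. Redirecting to: http://moodle.example/login/index.php?authldap_skipntlmsso=1",
]
SAMPLE_FIRST = [
    APACHE + "PHP Notice:  Undefined property:  object::$firstname in /var/www/moodle/lib/weblib.php on line 3741",
    APACHE + "ntlmsso_finish: no sesskey or ntlmsess cache flag not set",
]
```

diagnose(SAMPLE_TWICE) returns "finish-visited-twice" (Johnathan's case) and diagnose(SAMPLE_BOUNCE) returns "success-but-bounced-to-login" (Steve's second attempt); a "no-finish-activity" result means the attempt never reached ntlmsso_finish.php at all, which points at the IIS/subnet side rather than LDAP.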

In reply to Mike Forshaw

Re: SSO with AD2003

by Mike Forshaw -

I forgot to mention that we are running v1.9 of Moodle. Just upgraded the other day. Any help would be great.

Thanks a lot,

Mike

In reply to Mike Forshaw

Re: SSO with AD2003

by Alan Whittamore -
I too have been wrestling with this NTLM/SSO issue and though I can't explain why, it seems to me that the loginpage_hook function in auth/ldap/auth.php causes it.

Anyway, I have a replacement which works for me; it would be interesting to find out if it works for you too.

function loginpage_hook() {
    // Method of the LDAP auth plugin class in auth/ldap/auth.php.
    global $CFG, $SESSION;
    if (($_SERVER['REQUEST_METHOD'] === 'GET'            // Only on initial GET of loginpage
         || ($_SERVER['REQUEST_METHOD'] === 'POST'
             && (get_referer() != strip_querystring(qualified_me()))))
                                                          // Or when POSTed from another place
                                                          // See MDL-14071
        && !empty($this->config->ntlmsso_enabled)        // SSO enabled
        && !empty($this->config->ntlmsso_subnet)         // have a subnet to test for
        && empty($_GET['authldap_skipntlmsso'])          // haven't failed it yet
        && (isguestuser() || !isloggedin())              // guestuser or not-logged-in users
        && address_in_subnet($_SERVER['REMOTE_ADDR'], $this->config->ntlmsso_subnet)) {
        // First, let's remember where we were trying to get to before we got here
        if (empty($SESSION->wantsurl)) {
            $SESSION->wantsurl = (array_key_exists('HTTP_REFERER', $_SERVER) &&
                                  $_SERVER['HTTP_REFERER'] != $CFG->wwwroot &&
                                  $_SERVER['HTTP_REFERER'] != $CFG->wwwroot.'/' &&
                                  $_SERVER['HTTP_REFERER'] != $CFG->httpswwwroot.'/login/' &&
                                  $_SERVER['HTTP_REFERER'] != $CFG->httpswwwroot.'/login/index.php' &&
                                  $_SERVER['HTTP_REFERER'] != $CFG->wwwroot."/auth/ldap/ntlmsso_attempt.php")
                                 ? $_SERVER['HTTP_REFERER'] : $CFG->wwwroot;
        }
        // Now start the whole NTLM machinery.
        redirect($CFG->wwwroot."/auth/ldap/ntlmsso_attempt.php");
    }
    // No NTLM SSO, use the normal login page instead.
    // If $SESSION->wantsurl is empty and we have a 'Referer:' header, the login
    // page insists on redirecting us to that page after user validation. If
    // we clicked on the redirect link at the ntlmsso_finish.php page instead
    // of waiting for the redirection to happen, then we have a 'Referer:' header
    // we don't want to be used at all. As we can't get rid of it, just point
    // $SESSION->wantsurl to $CFG->wwwroot (after all, we came from there).
    if (empty($SESSION->wantsurl)
        && (get_referer() == $CFG->httpswwwroot.'/auth/ldap/ntlmsso_finish.php')) {
        $SESSION->wantsurl = $CFG->wwwroot;
    }
}


This may not be the ultimate fix but I hope it sheds some light on what's happening!
This was tested on Moodle 1.9 build 20080402.
Alan.
In reply to Alan Whittamore

Re: SSO with AD2003

by voodoo voodoo -

I have reinstalled the latest build and it is now OK.

Fixed for me, thanks to all!!