Legrandin / PyAuthenNTLM2

PyAuthenNTLM2 is an authentication module for Apache. It validates a user by means of the NTLM protocol and a separate Domain Controller (or Active Directory server).

Disabling Basic Authentication #8

Closed kelvinlouis closed 11 years ago

kelvinlouis commented 12 years ago

Hey there,

Is it possible to turn off basic authentication, if the authentication didn't automatically work? I want to suppress the authentication prompt if it didn't work, and show a login screen instead.

Is this possible? Do I have to modify the code?

Thanks

Kelvin

kelvinlouis commented 12 years ago

I tried to make it work by modifying the code, but unfortunately never found a solution to make it work. After reading the security chapter, I wasn't sure anymore if it could work at all. I don't think you can suppress the credentials prompt, because it's up to the browser how to handle the challenge sent in the form of a type 2 message, right?

Legrandin commented 12 years ago

Sorry, I don't fully understand your problem. Are you sure it is specifically about Basic authentication, and not about authentication in general? The module allows the browser to pick Basic or NTLM as mechanism, but the dialog will show up in either case. Could you explain in more detail what you are trying to achieve?

kelvinlouis commented 12 years ago

Oh sorry, it's not about basic authentication. I wanted to find a way to suppress the dialog while using NTLM.

Legrandin commented 12 years ago

For any type of authentication, the dialog must be shown at least once. Otherwise, how could the browser know the data necessary for authenticating to the server? After the first time, and if the operation was successful, the browser should cache such data for a certain period of time. Or maybe I still don't get what you are aiming at...

scott-r-lindsey commented 12 years ago

I know what Kelvin is asking for because I tried to figure it out myself. He wants to avoid the horrible looking default login prompt for users that aren't using NTLM. If the browser is not loaded with credentials already, send the user to a nice looking login page and go from there. But you can't -- the request to the browser for credentials triggers the prompt. :(

kelvinlouis commented 12 years ago

That's exactly what I tried. Using Internet Explorer you had the feeling that the people were automatically sending their credentials, without being challenged first. Technically, this doesn't make sense though, because the client needs to be informed that authentication is required before it can send the credentials. But I figured out that in IE NTLM Authentication (SSO) was enabled by default, which forces the credentials prompt not to appear, because the browser would send the credentials automatically. Other browsers like Firefox or Chrome have this setting disabled. Unfortunately, I wasn't allowed to change the settings on all the users' browsers.

With that being said, this was very confusing to most of the end users. They didn't know what username and password they had to enter. The users that were in the same network as the server had to enter their Windows login. External users, the ones who connected via a different network, couldn't log in at all. For them we had to create users in our application. The fundamental problem still existed though: the prompt always came up for those external users.

So, I created a switch inside a virtual host entry that checked whether the user came from a different network. If he did, I directed him to our application's login site, without using NTLM authentication. If an internal user tried to access the application, the redirection pointed him to a page where we enforced NTLM authentication. This worked pretty well.
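As an added example (not from the thread or the PyAuthenNTLM2 project itself), an Apache 2.4 virtual host fragment that implements the network switch described in the last comment: external clients are sent to the application's own login form and never see an NTLM challenge, while internal clients are sent to a single location where NTLM is enforced. The 10.0.0.0/8 range, the /app/login and /app/sso paths, the domain name and the domain controller address are placeholders, and the PyAuthenNTLM2 handler directives are assumed from the project README rather than taken from this thread.

```apache
<VirtualHost *:443>
    # Placeholder hostname
    ServerName intranet.example.com

    RewriteEngine On

    # External clients (anything outside the assumed 10.0.0.0/8 range) never
    # receive an NTLM challenge: a request for the SSO entry point is sent to
    # the application's own login form instead.
    RewriteCond %{REMOTE_ADDR} !^10\.
    RewriteRule ^/app/sso$ /app/login [R=302,L]

    # Internal clients arriving at the login form are sent to the SSO entry
    # point, where NTLM is enforced. IE with integrated authentication
    # completes it silently; other browsers show the prompt once and then
    # cache the credentials, as discussed above.
    RewriteCond %{REMOTE_ADDR} ^10\.
    RewriteRule ^/app/login$ /app/sso [R=302,L]

    # NTLM is enforced only here. The Require ip check makes the network
    # restriction independent of the rewrite rules above, so a client that
    # reaches this path directly is still limited to the internal range.
    <Location /app/sso>
        AuthType NTLM
        # Placeholder realm / Windows domain name
        AuthName "EXAMPLE"
        <RequireAll>
            Require ip 10.0.0.0/8
            Require valid-user
        </RequireAll>
        # PyAuthenNTLM2 handler directives (assumed from the project README)
        PythonAuthenHandler pyntlm
        PythonOption Domain EXAMPLE
        # Placeholder domain controller address
        PythonOption PDC 10.0.0.5
    </Location>
</VirtualHost>
```

The application behind /app/sso still has to establish its own session for the authenticated Windows user so that subsequent requests do not need to pass through the NTLM-protected location again.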