Single Sign On Active Directory

Next topic

Author	Message
Michael Hall	Monday 03 March 2008 4:47:00 am We're considering implementing an eZpublish intranet built on a RedHat server, located on a Windows 2003 Network. Current intranet solution is IIS/VBscript/.NET. Management have made it clear that single sign on has to stay. Meaning that once a user logs on to a computer, no further logins are required to access the intranet. Just as importantly, we need to be able to build a profile of that user (eg name, groups, email address, preferences) out of AD, probably using a Kerberos UPN or similar as user ID. Also, we don't want to have to replicate and maintain a user database/directory separate from Active Directory. I'm aware of the various technologies and HTTP server requirements involved (Kerberos, LDAP, mod_auth_kerb etc). I'm wondering if the SPNEGO Integrated Windows Authentication described here ... http://ez.no/developer/open_funding/suggestions_for_new_functionality/signal_sign_on_active_directory/we_ve_done_something_similar ... does this, or comes close? Has anyone had any experience with it?
Gaetano Giunta	Monday 03 March 2008 10:43:15 am The most annoying drawback of using sso with apache auth and spnego is the fact that auth is not controlled by php anymore but directly by apache. This means eg. that it is quite hard to have an intranet site that can be browsed at the same time by authenticated users or by anonymous ones. If apache sends the kerberous auth challenge to the browser and the browser does not have an ad ticket, it will pop up the password dialog to the end user without php ever having had a chance to intercept any request. If otoh all your clients are authenticated, this is not a big problem. The spnego extension you mention can be of use (in fact it is a very general mechanism that can be used with any apache based auth, not only with spnego or ad), but it only tackles the 'recognizing an authenticated user' part. You should add extra effort in eg: - disabling user/logout and user/login views - either importing your ad users into ezpublish via batch processes or making sure they are imported on-demand at the time of their first login (it is quite hard right now to have eZ Publish working with a 100% external user base. Most of the external auth solutions rely on still having a user object inside eZ for every external user) - mapping permissions/group membership from AD into eZ Publish. The ldap user php class that is provided in the standard eZ distribution is probably more interesting in that aspect Principal Consultant International Business Member of the Community Project Board

Author

Message

Monday 03 March 2008 4:47:00 am

We're considering implementing an eZpublish intranet built on a RedHat server, located on a Windows 2003 Network. Current intranet solution is IIS/VBscript/.NET.

Management have made it clear that single sign on has to stay. Meaning that once a user logs on to a computer, no further logins are required to access the intranet.

Just as importantly, we need to be able to build a profile of that user (eg name, groups, email address, preferences) out of AD, probably using a Kerberos UPN or similar as user ID.

Also, we don't want to have to replicate and maintain a user database/directory separate from Active Directory.

I'm aware of the various technologies and HTTP server requirements involved (Kerberos, LDAP, mod_auth_kerb etc).

I'm wondering if the SPNEGO Integrated Windows Authentication described here ...

http://ez.no/developer/open_funding/suggestions_for_new_functionality/signal_sign_on_active_directory/we_ve_done_something_similar

... does this, or comes close? Has anyone had any experience with it?

Gaetano Giunta

Monday 03 March 2008 10:43:15 am

The most annoying drawback of using sso with apache auth and spnego is the fact that auth is not controlled by php anymore but directly by apache.

This means eg. that it is quite hard to have an intranet site that can be browsed at the same time by authenticated users or by anonymous ones. If apache sends the kerberous auth challenge to the browser and the browser does not have an ad ticket, it will pop up the password dialog to the end user without php ever having had a chance to intercept any request.
If otoh all your clients are authenticated, this is not a big problem.

The spnego extension you mention can be of use (in fact it is a very general mechanism that can be used with any apache based auth, not only with spnego or ad), but it only tackles the 'recognizing an authenticated user' part. You should add extra effort in eg:
- disabling user/logout and user/login views
- either importing your ad users into ezpublish via batch processes or making sure they are imported on-demand at the time of their first login (it is quite hard right now to have eZ Publish working with a 100% external user base. Most of the external auth solutions rely on still having a user object inside eZ for every external user)
- mapping permissions/group membership from AD into eZ Publish. The ldap user php class that is provided in the standard eZ distribution is probably more interesting in that aspect

Principal Consultant International Business
Member of the Community Project Board

eZ debug

Timing:	Jan 31 2025 08:18:04
Script start
Timing:	Jan 31 2025 08:18:04
Module start 'layout'
Timing:	Jan 31 2025 08:18:04
Module start 'content'
Timing:	Jan 31 2025 08:18:04
Module end 'content'
Timing:	Jan 31 2025 08:18:04
Script end

Main resources:

Total runtime	0.0147 sec
Peak memory usage	2,048.0000 KB
Database Queries	3

Timing points:

Checkpoint	Start (sec)	Duration (sec)	Memory at start (KB)	Memory used (KB)
Script start	0.0000	0.0048	588.1328	151.2109
Module start 'layout'	0.0048	0.0025	739.3438	36.6484
Module start 'content'	0.0073	0.0058	775.9922	90.1406
Module end 'content'	0.0131	0.0016	866.1328	33.9922
Script end	0.0147		900.1250

Time accumulators:

Accumulator	Duration (sec)	Duration (%)	Count	Average (sec)
Ini load
Load cache	0.0023	15.9247	14	0.0002
Check MTime	0.0010	7.0402	14	0.0001
Mysql Total
Database connection	0.0009	6.0078	1	0.0009
Mysqli_queries	0.0022	14.8242	3	0.0007
Looping result	0.0000	0.0746	1	0.0000
Template Total	0.0012	8.2	1	0.0012
Template load	0.0009	6.0710	1	0.0009
Template processing	0.0003	2.0582	1	0.0003
Override
Cache load	0.0006	4.0452	1	0.0006
General
dbfile	0.0016	10.7839	8	0.0002
String conversion	0.0000	0.0551	4	0.0000
Note: percentages do not add up to 100% because some accumulators overlap

Templates used to render the page:

Usage	Requested template	Template	Template loaded	Edit	Override
1	print_pagelayout.tpl	<No override>	extension/community/design/community/templates/print_pagelayout.tpl
Number of times templates used: 1 Number of unique templates used: 1

Time used to render debug report: 0.0001 secs