Kerberos SSO authentication with Apache on Windows

468 views
Skip to first unread message

François St-Arnaud

unread,
Oct 28, 2014, 12:33:25 PM10/28/14
to waffle...@googlegroups.com
Hello,

I currently have a MediaWiki application running on an Apache HTTPD Windows server.

So, where talking about an PHP application. No Java or Tomcat involved. Running on Windows, not Linux.

Currently, it uses mod_auth_sspi for SSO authentication. My understanding is that this module does NTLM and not NTLMv2, correct?

In any case, I need to move to Kerberos and I was wondering if there was such a thing as an Apache HTTPD Waffle module or if I should be looking for other options.

The two Kerberos Apache plugins I have found seem to work only on Linux:

Other options that come to mind are:
  • Using CAS
  • Switching to IIS
But an Apache Waffle module seems like a sweet idea to me!

Regards,

François




Daniel Doubrovkine

unread,
Oct 29, 2014, 7:14:49 AM10/29/14
to waffle...@googlegroups.com
I haven't tried, but if your Apache sever is running on Windows, http://mod-auth-sspi.sourceforge.net should do the trick.

--
You received this message because you are subscribed to the Google Groups "waffle" group.
To unsubscribe from this group and stop receiving emails from it, send an email to waffle-users...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--

dB. | Moscow - Geneva - Seattle - New York
code.dblock.org - @dblockdotorg - artsy.net - github/dblock

François St-Arnaud

unread,
Oct 29, 2014, 4:30:17 PM10/29/14
to waffle...@googlegroups.com
Thanks for your reply Daniel. I appreciate it!

Actually, the module mod_auth_sspi (http://mod_auth_sspi.sourceforge.net) you link to is in fact what we are using today, but I have not been convinced from my readings that this module actually supported Kerberos. I was lead to believe it only supported NTLM not NTLMv2 nor Kerberos, but I may be mistaken. Or is this the whole point of SSPI, to abstract these details away, and use whatever underlying authentication mechanisms (SSPs) configured on the domain (Kerberos by default)?


On Wednesday, October 29, 2014 7:14:49 AM UTC-4, Daniel Doubrovkine wrote:
I haven't tried, but if your Apache sever is running on Windows, http://mod-auth-sspi.sourceforge.net should do the trick.

Daniel Doubrovkine

unread,
Oct 29, 2014, 8:39:41 PM10/29/14
to waffle...@googlegroups.com
Correct. Anything that uses the Windows API would abstract all that away. If that doesn't exist for Apache, I'd be shocked. But frankly when it didn't exist for Tomcat I wrote Waffle :) So, if it doesn't exist, implement it and contribute that to Waffle.
Reply all
Reply to author
Forward
0 new messages