How can I implement single sign-on (SSO) using Microsoft AD for an internal PHP app?
All you need is the mod_auth_sspi Apache module.
Sample configuration:
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain mydomain
# Set this if you want to allow access with clients that do not support NTLM, or via proxy from outside. Don't forget to require SSL in this case!
SSPIOfferBasic On
# Set this if you have only one domain and don't want the MYDOMAIN\ prefix on each user name
SSPIOmitDomain On
# AD user names are case-insensitive, so use this for normalization if your application's user names are case-sensitive
SSPIUsernameCase Lower
AuthName "Some text to prompt for domain credentials"
Require valid-user
And don't forget that you can also use Firefox for transparent SSO in a Windows domain: simply go to about:config, search for network.automatic-ntlm-auth.trusted-uris, and enter the host name or FQDN of your internal application (like myserver or myserver.corp.domain.com). You can have more than one entry; it's a comma-separated list.
How does single sign-on (SSO) work with PHP + Apache against an Active Directory for transparent authentication?
Authentication is a confusing mess. Here is some background.
LDAP: LDAP is a protocol for communicating user directory information. It can also handle authentication, but it is not seamless (SSO).
NTLM: NTLM is Microsoft's SSO built into IE, Active Directory and IIS. The original version of NTLM is very insecure, so NTLMv2 was implemented to fix the security issues in NTLM. The original NTLM is disabled by default in Windows Vista and later.
Kerberos: Kerberos is an open standard that is very secure and is designed to offer seamless (SSO) authentication. Active Directory supports a version of Kerberos.
As far as the Apache modules that can be used to implement these protocols, you included a pretty good list of them.
mod_ntlm: This is an Apache module that runs on Linux and supports the original NTLM (not NTLMv2).
mod_auth_kerb: This is an Apache module that implements Kerberos.
mod_auth_sspi: This is an Apache module for Windows that supports the original NTLM (not NTLMv2).
Apache2::AuthenNTLM: This is a Perl module that handles NTLM. I don't know if it supports NTLM and NTLMv2.
mod_auth_ntlm_winbind: This is an Apache module that interfaces with Samba's authentication.
Apache2 PHP SSO with Active Directory
I did this yesterday using mod_auth_kerberos. The basic process is as follows:
Install Kerberos and configure it
On Active Directory, create a new user
Use ktpass on Windows to create a keytab
Copy the keytab to Ubuntu and configure Apache to use the keytab
Have a look at the documentation here: http://www.grolmsnet.de/kerbtut/. It explains the configuration files better than I ever could.
Ubuntu specific bits are probably just installation, for which you'll want:
sudo apt-get install krb5-user libapache2-mod-auth-kerb
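How a PHP application can consume the identity that mod_auth_sspi or mod_auth_kerb hands over, as an added example that is not part of either answer above: Apache places the authenticated name in REMOTE_USER (as MYDOMAIN\user, as user@REALM, or as a bare name with SSPIOmitDomain On), and the application should normalize it and accept only the domains it expects. The function name, the allowlist values and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example. Allowlist values are constructed placeholders; use your own.
const TRUSTED_DOMAINS = ['mydomain'];        // NetBIOS domain prefix (mod_auth_sspi form)
const TRUSTED_REALMS  = ['corp.domain.com']; // Kerberos realm suffix (mod_auth_kerb form)

/**
 * Turn REMOTE_USER into a lower-case account name. Returns null when the
 * value is missing, malformed, or names a domain/realm that is not trusted.
 * Read only REMOTE_USER, which Apache sets after the auth module succeeds,
 * never a request header that a client could supply itself.
 */
function sso_username(array $server): ?string
{
    $raw = $server['REMOTE_USER'] ?? '';
    if (!is_string($raw) || $raw === '') {
        return null; // Apache did not authenticate this request
    }

    if (preg_match('/^([^\\\\@]+)\\\\([^\\\\@]+)$/', $raw, $m) === 1) {
        // DOMAIN\user
        if (!in_array(strtolower($m[1]), TRUSTED_DOMAINS, true)) {
            return null;
        }
        $user = $m[2];
    } elseif (preg_match('/^([^\\\\@]+)@([^\\\\@]+)$/', $raw, $m) === 1) {
        // user@REALM
        if (!in_array(strtolower($m[2]), TRUSTED_REALMS, true)) {
            return null;
        }
        $user = $m[1];
    } else {
        $user = $raw; // bare name, e.g. with SSPIOmitDomain On
    }

    // AD user names are case-insensitive: fold case, then restrict the charset
    // so the value is safe to use as a lookup key in the application.
    $user = strtolower($user);
    return preg_match('/^[a-z0-9._$-]{1,64}$/', $user) === 1 ? $user : null;
}

// Constructed sample values; in a real request call sso_username($_SERVER).
$samples = ['MYDOMAIN\\JSmith', 'jsmith@CORP.DOMAIN.COM', 'JSmith', 'OTHER\\jsmith', ''];
foreach ($samples as $value) {
    var_dump(sso_username(['REMOTE_USER' => $value]));
}
```

The first three samples resolve to the same account name, while the untrusted domain and the empty value yield null and should be treated as unauthenticated.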
Laravel and Azure AD SSO
The settings were incorrect, as mentioned in the comment below the question.