I created an application which will be used in a domain and I must make the authentication using user credentials. The user must not enter his credentials manually. I must somehow take the username from the target, then check it in Active Directory and then log in.
Searching over the internet I found that I must configure the Apache server.
I tried installing mod_authnz_sspi and then entering these settings in httpd.conf:
<LocationMatch ^/$>
AuthName "intranet"
AuthType SSPI
SSPIDomain xxx.xxx.xxx.xxx
SSPIAuth on
SSPIOfferSSPI on
SSPIAuthoritative on
require valid-user
SSPIUsernameCase lower
</LocationMatch>
But the browser prompts to enter the username and password, which I don't want.
I also tried installing mod_authn_ntlm but I didn't succeed.
Does somebody know how to do it? Thanks!
You're on the right track using mod_authnz_sspi. Does it work if you type in the username and password? If so, then your server configuration is done.
To make the browser automatically send the credentials of the currently logged-on user, the browser needs to trust the website. For IE and Chrome, you must add the website to the Trusted Sites or Intranet Sites in the Internet Options.
Firefox uses its own setting called network.negotiate-auth.trusted-uris, which is a list of sites it trusts for authentication.
Note: Similar questions deal with either Auth0 with Angular or are several years out of date and refer to previous versions.
We're using Auth0 to provide authentication for a group of applications run on Apache with mod_auth_openidc.
The only customization is that mod_auth_openidc is configured to check whether a user has access to a specific application or not via:
<Location /app1/>
AuthType openid-connect
Require claim valid_app1:true
</Location>
<Location /app2/>
AuthType openid-connect
Require claim valid_app2:true
</Location>
User metadata defined in the Auth0 settings (valid_app1 or valid_app2, etc) defines whether a user can access the applications located at website.com/app1 or website.com/app2, etc.
Currently, the user is correctly redirected to the Auth0 login page when trying to access any of the applications, and users who do not have access to that application are correctly rejected.
However on a successful login, the user is redirected to the callback page (defined as the first callback in the Auth0 settings and the OIDCRedirectURI in auth_openidc.conf, e.g. website.com/auth) and not back to the application the user attempted to load.
How do I configure Auth0 with Apache so that a user is returned to the URL of the application they initially attempted to load and not the callback URL?
Good
website.com/app1 > AUTH0 login > website.com/app1
website.com/app2 > AUTH0 login > website.com/app2
Bad
website.com/app1 > AUTH0 login > website.com/auth
You can accomplish this with a few different approaches:
You can register more than one callback/redirect URL within the client application configuration in Auth0 and then each application starts the login process by telling Auth0 the redirect URL associated with it.
You can represent your applications as multiple client applications in Auth0 where each one has a specific callback redirect URL and each application starts the process with that redirect URL.
You can continue to use the same callback URL and then do a second redirect to the final destination. This implies knowing where the user started the process, which can be achieved by leveraging the OAuth state parameter (this parameter should also be used for CSRF protection; see Using the State Parameter).
Options 1 and 2 are very similar; usually, if we are talking about conceptually different applications you would go with option 2, and if it's a single application that just wants to have two different ways of processing the callback you would go with option 1.
Finally, option 3 allows a similar thing to what's done in the first option, that is, the same application can conditionally redirect users to different places after login, but does it without the need to register additional redirect URLs on the Auth0 side. It's the application itself that decides where the user goes after processing the login at the callback URL.
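Option 3 above, as an added example that is not Auth0's code and not from the original answer: the application signs the return path into the state parameter, checks it at the /auth callback against a nonce kept in the user's server-side session, and only ever redirects to a same-site path. The tenant name, client id and signing key are placeholders assumed for this example.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed values for this example only; the real tenant, client id and key are not on the page.
AUTH0_DOMAIN = "TENANT_PLACEHOLDER.auth0.com"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
CALLBACK_URI = "https://website.com/auth"          # the single OIDCRedirectURI
STATE_KEY = secrets.token_bytes(32)                # server-side secret, never sent to the browser

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_state(return_to: str) -> tuple[str, str]:
    """Build a signed state carrying the return path; the nonce is stored in the user's session."""
    nonce = secrets.token_urlsafe(16)
    payload = json.dumps({"n": nonce, "r": return_to}).encode()
    tag = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag), nonce

def authorize_url(return_to: str) -> tuple[str, str]:
    """Login URL for the app the user tried to open (e.g. /app1/) plus the session nonce."""
    state, nonce = make_state(return_to)
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "redirect_uri": CALLBACK_URI, "scope": "openid profile", "state": state})
    return f"https://{AUTH0_DOMAIN}/authorize?{query}", nonce

def safe_local_path(path: str) -> str:
    """Allow only same-site relative paths so a forged state cannot become an open redirect."""
    parts = urlsplit(path)
    if parts.scheme or parts.netloc or "\\" in path or not path.startswith("/") or path.startswith("//"):
        return "/"
    return path

def callback_target(callback_url: str, session_nonce: str) -> str:
    """At /auth: verify the state against the session, then return the path to redirect to.
    Raises ValueError on a malformed, tampered or replayed state (binascii.Error is a ValueError)."""
    state = parse_qs(urlsplit(callback_url).query).get("state", [""])[0]
    payload_b64, tag_b64 = state.split(".", 1)
    payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    expected = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("state signature invalid")
    data = json.loads(payload)
    if not hmac.compare_digest(data["n"], session_nonce):
        raise ValueError("state nonce does not match the session (possible CSRF)")
    return safe_local_path(data["r"])
```

The second redirect is then simply a 302 to the value callback_target returns, with the nonce cleared from the session so the state cannot be replayed.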
My experience with Shibboleth is limited and I have no access to configuration or logs on the IdP or the SP. I am trying to troubleshoot this issue:
A previous Shibboleth session is still active on the client workstation. When attempting to access a document protected by the following .htaccess configuration:
AuthType shibboleth
ShibRequestSetting requireSession 1
require valid-user
The client (occasionally) receives the following error message:
Authorization Failed
Based on the information provided to this application about you, you are not authorized to access the resource at "http://myresourcepath"
Please contact the administrator of this service or application if you believe this to be an error
In troubleshooting, I changed .htaccess from
require valid-user
to:
require shib-session
I thought the issue might be the deprecated parameter, but after changing it, I was still receiving the authorization failed message. The only way to successfully authorize is to clear the browser cache and revisit the page, which then prompts for authentication; then authorization passes its check and you reach the page successfully with no error.
What complicates matters even more is that when .htaccess is set to:
require shib-session
The authorization error message persists even after clearing the cache and re-authenticating. I had to change .htaccess back to
require valid-user
I don't know what could cause the random authorization issue; if the session wasn't valid, the user would get directed to the IdP for login, correct? That's Shibboleth's design. So the session has to be valid, but why does it not recognize the user as authorized for that resource?
Additionally:
After I received the message and googled quickly, it seems like a stock response from the IdP:
https://technical.bestgrid.org/index.php/Vladimir's_general_Shiboleth_notes
says:
This specific example asks for the user variable to be set to any value - and any Shibboleth attribute can be used with the variable name it is assigned to in the Attribute Acceptance policy (AAP.xml). For more syntax on using the require directive, see the examples in the SP htaccess documentation on specific features implemented for the Apache require directive.
Users who do not have the attribute (or do not provide it) get the following error message (with the Shibboleth logo). .... it is the same message....
This form of control however may not be that user friendly: the user would have to know either to use Autograph to allow the release of the attribute, or to talk to their IdP administrator to configure the attributes on the IdP.
Also note that this does not work with lazy sessions - in which case one immediately gets the same error message.
Further, note that care must be taken with overlapping access control blocks. These should be listed from the most-generic ("/") to the most specific (as "/secure" in the above example). Otherwise, the more relaxed settings on the generic one would override the more stringent settings on the specific one.
I am trying to implement Apache authentication using PKI digital certificates stored on a token / smart card.
I'm using XAMPP 5.6.8.0-VC11 on a Windows 7 computer.
Following what I found searching the internet, I uncommented the following settings in the httpd-ssl.conf file in the Apache configuration:
SSLVerifyClient require
SSLVerifyDepth 10
From there, when accessing https://localhost, the browsers (IE 11, Chrome 43 and FF 38) display the digital certificate selection screen (I use an e-CPF in the ICP-Brasil standard, stored on a token) and request the password.
After entering the password and pressing ENTER, the behavior in the browsers is as follows:
In IE, I am shown a page with the message "This page can not be displayed".
In FF, the page loads indefinitely.
In Chrome, you see the message "Authentication based on certificate failed" ERR_BAD_SSL_CLIENT_AUTH_CERT, and clicking on "details" shows:
"This server requires a certificate for authentication and did not accept the one sent by the browser. Your certificate may have expired or the server does not trust the issuer. Try again with a different certificate, if you have one, or you must obtain a certificate valid from somewhere else. "
I have already tested several additional settings I found on the internet, but nothing works.
I have also changed the Windows Internet options regarding SSL and TLS, also without success.
I would like to figure out how to implement authentication with digital certificates for a more secure login system that is in development.
Has anyone experienced this or know how to solve the issue?
What is the purpose of the AuthName directive used within the <Directory></Directory> tag of the httpd.conf file?
AuthName is used when using authentication with Apache. As the documentation says:
The AuthName directive sets the Realm to be used in the authentication. The realm serves two major functions. First, the client often presents this information to the user as part of the password dialog box. Second, it is used by the client to determine what password to send for a given authenticated area.
In the picture below (from HeliconTech Blog), the AuthName has been set to "secret area".
Might there be a way to set one's .htaccess file to prompt for authentication each time? Example: I open a browser tab, go to the pw protected url, I'm prompted for a pw. Close the tab (main browser still open) and repeat the above and be prompted for the pw again. This is not happening unless I close the browser. Maybe this is a caching thing?
Here's what I have so far:
AuthType Basic
AuthName "myName"
AuthUserFile "/home/myDir/.htpasswds/public_html/myName/passwd"
require valid-user
Thanks in advance.
Actually it is working this way (simplified):
browser sends request to your server without credentials
Apache responds with a 403 error because "require valid-user" was specified
browser prompts for username & password
browser sends request again, this time credentials are provided
Apache verifies credentials against AuthUserFile and sets "valid-user" accordingly
if everything is OK, it puts out the data with a 200 status code
the browser that receives the 200 code caches the used credentials for the relevant domain until the browser session expires
As you see, the problem lies in the browser. You cannot force the browser to forget the password it uses for a domain. And usually you don't want to: for example, if a password protected page contains images, the browser would require the username and password for each downloaded image.
However there are some tips you could try:
you could write your own Apache authorization handler that only authorises the user every second time they access the page; but it's really hard to do
you could use some kind of form-based authentication (in script like php or asp.net) instead of relying on http authentication; this way is quite flexible
you could do a trick where every time a protected page is accessed some kind of script changes the password in the passwd file; then provide two passwords for each user and switch them on each request; this way the browser always remembers the "wrong" password; it seems crazy but this is the easiest solution I could think of :-)
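As an added illustration that is not from either answer, covering both the realm semantics quoted under AuthName and the credential caching described in the step list above: an in-process model of a "require valid-user" server (RFC 7617 challenge and response) and a browser that keys its cached credentials on the protection space (origin, realm), so the same AuthName never re-prompts within a session while a different AuthName does. The user database and credentials are constructed for the example.

```python
import base64, hashlib, hmac, re

# Constructed stand-in for AuthUserFile (not credentials from the page); the hash is a
# salted SHA-256 for brevity, whereas real htpasswd files use bcrypt or apr1.
USERS = {"alice": ("salt1", hashlib.sha256(b"salt1s3cret").hexdigest())}

def check_password(user: str, password: str) -> bool:
    salt, digest = USERS.get(user, ("", ""))
    calc = hashlib.sha256((salt + password).encode()).hexdigest()
    return bool(salt) and hmac.compare_digest(calc, digest)

def apache_handle(headers: dict, realm: str):
    """Server side of 'AuthType Basic' + 'require valid-user' for one request (RFC 7617)."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:], validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            user, pw = "", ""
        if check_password(user, pw):
            return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}

class Browser:
    """Model of a browser credential cache keyed by protection space = (origin, realm)."""
    def __init__(self, ask):
        self.ask = ask        # prompt callback: realm -> (user, password)
        self.cache = {}       # (origin, realm) -> Authorization header value
        self.prompts = 0

    def get(self, origin: str, auth_name: str) -> int:
        """Fetch a protected page from the in-process server whose AuthName is auth_name."""
        status, resp = apache_handle({}, auth_name)        # first request carries no credentials
        if status != 401:
            return status
        realm = re.search(r'realm="([^"]*)"', resp["WWW-Authenticate"]).group(1)
        header = self.cache.get((origin, realm))
        if header is None:                                  # unknown protection space: prompt
            self.prompts += 1
            user, pw = self.ask(realm)
            header = "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()
        status, _ = apache_handle({"Authorization": header}, auth_name)
        if status == 200:
            self.cache[(origin, realm)] = header           # kept until the browser is closed
        return status
```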