On 2007.07.31, Rick Cobb <[EMAIL PROTECTED]> wrote:
> We're getting a lot of requests for real Windows "single-sign-on". That
> is, no sign on at all if the user's already logged into their Windows
> domain. This is for corporate deployments, obviously. The Apache
> community apparently has a module known as "mod_auth_kerb" for this.

AFAICT, mod_auth_kerb uses HTTP Basic auth and the Negotiate auth along
with Kerberos as the authenticator. Does a Windows domain controller
now also act as a KDC?

> Has anybody worked on porting it to AOLServer? NaviServer? We've
> already done LDAP deployments; that's not sufficient for this
> community (since it still requires you to log in to the web server).

Really, what you're asking for is implementation of the HTTP Negotiate
auth. method (aka "Integrated Windows authentication"):

    Authentication in WinHTTP
    http://msdn2.microsoft.com/EN-US/library/aa383144.aspx

It appears that Windows 2000 and later do support Kerberos, so that's
good to know. Older clients will fall back to NTLM. I've seen (but
never used) libntlm for NTLM auth (as well as Samba, which I think
implements NTLM auth).

Kerberos auth on the server-side should be straightforward to implement.

It'd be really neat to have a Negotiate auth. implementation for
AOLserver. If anyone's already done it, and would be willing to share,
that'd be fantastic. Otherwise, it's yet another item to add to the
ever-growing TODO list. :-)

-- Dossy

--
Dossy Shiobara | [EMAIL PROTECTED] | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
"He realized the fastest way to change is to laugh at your own
folly -- then you can let go and quickly move on." (p. 70)
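
Added example, not part of the original message and not AOLserver or mod_auth_kerb code: a server-side check that tells whether an `Authorization: Negotiate` header carries a Kerberos token or the NTLM fallback the reply mentions, so NTLM use can be logged or refused. The names `classify_negotiate` and `_tlv` are hypothetical, the sample tokens are constructed, and the code only reads the first (preferred) SPNEGO mechanism without validating any ticket.

```python
import base64

MECHS = {  # mechanism OIDs (DER value bytes) a Negotiate token can name
    bytes.fromhex("2a864886f712010202"): "kerberos",    # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "kerberos",    # 1.2.840.48018.1.2.2 (legacy MS)
    bytes.fromhex("2b06010401823702020a"): "ntlm",      # 1.3.6.1.4.1.311.2.2.10
}
SPNEGO = bytes.fromhex("2b0601050502")                  # 1.3.6.1.5.5.2
# Constructed sample headers (assumptions for illustration, not captured traffic).
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
SAMPLE_KRB = "Negotiate " + base64.b64encode(bytes.fromhex(
    "601b06062b0601050502a011300fa00d300b06092a864886f712010202")).decode()

def _tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated token")
    return tag, pos, pos + length

def classify_negotiate(header_value):
    """Classify an Authorization header: none, malformed, ntlm, kerberos or other."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "none"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
        if token.startswith(b"NTLMSSP\x00"):       # raw NTLM, no GSS-API framing
            return "ntlm"
        tag, pos, _ = _tlv(token, 0)               # 0x60 = GSS-API initial token
        if tag != 0x60:
            return "other"
        tag, start, end = _tlv(token, pos)         # outer mechanism OID
        if tag == 0x06 and token[start:end] == SPNEGO:
            pos = end
            # Descend NegTokenInit: [0] -> SEQUENCE -> [0] mechTypes -> SEQUENCE
            for expected in (0xA0, 0x30, 0xA0, 0x30):
                tag, pos, _ = _tlv(token, pos)
                if tag != expected:
                    return "other"
            tag, start, end = _tlv(token, pos)     # first (preferred) mechType
        return MECHS.get(token[start:end], "other") if tag == 0x06 else "other"
    except (ValueError, IndexError):               # bad base64 or truncated DER
        return "malformed"
```

A server that wants Kerberos only can answer anything classified as `ntlm` with a fresh `401` instead of continuing the handshake.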