On May 22, 7:29 am, "Paul Johnston" <[EMAIL PROTECTED]> wrote:
> Does anyone here have TG working with integrated Windows authentication?
>
> I am really struggling with this. I have tried the following:
>
> 1) Running TG inside IIS using the ASP WSGI gateway. This fails with a COM
> error on most requests (although it works for the first request after a
> restart). No-one (including the author) was able to debug this.
>
> 2) Running TG inside Apache, using mod_python. This relies on mod_auth_sspi
> for authentication. mod_auth_sspi is failing (with an error related to
> security contexts). Again, no-one (including the author) has been able to
> debug this.

Well, I'm "the author" mentioned in solution #1. So I should at least
be the one to tell you I use solution #2 in production at work.
Here's the relevant segments of my deployment recipe:

Install and set up Apache

1. Get the Apache2 msi: http://httpd.apache.org/download.cgi
2. Get mod_python: http://www.apache.org/dist/httpd/modpython/win/
3. Get mod_auth_sspi:
   http://www.gknw.net/development/apache/httpd-2.0/win32/modules/mod_auth_sspi-1.0.2-2.0.54.zip
   Copy mod_auth_sspi-1.0.2/bin/mod_auth_sspi.so to Apache's modules folder.
4. Get misc/modpython_handler.py:
   http://projects.amor.org/misc/svn/modpython_gateway.py
5. Make a new conf/myapp.conf file. See below.
6. In httpd.conf:
       Include conf/myapp.conf

SSL-enable Apache

See http://www.thompsonbd.com/tutorials/apachessl.php

1. Get an openssl binary of Apache2 for Windows: http://hunter.campbus.com/
2. Copy the executable files (*.exe, *.dll, *.so) from the downloaded
   apache-mod_ssl distribution over your original Apache installation
   directory (remember to stop Apache first and DO NOT overwrite your
   edited config files etc.!).
3. Get openssl binary for Windows:
   http://gnuwin32.sourceforge.net/packages/openssl.htm
4. Copy the files ssleay32.dll and libeay32.dll from the OpenSSL folder
   to WINNT\System32.
5. Get openssl.cnf (see link above) and place it into the same folder
   where you unzipped OpenSSL. Windows will remove the .cnf and will make
   this file look like a dialup icon. Just ignore it.
6. Get ssl.conf (see link above) and place it in the Apache2/conf directory.
7. Create a certificate. Change "my-server" to whatever you like.
   * Make a cert request:
       openssl req -config openssl.cnf -new -out my-server.csr
   * Remove the passphrase from the private key:
       openssl rsa -in privkey.pem -out my-server.key
   * Self-sign the cert:
       openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 1825
8. Move my-server.key and my-server.cert into Apache/conf/ssl/
   (create the ssl folder if needed).
9. In httpd.conf:
       LoadModule ssl_module modules/mod_ssl.so
       Include conf/ssl.conf

----

# myapp.conf

LoadModule sspi_auth_module modules/mod_auth_sspi.so

# Use a PythonImport only if using mpm_winnt. If you're using
# prefork (on Unix), you'll have to use a "PythonOption import"
# directive to the modpython_gateway handler, or a PythonFixupHandler.
PythonImport myapp.http.cpdeploy host.amorhq.net

<Location /mcontrol>
    SetHandler python-program
    PythonHandler modpython_gateway::handler
    PythonOption wsgi.application cherrypy._cpwsgi::wsgiApp
    PythonDebug On

    #NT Domain auth config
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIOfferBasic On
    SSPIDomain HQAMOR
    # following line squishes bug #1168 if IE has troubles editing wiki pages.
    # VERY IMPORTANT for IE clients
    SSPIBasicPreferred On

    AuthName "Amor Ministries"
    Require valid-user
</Location>


Robert Brewer
System Architect
Amor Ministries
[EMAIL PROTECTED]
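
An added example, not part of Robert Brewer's recipe or of any project named above: a small Python check that reads Apache config text and flags two settings in the `<Location /mcontrol>` block, Basic credentials being offered without a per-location SSL requirement, and `PythonDebug On`. The `SSLRequireSSL` test is a heuristic (TLS may be enforced elsewhere in the server config); the sample text, finding labels and function names are constructed for illustration.

```python
import re

# Constructed sample: the <Location> block from myapp.conf above, trimmed.
SAMPLE_CONF = """\
<Location /mcontrol>
    SetHandler python-program
    PythonDebug On
    AuthType SSPI
    SSPIAuth On
    SSPIOfferBasic On
    SSPIBasicPreferred On
    Require valid-user
</Location>
"""

def parse_locations(text):
    """Return {path: {directive_lower: args}} for each <Location> block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<Location\s+(\S+?)>$", line, re.I)
        if m:
            current = blocks.setdefault(m.group(1), {})
        elif re.match(r"</Location>$", line, re.I):
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            current[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return blocks

def audit(text):
    """Return (path, finding) pairs, in check order, for each block."""
    findings = []
    for path, d in parse_locations(text).items():
        # Basic credentials are only base64-encoded, so the block should
        # refuse plain HTTP; mod_ssl's SSLRequireSSL does that per location.
        if d.get("sspiofferbasic", "").lower() == "on" and "sslrequiressl" not in d:
            findings.append((path, "basic-auth-without-SSLRequireSSL"))
        # PythonDebug On sends Python tracebacks to the client.
        if d.get("pythondebug", "").lower() == "on":
            findings.append((path, "PythonDebug-On"))
    return findings

# The same block with both findings addressed (constructed).
HARDENED_CONF = SAMPLE_CONF.replace(
    "PythonDebug On", "PythonDebug Off\n    SSLRequireSSL")
```
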

