Home / server / Questions / 406288
In Process
Florian Fankhauser
Asked: 2012-07-11 00:07:23 +0800 CST

Integrated Windows Authentication with Apache HTTP Server on Linux

  • 772

What is the best way to enable Integrated Windows Authentication for a PHP web application running on Apache2/Linux? There is a Windows Domain Controller in the network which should be used for authentication.

I found these apache modules:

But these modules seem to be very outdated (last updated 2007/2008). Is there a better, more up-to-date way to do this?

linux apache-2.2 kerberos integrated-authentication

3 Answers

  1. I believe WDC speaks LDAP, in which case you probably want mod_authnz_ldap instead.

    • 2

  2. The best option is mod_auth_sspi, it's reasonable up to date, most recently released in 2011.

    I used mod_auth_sspi 1.0.4 with apache 2.2.9 on Windows Server 2003 and it works fine for Windows XP clients. They get logged in automatically. Here is my config, note that you don't need the SVN bit, but you can see how to restrict to specific groups.

    # Set that only Domain Users can access this whole server
LoadModule sspi_auth_module modules/mod_auth_sspi.so
LoadModule dav_module         modules/mod_dav.so
LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so
LoadModule rewrite_module modules/mod_rewrite.so

<LocationMatch />
    AuthType SSPI
    AuthName "Windows Authentication"
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain dmn.example.com
    SSPIOmitDomain On 
    SSPIOfferBasic Off 
    SSPIUsernameCase lower
</LocationMatch>

<LocationMatch /trac>
    Require valid-user
</LocationMatch>

# Share subversion repos under http://grp-svn:/svn/REPO_NAME
# We need developers to have read and write access and app support and prod support to have read only.
# The front office dev team also have access.
<Location /svn>
    DAV svn
    SVNParentPath D:\GRP-Data\svn\repos
    <Limit GET PROPFIND OPTIONS REPORT CHECKOUT>
        Require group "DMN\\GRP-DEV" "DMN\\GRP-SKY Production Support" "DMN\\FS_Sky_RO_DL" 
    </Limit>
    <Limit POST PUT DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK VERSION-CONTROL REPORT CHECKOUT CHECKIN UNCHECKOUT MKWORKSPACE UPDATE LABEL MERGE BASELINE-CONTROL MKACTIVITY ORDERPATCH ACL PATCH SEARCH>
        Require group "DMN\\GRP-DEV" "DMN\\AS_Apache FO_C_DL" 
    </Limit> 
</Location>
    • 0

  3. I've spent a few hours searching here and there, and finally found the solution.

    There is no need to install/enable any apaache modules.

    As per the Integrated Windows Authentication Documentation, a response header from your webserver is all what you need.

    If you set the WWW-Authenticate header in your virtual host configuration, and the server responds with HTTP/1.1 401 Unauthorized, the client will retry the request with Authorization header line contains the base64 encoding of an InitialContextToken.

    In your vhost.conf add the header Header set WWW-Authenticate 'Negotiate'

    Don't forget to enable the headers module a2enmod headers && service apache2 restart

    Have a look on this document.

    • 0