Transparent Authentication

On an intranet users will often have already been authenticated against their central login server, and it's just annoying to force them login again, sometimes using a different name & password, in order to use TWiki. Wouldn't it be nice if we could just use the existing authenticated session? (Also referred to as SingleSignOn)

Background

TWiki supports a range of different authentication methods. These are:

1. Pure TWiki authentication (no other authentication system is involved)
   • a.k.a TemplateLogin
   • TWiki uses it's own .htpasswd file, and handles all password negotiation itself.
   • TWiki uses cookied sessions to remember user logins.
   • Mainly used when TWiki stands alone (isn't integrated with any other applications)
2. Apache authentication
   • a.k.a ApacheLogin
   • TWiki uses the REMOTE_USER environment variable, which is set by an apache module, to recognise the user.
   • Any Apache login module that sets REMOTE_USER can be used.
   • This is the usual login method used on intranets.
3. Homebrew login
   • Any third-party login system can be used by writing Perl login and password management modules to integrate with TWiki
   • Example: LdapContrib
   • Use if there is no Apache module available to support your login system, or you want a tighter integration.

The rest of this page discusses methods for transparent authentication based on the Apache authentication approach.

On Unix, authenticated against a Windows domain

Using NTLM

• http://modntlm.sourceforge.net/ - NTLM auth module for Apache/Unix
  • the code is quite old and doesn't appear to be maintained. I couldn't get it to work in a multi-domain environment (server is in DOM2, users are authenticated against DOM1) -- MattWilkie
  • the Unofficial MOD_NTLM Apache Module is reported to work with multiple domains and Apache2 -- MattWilkie - 12 Apr 2006

• NTLM works perfectly for me, using mod_ntlm and Apache 1.3, authenticating against a Windows 2003 server. I did have to remove a few "static" declarations from the source file of mod_ntlm to compile successfully on my Ubuntu server. Once I did that it worked transparently on IE.
  • You can make Firefox do NTLM transparently as well, by following these instructions.
  • Note that I had no luck getting mod_ntlm2 built against Apache 2.0. Luckily Ubuntu has both Apache 1.3 and 2.0 available.
  • Note also that after enabling NTLM, I needed to do a few final steps to get the logon name to map to WikiName properly. First I had to rewrite my TWikiUsers page. The default version only included the user WikiName instead of WikiName - WindowsLogonName. Then I switched to the version of the TWikiRegistration page that asks for your network logon name. Finally I edited TWiki.cfg and set doMapUserToWikiName to "1". Note this is apparently a security risk but I'm on a small intranet so am not too worried.
  • -- BillyCharlton
• There is a report that http://search.cpan.org/~speeves/Apache-AuthenNTLM-2.10/ works more easily than the apache module for Apache2. Using it would require modifying the twiki bin scripts or creating a plugin. -- MattWilkie - 12 Apr 2006
• I was not able to get ntlm authentication to work on a 64 bit linux with Apache 2. Compilation of mod_ntlm gave lot's of errors of mismatching pointer sizes etc, but got eventually compiled afer removing the same few "static" declarations as others had to do. The installation did not work either because compilation did not produce .so, but an .slo. I Installed the mod_ntml with apxs -i -a -n 'ntlm' mod_ntlm.la. When I start apache after this, it crashes with segmentation fault.

Using PAM and SMB

Generic

It works great, but not transparently. Doesn't suffer from the performance issues that PAM and Winbind does. For installation use the same procedure and modules as in Using PAM and Winbind below, but use the following configuration instead.

Overall authentication with Apache is forwarded to PAM using the Auth_PAM module. Here is a sample from httpd.conf:

<Directory "/home/twiki/bin">
    AllowOverride None
    AuthPAM_Enabled on
    AuthName "Documentation Center"
    AuthType Basic
    Require valid-user
    SSLRequireSSL
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>

Next, add a SMB module to PAM ( pam_smb_auth.so ) and changed the /etc/pam.d/httpd entry to:

auth       sufficient   /lib/security/pam_smb_auth.so nolocal debug
account    optional   /lib/security/pam_permit.so

Note: auth and account 'required' also work.

Lastly, the PAM SMB module requires a config file ( /etc/pam_smb.conf ) with the domain on the first line, and the IP of the PDC on the following line. (Note: you can also use the NETBIOS name of the PDC if nmbd is running and configured properly).

MYDOMAIN
MYPDC
MYBDC

When you login, don't use the DOMAIN+username syntax that winbind uses, just username.

Troubleshooting tip: SSH or telnet in to your linux machine and run: tail -f /var/log/apache/error.log and then point a browser at twiki.

Adapted from GettingWindowsLoginPassedToTwiki. Thanks go to RussellAdams.

Using PAM and Winbind

Solaris

See http://us4.samba.org/samba/ftp/docs/textdocs/Solaris-Winbind-HOWTO.txt

Redhat

See http://us1.samba.org/samba/docs/man/winbind.html .

Debian

It was working, but then I broke it somehow, and now it's working again but I don't exactly why. As near as I can tell, in order to get it working you need to :

1. install samba, winbind, libapache-mod-auth-pam more or less as detailed below.
2. enable mod-auth-pam in $twiki-bin/.htaccess
3. do something which forces Twiki authentication, e.g. edit a page
4. now you can disable $twiki-bin/.htaccess and transparent authentication will work (for an unkown length of time).

Update: I had $doRememberRemoteUser turned on in Twiki.cfg . With this turned off, you once again need to have .htaccess enabled all the time. So, the end result is authentication via PAM and Winbind works, but not transparently. -- MattWilkie - 27 Aug 2002

---

Once more unto the breach: I've mustered the resolve to take another crack at this. I have pam+winbind+apache authentication working (not transparently), but it is vveeerrrrry sllooowwwww. Authentication takes 60+ seconds on every page read. Winbind authentication requests via SSH and SAMBA take less than 5 seconds. Yuk.

/var/log/auth.log:

Feb 10 09:57:44 BUMBLEBEE sshd[14312]: PAM pam_parse: expecting return value; [...sufficienti]
Feb 10 09:57:48 BUMBLEBEE pam_winbind[14312]: user 'ynet+mhwilkie' granted access
Feb 10 09:57:48 BUMBLEBEE pam_winbind[14312]: user 'ynet+mhwilkie' granted access
Feb 10 09:57:48 BUMBLEBEE sshd[14312]: Accepted password for ynet+mhwilkie from 199.247.173.70 port 1424 ssh2
Feb 10 09:57:48 BUMBLEBEE PAM_unix[14314]: (ssh) session opened for user ynet+mhwilkie by (uid=10000)
these lines correspond to logging in from remote via ssh, using winbind for authentication. Elapsed time: 4 seconds, including the time it takes to type my password.

Feb 10 09:59:03 BUMBLEBEE sshd[14314]: PAM pam_putenv: delete non-existent entry; MAIL
Feb 10 10:02:29 BUMBLEBEE PAM_unix[14316]: (samba) session opened for user ynet+dpdavids by (uid=0)
these lines correspond to accessing \\bumblee\a_share\ by another user. Elapsed time: 4 seconds.

/var/log/apache/error.log:

[Mon Feb 10 10:09:08 2003] [error] [client 199.247.173.70] File does not exist: /var/www/bin/oops/TWiki/TWikiRegistration
corresponds to pointing a browser at $twiki/bin/view/Sandbox/WebHome. Response time: instantaneous. The user is prompted with a login dialog.

[Mon Feb 10 10:10:24 2003] view: print() on closed filehandle TWiki::Store::FILE at ../lib/TWiki/Store.pm line 667.
some 70 seconds later. This corresponds to Sandbox/WebHome finally being displayed. %REMOTE_USER% corresponds to the authenticated username.

/var/log/auth:

Feb 10 10:09:22 BUMBLEBEE apache[14233]: PAM pam_parse: expecting return value; [...sufficienti]
Feb 10 10:09:23 BUMBLEBEE pam_winbind[14233]: user 'ynet+mhwilkie' granted access
Feb 10 10:09:24 BUMBLEBEE pam_winbind[14233]: user 'ynet+mhwilkie' granted access
This what shows up in the auth log for the same browser request.

-- MattWilkie - 11 Feb 2003

this blockquote section probably contains erroneous information, use with caution

I've finally gotten this to work on a debian machine within a Windows NT domain and it's fast, smooth & painless. Not the setup, the setup was hell, but it sure works lickity split after that.

Packages installed (first indented bullet = required, second level bullet = not sure, but I installed it anyway):

• apache w/ apxs (apache-dev)
  • libapache-mod-auth-pam
• Samba 2.2.2 or later
  • libpam-smb
• winbindd
  • libauthen-smb-perl

Debian is v3.0.r0 using stable, main, contrib, testing in my apt sources config.

The packages were installed with the command:

apt-get install samba libpam-smb winbindd apache-dev libapache-mod-auth-pam libauthen-smb-perl

Note: I actually installed samba and got it working seperately a few days before

I used the document /usr/share/samba/swat/help/winbind.html as my guide for configuration. Read the whole thing for understanding but you can skip ahead to the Configure nsswitch.conf and the winbind libraries section:

• skip the cp and ln commands (Use locate winbind to ensure pam_windbind.so is indeed in the right location. If not, run updatedb and then locate again. If it is still not there you'll have to start digging to find out what went wrong)
• do edit /etc/nsswitch.conf. Mine looks like this (only changed lines shown):

     passwd:         compat winbind
     group:          compat winbind
     shadow:         compat
     

• do the ldconfig step

Configure smb.conf

• I just used the example verbatim

Join the SAMBA server to the PDC domain

• skipped this step because it was already completed a few days before

Start up the winbindd daemon and test it!

• no changes from the doc's instructions

Fix the /etc/rc.d/init.d/smb startup files

There is no need to do anything here. The debian startup script is /etc/init.d/winbind . Test by running /etc/init.d/winbind restart && ps -ae |grep winbind

Configure Winbind and PAM

Didn't use any of the examples in this section, except for understanding.

My /etc/pam.d/httpd looks like:

auth    required      pam_winbind.so
account required      pam_winbind.so
#auth    sufficient      pam_unix.so use_first_pass
#account sufficient      pam_unix.so

I did not change any other pam.d files.

---

This completes the winbind setup. The only thing remaining to do is point your browser at http://.../view/TWiki/TWikiVariables. If everything is working your % USERNAME% should look like DOMAIN+mhwilkie . If that is the case, go delete or rename ../bin/.htaccess because you don't need it anymore.

-- MattWilkie - 22 Aug 2002

AAaaaRgh! It worked flawlessly for about 4 hours and then started reporting USERNAME as "guest" for everybody across the board. yech.

-- MattWilkie - later on 22 Aug 2002

On Windows, in a Windows domain

CygWin

• CygwinAuthentication (in development, not proven)

WindowsIIS

• CookbookWindowsIISSetup - Microsoft Information Server authentication (proven to work)

Apache

• WindowsInstallModNTLM - Apache modules (mod_ntlm and mod_auth_sspi) to authenticate against an NT Domain server.
  • ntlm: (apache 1.3) works, there are major performance issues in some configurations. This module has good quality code but is not maintained
  • sspi: (apache 2.0) proven to work, code is maintained, no speed issues so far
    • Since mod_auth_sspi no longer has binaries available for latest apache versions I have compiled one against apache 2.0.46 for those without access to MSVC can be found at http://www.firepages.org/public/mod_auth_sspi-apache2046.zip -- Main.SimonWheeler - 22 June 2003
    • WindowsInstallModNTLM has an additional source for sspi binaries -- MattWilkie 30 Jul 2003
• Apache (Cygwin or Unix) with mod_auth_kerb
  • I have managed to get transparent TWiki authentication running for clients from a Windows2003 domain using mod_auth_kerb. This needed some patches which are unlikely to make it into DakarRelease, so no cookbook yet. More a proof of concept, and a guideline for me where to go with future contributions.
    -- HaraldJoerg - 15 Nov 2005

-- MattWilkie 23 Aug 2002, 05 Nov 2002, 30 Jul 2003

-- Contributors: MattWilkie, RichardDonkin, CrawfordCurrie, HaraldJoerg, SimonWheeler

---

Comments

A writeup on how to use windows 2000/2003 active directory to authenticate and auto-populate twiki registeration details would be a great addition for many

-- SibiJoseph - 20 Mar 2007

I setup mod_auth_kerb to a Win2k3 domain. The apache lines are thus:

AuthType Kerberos
KrbAuthRealms MYDOMAIN.COM
KrbServerName HTTP
Krb5Keytab /path/to/my/keytab
KrbMethodNegotiate on
KrbMethodK5Passwd on
require valid-user

This will send the user credentials on. You need to use LdapContrib to handle the rest, but I don't have that working yet.

-- ScottJaffa - 01 Nov 2007

I use mod-auth-kerb to transparently authenticate with Windows 2003 as well. With a couple of plugins the registration details seem to flow into the right place. I'm working on a writeup at Windows2003Authentication.

-- MattEverson - 06 Dec 2007

---

Related Links

TWiki Links:

• SsoLoginContrib - SSO login contrib package for cookie based SSO authentication with auth tokens
• BlogEntry201206x1 - How to: Single Sign-on, a Convenient Way to Authenticate Users
• TWikiUserAuthentication - the normal twiki way of authenticating users
• WindowsInstallModNTLM - another Apache module to authenticate against an NT Domain server (this is the one which works transparently for IE users)
• NtlmForSolaris10 - Cookbook on how to get the mod_ntlm Apache module working with Solaris. Includes pre-compiled binaries for Solaris. Most information mentioned here also applies to other Unices.
• ForgettingPasswords - general discourse on the problem
• CookbookWindowsIISSetup - Microsoft Information Server authentication
• search for 'authen' topic names across all webs

External Links:

• http://www.geocities.com/rozmanov/ntlm/ - Python-based proxy for NTLM authentication (over HTTP) to IIS web servers and MS Proxy
• http://www.innovation.ch/java/ntlm.html - documentation of the NTLM over HTTP protocol
• http://devel.squid-cache.org/ntlm/ - Squid's implementation of NTLM over HTTP

Some more general links:

• http://directory.google.com/Top/Computers/Security/Authentication/ - some good sites
• http://library.smc.edu/rpa.htm - huge set of articles on many types of authentication, including NTLM, SMB, Kerberos, LDAP, etc.