Intranet website authentication using windows logon - windows

I'm building an internal website in Perl and I would like to get it to use Windows credentials for authentication. My research so far has turned up a lot of keywords: Kerberos, LDAP, NTLM, etc, but no solid information. Anyone got pointers or good tutorials?
Thanks.

Are your servers part of a Microsoft Active Directory?
Active Directory is LDAP-compliant. Therefore, you can set up LDAP to authenticate your users.
Are you using Apache? If so, there is a module that allows you to authenticate to an Active Directory directory: mod_auth_sspi.
Finally, Microsoft has created Active Directory Service Interfaces (ADSI) to solve these types of problems. There is a lot of information at MSDN. For example, this is how the open-source Hudson CI server authenticates to Active Directory.
I hope one of these suggestions helps you.

We've been using Mod NTLM for Apache. It fetches the Windows credentials of the user logged in. But you're probably not interested in the SSO?
http://modntlm.sourceforge.net/

I've been looking into this topic myself. I'm still not sure what the right answer is because the topic is out of my domain of knowledge & experience. But here are some possibilities that I've come up with by searching the Internet:
An Apache LDAP module: http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html
A Perl Module for Apache LDAP authentication: Apache2::AuthNetLDAP
NT authentication using an Apache Perl Module: Apache2::AuthenSmb
Using NIS for Apache user authentication: http://www.yolinux.com/TUTORIALS/LinuxTutorialApacheAddingLoginSiteProtection.html#NIS
An article describing ActiveDirectory authentication using Apache: http://www.le.ac.uk/cc/sh23/adldap.html
An open source ActiveDirectory solution from a business: http://www.likewise.com/

For Tomcat on Windows you can use Waffle, both SSO and form-based/basic/digest auth.

Related

ADFS on premises with Laravel and generation of Metafile

I have a requirement to configure ADFS on premises with a Laravel application. At first I understood that it may be ADFS Azure, but we had clarification that they don't need it with ADFS Azure but with ADFS on premises. ADFS on premises is new to me; I don't have any idea how it can be used with Laravel.
As part of the requirement they told me I need to generate some meta file. I am using https://github.com/aacotroneo/laravel-saml2; it has a route to generate the metafile, but I don't understand if that will do the work.
After some searching I found a blog, https://adsy2010.blogspot.com/2018/04/laravel-simplesaml-with-adfs-setup.html, which explains the same.
But I didn't understand from where we can use the ADFS console.
Any help on this would be appreciated.
Thanks in advance
Open Server Manager on the computer that is running AD FS.
Choose AD FS
Tools
AD FS Management
or just search for "Active Directory Federation Services" in the Windows search panel.

Setup authorizers.xml for secured Nifi server

I am trying to set up simple HTTPS security using certificates for my Nifi server. I am able to set up the secure connection by setting
nifi.security.keystore=.../nifiuser.jks and installing certificates etc.
When I access through the Web UI, I get:
No applicable policies could be found. Contact the system administrator.
I think I need to configure "authorizers.xml" but I don't know how. I just want "nifiuser" to have all admin rights.
Please help! Thank you
There are a lot of docs and posts that describe how to do this:
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#authorizer-configuration
https://bryanbende.com/development/2018/10/23/apache-nifi-secure-cluster-setup
https://pierrevillard.com/2016/11/29/apache-nifi-1-1-0-secured-cluster-setup/

Azure and IIS Windows Auth

I would appreciate any help that can be offered. I would like to achieve the following in Azure and having tried various tutorials using lots of different configurations I am still unable to achieve what seems quite simple.
I would like to set the default IIS homepage on an Azure VM to use Windows Authentication. I would like to Add a user or group from my local on-premise Active Directory, which is linked to an Azure Active Directory using 'Azure AD Connect'. Finally I would like to login to a client machine on my local on-premise Active Directory, and be able to browse to the Azure VM IIS default homepage without having to enter a username and password, as I am already authenticated having logged into the local Active Directory.
I am happy to try various setups and scenarios, so if you can help please shout up.
Thanks
Andy

Auto sign on with Windows Authentication

I am having a lot of problems, misinformation and confusion when attempting to find out the plausibility and viability of attempting this.
The requirement is for a remote client, accessing our website to be auto signed in with their Active Directory User account.
We have the option to set up a WCF service (or something similar) on their remote server for authentication purposes, which from my little understanding is how this problem will be tackled.
So, my question after a little background is this.
CAN this be done, and HOW can it be done?
Instead of hosting a WCF service on their domain, I would look into installing ADFS on their domain.
You can change your website to accept security tokens from ADFS using the WS-Federation protocol. You can use classes from the System.IdentityModel namespace for that. An example of how to implement this in ASP.NET can be found here.
An alternative would be to use Azure Active Directory as your identity provider and have your client sync accounts to their AAD directory (or federate between AAD and ADFS). An example can be found here.

Login without username and password from the web browser on Windows

I heard that on Windows you can login from a web browser to the web server without going through the usual login entering username and password but using instead the credentials from Windows directly, using the NTLM protocol.
How is this achieved? Does the web server need to support some additional authentication?
Update: I'm asking for a generic web server, not just IIS. How to do that on Apache for instance?
The webserver just needs to be configured to support Windows authentication (which will be NTLM, or - better - Kerberos if both client and server are W2K or later). I believe that IIS or Apache can be configured to do that.
The browser also has to support this - at least IE does so (not sure about the others, it may be possible). Edit: looks like Firefox has some support for this too, and Safari on MacOS.
edit: for details on apache, google modules for NTLM authentication. Kerberos modules also exist. as per other answers, this really only works on an Intranet - not just because the browser needs to be in an Intranet zone (only applies to IE), but because any intervening firewall will typically stop this working, and because the necessary interdomain trusts will probably not exist. It's also a bit trickier to make work if the apache server is on UNIX, and especially if you also have Kerberos servers on UNIX in the mix, but still possible.
It will only be seamless in a specific situation; namely the webserver needs to support NTLM (for example, IIS), and it needs to be in a zone that the client is configured to trust (the "Intranet Zone" in IE parlance, unless the end user has tweaked their settings).
If your webserver and client PCs are on a network secured by Active Directory or similar, you can set 'Windows Integrated Security' in IIS on the web server for the website, which automatically logs in all IE clients (that are allowed).
As stated previously, NTLM is typically used if your back end is Windows Managed (MS Active Directory). However, there are also modules available for Apache that will tie into this: mod_ntlm.
Since this is its own protocol, it is required that the browser is able to understand this protocol and reply to the authentication challenges. I don't know which browsers support this offhand, but my assumption would be that most do.
From my experience, Kerberos is more of a preferred method, but I have not worked with it much, so unfortunately, I don't have much advice as far as that goes.
On a side note, I recall reading somewhere that the JRE also has ways of tying into NTLM on your web server in order to obtain identity information for the authenticated user. As stated previously, .NET has support for this as well.
Also, Firefox does not support NTLM by default but it can be configured using the following tut: http://www.crossedconnections.org/w/?p=89
If you set the IIS settings to require authentication then your users will need to log in to access the page. They then have any rights (if not an interface) to anything on that server that they would if they logged in the normal way (from the console).
Other than this, I am not sure what you are referring to.
Yes, this is possible. It is often used in intranet applications where users are. Windows uses NTLM or Kerberos to authorize the user against a central service, typically Active Directory on the Windows platform. On the .NET platform the current user information can be accessed through the System.Threading.Thread.CurrentPrincipal.Identity instance.
You might also want to look into Jespa. It seems a little bit more straightforward than Kerberos but provides good NTLM SSO capabilities.
I was looking for more information about Kerberos (because NTLM, even v2, became deprecated with AD 2008), and I found this article, explaining how to make it work with Apache (as you mentioned it).
http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/
This question is probably outdated (or at least solved), but if it can help someone ...
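As an added example, not part of any of the posts above: the challenge/response the answers describe travels in the `WWW-Authenticate` and `Authorization` headers, and the base64 token shows whether a client really used Kerberos or fell back to NTLM. The function names, client names and sample tokens below are constructed for illustration.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2

def classify(header_value):
    """Classify a WWW-Authenticate / Authorization value as (scheme, mechanism)."""
    scheme, _, token = header_value.strip().partition(" ")
    scheme, token = scheme.lower(), token.strip()
    if scheme not in ("ntlm", "negotiate"):
        return scheme, "unknown"
    if not token:
        return scheme, "offer"                    # bare 401 challenge from the server
    try:
        blob = base64.b64decode(token, validate=True)
    except ValueError:                            # binascii.Error is a ValueError
        return scheme, "malformed"
    if blob.startswith(NTLM_SIG):
        if len(blob) < 12:
            return scheme, "malformed"
        (msg_type,) = struct.unpack_from("<I", blob, 8)   # little-endian type field
        return scheme, "ntlm-" + NTLM_TYPES.get(msg_type, "unknown")
    if blob[:1] == b"\x60":                       # ASN.1 tag of a GSS-API initial token
        if KRB5_OID in blob:
            return scheme, "kerberos"
        if SPNEGO_OID in blob:
            return scheme, "spnego"
    return scheme, "unknown"

def ntlm_fallbacks(requests):
    """Clients that answered a Negotiate offer with NTLM rather than Kerberos."""
    return [c for c, v in requests
            if classify(v)[0] == "negotiate" and classify(v)[1].startswith("ntlm-")]

def b64(raw):
    return base64.b64encode(raw).decode("ascii")

# Constructed sample tokens: headers only, no real hashes or tickets.
NTLM_T1 = b64(NTLM_SIG + struct.pack("<II", 1, 0x00088207))
NTLM_T2 = b64(NTLM_SIG + struct.pack("<I", 2) + bytes(44))
KRB_INIT = b64(bytes.fromhex("601b0606") + SPNEGO_OID
               + bytes.fromhex("a011300fa00d300b0609") + KRB5_OID)
REQUESTS = [("pc-01", "Negotiate " + KRB_INIT),
            ("pc-02", "Negotiate " + NTLM_T1),
            ("pc-03", "NTLM " + NTLM_T1)]

if __name__ == "__main__":
    print("NTLM fallback on Negotiate:", ntlm_fallbacks(REQUESTS))
```

Run over the `Authorization` values in web server logs, the same check shows which intranet clients still authenticate with NTLM on a site that offers `Negotiate`.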
