IIS 7.5 + LDAP + SSO Windows Authentication -Active Directo

All about webserver configurations, PHP and databases.

Moderator: Thorsten

JonM
Posts: 6
Joined: Fri Nov 01, 2013 1:12 pm

IIS 7.5 + LDAP + SSO Windows Authentication -Active Directo

Post by JonM »

Hi Guys

I'm having some very odd issues with phpMyFAQ Ver 2.8.7 and AD Authenticiaion

I've setup the system to use LDAP ( Active Directory) and with just this on, ( with $PMF_LDAP['ldap_use_domain_prefix'] = false; I can login with any AD account just fine, and the system creates the user in the database so I can increase the access rights as required.

I have set the config to Complete secured FAQ so only authorised users can login, but this doesn't make any effect to the issues below, I can leave it on or off and get the same issue.

I've also setup SSO via windows Authentication, which is were the system starts behaving in an odd way.

If I log in with a user that has already logged in via LDAP ( eg my primary AD Login) and is a user within phpMyFAQ then system signs me in correctly, with my AD username etc, so the system looks like its working perfectly.

But when a new user access's the page, it lets them access the system but the UserContolPanel shows blank info, and the user doesn't get added to the Users list. The system shows the logins as Guests

I've created a phpinfo file and the Server"Login_User" is passing the domain\samAccountName to PHP.

I've tried adjusting the LDAP settings to either include or exclude ['ldap_use_domain_prefix'] = false; but this also makes no difference.

If I can get this working it will solve a huge range of issues, but I need it to use AD SSO to be any use to end users and back end staff, as we need to track who puts in what requests, which without both LDAP and SSO working I can not do.

Any suggestions of what to look at would be appreciated.

Regards

Jon
JonM
Posts: 6
Joined: Fri Nov 01, 2013 1:12 pm

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Post by JonM »

Is anyone else having this issue

When I turn on DEBUG i get

phpMyFAQ warning [2]: in_array() expects parameter 2 to be array, boolean given in C:\inetpub\wwwroot\itservices\index.php on line 158

whenever I log in a new user.

Appreciate any help/pointers given

Regards

Jon
Thorsten
Posts: 15560
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq
Contact:

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Post by Thorsten »

Hi,

your SSO info is in $_SERVER['Login_User']? We check the value REQUEST_USER, maybe that's the issue.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist
JonM
Posts: 6
Joined: Fri Nov 01, 2013 1:12 pm

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Post by JonM »

Hi Thorsten

I've looked in the phpinfo.php ( which I've just created) and I have the following values

_SERVER["REMOTE_USER"] AD\Jon
_SERVER["LOGON_USER"] AD\Jon
_SERVER["AUTH_USER"] AD\Jon

Where Jon is my AD User and AD is my domain name.

I can't see REQUEST_USER within the phpinfo, so am unsure as to what I should be looking at.

Regards

Jon
Thorsten
Posts: 15560
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq
Contact:

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Post by Thorsten »

Hi,

sorry, we use REMOTE_USER and your username should work:

https://github.com/thorsten/phpMyFAQ/bl ... so.php#L85

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist
jprokop
Posts: 1
Joined: Sat Mar 08, 2014 11:46 am

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Post by jprokop »

The exactly same behavior.

My configuration:

LAMP server linux, apache configured to authenticate against AD (Kerberos) and working

logged user is in REMOTE_USER in form user@DOMAIN.COM

for sso was a small hack necessary:

in inc/PMF/User/ CurrentUser.php:

Code: Select all

 public function login($login, $password)
    {
        $optData = array();
        if (isset($this->_ldapConfig['ldap_use_domain_prefix'])) {
            if (($pos = strpos($login, '\\')) !== false) {
                if ($pos !== 0) {
                    $optData['domain'] = substr($login, 0, $pos);
                }

                $login = substr($login, $pos + 1);
            }
        }
        //hack for format user@DOMAIN.COM
         if (($pos = strpos($login, '@')) !== false) {
                if ($pos !== 0) {
                    $login = substr($login, 0, $pos);
                }
         }
....
is the function adduser in sso active?
Sorry, I'm not a php coder...

regards
jan
Thorsten
Posts: 15560
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq
Contact:

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Post by Thorsten »

Hi,

thanks for the hint, I'll fixed that part of the code with 2.8.8!

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist
JonM
Posts: 6
Joined: Fri Nov 01, 2013 1:12 pm

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Post by JonM »

Hi guys

I see you have added these changes into the latest version, I still can't get it working and think I might be missing something obvious

I can:
Get LDAP Working successfully - I'm able to log in with any AD user via ldap, it creates the user in the faquser table.
Turn on SSO, so the Authentication by NTLM is working.

Where I'm having issues is

If a new user who has never logged in via LDAP accesses the site, it allows access to the site, but doesn't correctly create the user an account. ( See attached Image1), it just gets into an odd situation.
image1.png
If I log in with an account that was previously created by signing in with LDAP, the the system picks up the username and email details etc.(See attached Image2)
image2.png
I've tried various different LDAP Settings within the constants_ldap.php

Changing ldap_use_domain_prefix as True, and as false, but the system still doesn't pickup the details from SSO, then LDAP.

I've tried using a Complete secured FAQ, but this makes no difference.

Maybe I'm expecting to much, but it would seem logical to me that if you wanted to use SSO within an corporate environment then using LDAP as well to populate the details would be sensible.

I've included a screenshot of phpinfo that I created within the FAQ directory, which shows the AD user details are being passed to PHP. ( i've edited some details out,) See attached Image3
image3.png
I hope someone can enlighten me to where i'm going wrong.

Thanks

Jon
You do not have the required permissions to view the files attached to this post.
Thorsten
Posts: 15560
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq
Contact:

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Post by Thorsten »

Hi,

can you send me an backup of your database to analyse your data?

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist
linkazoid2
Posts: 10
Joined: Mon Jun 23, 2014 8:37 am

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Post by linkazoid2 »

Hi,

I have the same issue. My login details are passed to the phpinfo but when attempting to login it is blank.

I will PM you a link to my database export.

Thanks,

Michael
nawiiwan
Posts: 9
Joined: Sun Jul 13, 2014 8:36 am

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Post by nawiiwan »

Hi,
I have the same issue, I mean:
-LDAP (Active Directory) is working fine,
-SSO (on IIS) is working fine.

I instal phpMyFAQ is phpmyfaq-2.8.11.zip

What I found?
Theare are two situations:
-User exisits in PMF database then after login using SSO username is visible.
-User doesn't exists in PMF database then username is blank, user is not created in the PMF database.

When LDAP is enabled and SSO is disabled then we need to provide username and password. This pair is chacked in the LDAP (Active Directory) in function checkPassword (inc/PMF/Auth/Ldap.php). If username and password are valid - no error for (inc/PMF/Auth/Ldap.php, lines 201-207):

Code: Select all

        $this->ldap->connect(
            $this->_ldapConfig['ldap_server'],
            $this->_ldapConfig['ldap_port'],
            $this->_ldapConfig['ldap_base'],
            $bindLogin,
            $pass
        );
then program add/update this username in local PMF database.

Code: Select all

            $this->add($login, $pass);
If SSO is enabled then program reads username and sets password to empty string (index.php, lines 93-94):

Code: Select all

    $faqusername = trim($_SERVER['REMOTE_USER']);
    $faqpassword = '';
Empty password in checkPassword in inc/PMF/Auth/Ldap.php returns "false" then user data cannot be created ($this->add($login, $pass); is not run).


Workaround/solution
set faqpassword in index.php, line 94 to "complicated string", ex:

Code: Select all

    $faqpassword = 'sso_enabled_dfjgklhsdlfkghfguuiowreuserdsfajkchfreounrynrc4u3578cnq3cytr8q473tfcqg678mnfg6c473fh84c3hnrf69aq238r';
change function checkPassowrd, inc/PMF/Auth/Ldap.php

Code: Select all

	public function checkPassword($login, $pass, Array $optionalData = null)
	{
		if ('' === trim($pass)) {
			$this->errors[] = PMF_User::ERROR_USER_INCORRECT_PASSWORD;
			return false;
		}

		if ('sso_enabled_dfjgklhsdlfkghfguuiowreuserdsfajkchfreounrynrc4u3578cnq3cytr8q473tfcqg678mnfg6c473fh84c3hnrf69aq238r' === trim($pass)) { // SSO is enabled
			$this->ldap = new PMF_Ldap($this->_config);
			$this->ldap->connect(
				$this->_ldapConfig['ldap_server'],
				$this->_ldapConfig['ldap_port'],
				$this->_ldapConfig['ldap_base'],
				$this->_ldapConfig['ldap_user'],
				$this->_ldapConfig['ldap_password']
			);
		} else { // SSO is disabled
			$bindLogin = $login;
			if ($this->_ldapConfig['ldap_use_domain_prefix']) {
				if (array_key_exists('domain', $optionalData)) {
					$bindLogin = $optionalData['domain'] . '\\' . $login;
				}
			} else {
				$this->ldap = new PMF_Ldap($this->_config);
				$this->ldap->connect(
					$this->_ldapConfig['ldap_server'],
					$this->_ldapConfig['ldap_port'],
					$this->_ldapConfig['ldap_base'],
					$this->_ldapConfig['ldap_user'],
					$this->_ldapConfig['ldap_password']
				);
				if ($this->ldap->error) {
					$this->errors[] = $this->ldap->error;
				}
				
				$bindLogin = $this->ldap->getDn($login);
			}

			// Check user in LDAP
			$this->ldap = new PMF_Ldap($this->_config);
			$this->ldap->connect(
				$this->_ldapConfig['ldap_server'],
				$this->_ldapConfig['ldap_port'],
				$this->_ldapConfig['ldap_base'],
				$bindLogin,
				$pass
			);
		}
			
		if ($this->ldap->error) {
			$this->errors[] = $this->ldap->error;
			return false;
		} else {
			$this->add($login, $pass);
			return true;
		}
	}
Is it possible to apply such a behaviour in future versions of phpMyFAQ?

Regards,
Maciej
Thorsten
Posts: 15560
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq
Contact:

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Post by Thorsten »

Hi,

sure, I can add this to 2.8.12. Does this "patch" work for you?

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist
nawiiwan
Posts: 9
Joined: Sun Jul 13, 2014 8:36 am

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Post by nawiiwan »

Hi,
I did it on test server last week, and today modified a little bit. It looks that it is working fine.

I plan to implement on the pro server in next days and test it deeper in next 2-4 weeks.

Regards,
Maciej
Thorsten
Posts: 15560
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq
Contact:

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Post by Thorsten »

Hi,

okay, would be fine, if you can give feedback, then I'll add it to 2.8.12

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist
nawiiwan
Posts: 9
Joined: Sun Jul 13, 2014 8:36 am

Re: IIS 7.5 + LDAP + SSO Windows Authentication -Active Dire

Post by nawiiwan »

Hi,
thank you!

I will give you a feedback in next days/weeks


Please let me know, is it possible to read $faqConfig->get('security.ssoSupport') in inc/PMF/Auth/Ldap.php to check SSO enabled in this way:

Code: Select all

if ($faqConfig->get('security.ssoSupport') && isset($_SERVER['REMOTE_USER'])) {
instead of my workaround

Code: Select all

if ('sso_enabled_dfjgklhsdlfkghfguuiowreuserdsfajkchfreounrynrc4u3578cnq3cytr8q473tfcqg678mnfg6c473fh84c3hnrf69aq238r' === trim($pass)) { // SSO is enabled
I tried this but it looks that it didn't work.

Regards,
Maciej
Post Reply