Single Sign On with Active Directory

by John Fugazi last modified Mar 16, 2010 07:23 PM
This how-to shows how to install Plone on a fresh Debian 5 system so that it authenticates against Active Directory for single sign-on (SSO), using either Kerberos or mod_ntlm2 as the authentication mechanism. The site is an intranet with apache2 in front of Plone over SSL.

Purpose

Create an intranet for employees. It should use SSO so that employees do not have to enter their password more than once. Authentication is against a Windows 2003 Active Directory.

Scenario

Windows 2003 Active Directory. The DC has the IP address 192.168.1.1 and the name dc.domain.com. The Plone/Apache server has the IP address 192.168.1.5 and the name web.domain.com. I cover SSO with both mod_ntlm2 and Kerberos; I personally use Kerberos. Choose whichever authentication method suits you, but not both.

Web Server

  • Install Apache2 either with "apt-get" or "Synaptic Manager".

  • Open a terminal, type:

sudo a2enmod proxy_http
sudo a2enmod rewrite
sudo a2enmod headers
  • Create an A record and a PTR (pointer) record for web.domain.com on your DC (DNS server). The Kerberos service principal you create later (HTTP/web.domain.com) must match this name exactly.

Creating Self-sign Certificate (SSL)

  • Open a terminal and type:

sudo mkdir /etc/apache2/ssl
cd /etc/apache2/ssl
sudo a2enmod ssl
sudo openssl genrsa -out site.key 2048
sudo openssl req -new -key site.key -out site.csr
  • When prompted, fill in the appropriate information. The key is generated with 2048 bits here; the original how-to used 1024, which has been below the accepted minimum for years. When asked for the "Common Name", use the host name exactly as users will type it in the browser: in this scenario the site is reached as https://web.domain.com, so "web.domain.com". The original text used the short name "web", which only matches if users browse to https://web/; any mismatch between the name in the URL and the Common Name produces a certificate warning in every browser.

sudo openssl x509 -req -days 60 -in site.csr -signkey site.key -out site.crt

Plone

  • Download and install the Plone UnifiedInstaller. I installed using the basic standalone install. Here is a how-to for installing the Unified Installer: http://plone.org/documentation/tutorial/installing-plone-3-with-the-unified-installer/tutorial-all-pages. You can also read the "Readme.txt" after you extract the archive; it lists further libraries/utilities you will need for Plone.

  • Here is a quick list of the libraries and utilities you need: libssl, libssl-dev, zlib, zlib1g-dev, libjpeg, libjpeg62-dev, readline, libreadline5-dev, readline-common, libxml2, libxml2-dev, wv, xpdf.

  • Use “sudo apt-get install build-essential” at a terminal. This will install gcc, g++, etc.

  • Open Nautilus as root and navigate to "/usr/local/Plone/zinstance". Edit "buildout.cfg" and add these lines under "eggs" and "zcml":
     

eggs = 
    ...
    Products.PloneLDAP
    Products.WebServerAuth

zcml =
    ...
    Products.PloneLDAP
  • To get LDAP working, install the following development packages before running buildout (python-ldap is compiled during the buildout and needs them): libldap2-dev, libdb-dev, libsasl2-dev

  • Open a terminal and type:

cd /usr/local/Plone/zinstance
sudo ./bin/buildout -n
sudo ./bin/plonectl fg
  • To install WebServerAuth, go to your Plone site (http://localhost:8080/Plone). Install WebServerAuth in the “Site Setup”.

  • Go to your ZMI and navigate to "/Plone/acl_users/web_server_auth".  Uncheck "Email-like domains" and add a checkmark to "Windows domains"
  • In your ZMI, navigate to "/Plone/acl_users"  Select “Plone Active Directory Plugin” on the dropdown list and click “Add”.

  • Set your settings according to the AD plugin configuration image (AD_SSO.gif, not reproduced in this text).

  • You do not have to use "administrator" for the bind account. Any account that can read your AD will do, and a dedicated read-only account is the better choice, because the plugin stores that account's password.

  • You will be sent back to "acl_users" again. Select the AD plugin by the name you gave it ("AD_SSO"). On the functionality page, tick every box (you can untick the ones you don't need later), then click the "Update" button.

The rest of the LDAP config and mapping is from http://www.cynapse.com/community/home/cyn.in-users/microsoft-active-directory-services-integration.

Attributes are case-sensitive.
  • Across the top of the page, you should see several tabs. Click the “Properties” tab. Change “groupid_attr” from “objectGUID” to “sAMAccountName” and then save changes.

  • Across the top, click the "Contents" tab. There should be only one object there; click "acl_users". Change "User Object Class" from "pilotPerson,uidObject" to "organizationalPerson", then click "Apply Changes".

  • Across the top, click the “Users” tab and do a quick search. You should see your users.

Schema Mapping

  • In ZMI, go to "/Plone/acl_users/AD_SSO/acl_users". Click on the "LDAP Schema" tab across the top. At the bottom of the page there is a section called "Add LDAP schema item". Add the two mappings shown in the image (not reproduced in this text): one for "email" and one for "Full Name". Attribute names are case-sensitive, so enter the AD attribute exactly as an LDAP browser shows it.

  • After adding the two mappings, go to "/Plone/acl_users" in your ZMI.  On this page, click "plugins".  Then click the "Properties Plugins".  Move the "AD_SSO" to the top of the "Active Plugins".
  • Go to your Plone site, click "Site Setup" (upper right-hand corner) and then click "Users and Groups".
  • Click the "Show all" button.  You should see a list of all your AD users with their full name and email address.
  • You can map additional schemas by using a LDAP browser and matching values with the "portal_memberdata" located in your ZMI at "/Plone/portal_memberdata" under the "Properties" tab.
  • Don't forget to clear the cache after adding new mapping.  Located in ZMI "/Plone/acl_users/AD_SSO/acl_users" under "Caches" tab.

Kerberos Authentication

Synchronize the time between the web server and the DC

  • Install openntpd

sudo apt-get install openntpd
  • Configure openntpd (using gedit here, you can use any text editor)

sudo gedit /etc/openntpd/ntpd.conf
  • comment out everything and insert the following:

server dc.domain.com
  • Restart service

sudo /etc/init.d/openntpd restart
  • Check the log to make sure everything is ok; it is written to "/var/log/syslog". Kerberos rejects requests when the clocks differ by more than the permitted skew (five minutes by default), so this step is not optional.

Likewise-open

  • Open a web browser and navigate to http://www.likewise.com/

  • Register and download likewise-open

  • After you have downloaded the installer file for Debian, make it executable: right-click it, open the "Permissions" tab and tick "Allow executing file as program" (or run chmod +x on it from a terminal).

  • Open a terminal and run the installer with sudo.

  • When installation is finished, join the domain from the terminal (any account allowed to join computers to the domain can be used in place of Administrator):

sudo /opt/likewise/bin/domainjoin-cli join domain.com Administrator
  • "SUCCESS" is the right answer. Restart the computer. You should then be able to log off and log on with an Active Directory account, with the username in the form "domain\username".

Apache2 with Likewise-open (kerberos)

  • With both Apache2 and Likewise-open installed, we will first get a quick single sign-on going against a plain directory, before putting Plone behind it.

  • Use Nautilus as root. To do this, go to "Applications" -> "System Tools", right-click "File Browser" and select "Add this launcher to panel". Now right-click the "File Browser" icon on your panel and select "Properties". In the "command" textbox enter this:

gksu "nautilus --no-desktop --browser"
  • When you open Nautilus as root, navigate to "/etc/apache2". Edit "httpd.conf" by double-clicking. This file should be blank; insert the following and save:

LoadModule auth_kerb_module /opt/likewise/apache/2.2/mod_auth_kerb.so
  • With Nautilus again, navigate to "/etc/apache2/sites-available". Edit "default" (make a backup if you like), clear all entries and input the following. KrbVerifyKDC Off skips checking the KDC's service ticket against the keytab; leave it Off only while testing, because with KrbMethodK5Passwd On a password login could otherwise be accepted from a spoofed KDC:

<VirtualHost *:80>

DocumentRoot /var/www
LogLevel debug

<Directory /var/www>
	AuthType Kerberos
	AuthName "Kerberos_Login"
	KrbMethodNegotiate On
	KrbMethodK5Passwd On
	KrbVerifyKDC Off
	KrbAuthRealms DOMAIN.COM
	Krb5Keytab /etc/apache2/krb5.keytab

	Require valid-user
</Directory>

</VirtualHost>
  • Go to your DC and create a new user with "http" as the username. Give it a password; this how-to uses "krbpassword", but use a long random one, because the key in the keytab is derived from it and the password is therefore as sensitive as the keytab. Set the password to never expire: changing it later invalidates the keytab.

  • At a command prompt on the DC, type the following. ktpass maps the service principal name HTTP/web.domain.com to the http account and sets that account's password to the value given with /pass, so the keytab it writes contains the account's long-term key:

ktpass -out c:\keytabfile /princ HTTP/web.domain.com@DOMAIN.COM /pass krbpassword -mapOp set /ptype KRB5_NT_PRINCIPAL /mapUser http
  • Transfer the newly created file, “keytabfile”, to the web.domain.com server (Plone). I transferred this file to the desktop (“/home/username/Desktop”).

  • Open a terminal, start ktutil and enter the commands below (rkt reads a keytab into ktutil's list, wkt writes the combined list out):

sudo /opt/likewise/bin/ktutil
rkt /home/username/Desktop/keytabfile
rkt /etc/krb5.keytab
wkt /etc/apache2/krb5.keytab
quit
  • Change the permissions so that only the apache2 service user (www-data) can read krb5.keytab. Note that the merge above also copies the machine-account entries from /etc/krb5.keytab into the Apache keytab; mod_auth_kerb needs only the HTTP/web.domain.com entry, so leaving out the second rkt line keeps the computer account's keys out of the web server's reach.

sudo chown www-data:www-data /etc/apache2/krb5.keytab
sudo chmod 400 /etc/apache2/krb5.keytab
  • Debian uses an older libcom_err, so apache2 will fail with an error message when restarted. To fix this, edit the apache2 startup script. Open a terminal and type:
sudo gedit /etc/init.d/apache2
  • Insert "LD_LIBRARY_PATH=/opt/likewise/lib" into the ENV line (line 14 in the Debian 5 script). The whole line should look like this:
ENV="env -i LANG=C PATH=/usr/local/bin:/usr/bin:/bin LD_LIBRARY_PATH=/opt/likewise/lib"
  • Restart apache2

sudo /etc/init.d/apache2 restart
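The ktutil merge above copies every entry of both keytabs into /etc/apache2/krb5.keytab, and a keytab is a credential file, so it is worth knowing exactly which principals it ends up holding. The following Python script is an added example written for this page; it is not part of the how-to, of Likewise or of MIT Kerberos. It builds a small keytab in the MIT file format in memory, mirroring what ktutil writes when the ktpass output for HTTP/web.domain.com and the machine keytab are merged, parses it back, and reports whether the service key is present and which other principals came along. The machine-account names (WEB$ and host/web.domain.com) and the keys are constructed sample data; on the real server you would feed it the bytes of /etc/apache2/krb5.keytab instead, and klist -k -e shows the same principal list without any code.

```python
"""Inspect an MIT-format Kerberos keytab and audit what Apache ends up holding.
Added example for this page, not code from the how-to, Likewise or MIT Kerberos;
it writes the byte layout ktutil's wkt produces, so it also reads a real keytab.
The samples are built in memory from constructed names and random placeholder keys."""
import os
import struct
from dataclasses import dataclass
from typing import Dict, List

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format, version 2
KRB5_NT_PRINCIPAL = 1        # name type written by ktpass /ptype KRB5_NT_PRINCIPAL
ETYPE_ARCFOUR_HMAC = 23      # RC4-HMAC, the default for a Windows 2003 DC
ETYPE_AES256_CTS = 18

@dataclass
class KeytabEntry:
    principal: str   # e.g. "HTTP/web.domain.com@DOMAIN.COM"
    kvno: int        # key version, bumped whenever the account password changes
    enctype: int
    key: bytes       # the long-term key, which is why the file needs mode 0400

def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b

def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries in the MIT keytab layout (what ktutil's wkt writes)."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))   # count excludes the realm
        body += _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name type, timestamp, 8-bit vno; the 32-bit vno appended last wins if non-zero
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body         # entries are length-prefixed
    return bytes(out)

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # a negative length marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c)
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, pos)
        etype, klen = struct.unpack_from(">HH", data, pos + 9)
        key = data[pos + 13:pos + 13 + klen]
        pos += 13 + klen
        kvno = vno8
        if end - pos >= 4:            # newer layout: full 32-bit key version follows
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, etype, key))
    return entries

def audit_apache_keytab(data: bytes, service_principal: str) -> Dict:
    """mod_auth_kerb needs only the HTTP/<fqdn> entry; report everything else."""
    entries = parse_keytab(data)
    wanted = [e for e in entries if e.principal == service_principal]
    return {"has_service_key": bool(wanted),
            "kvnos": sorted({e.kvno for e in wanted}),
            "extra_principals": sorted({e.principal for e in entries
                                        if e.principal != service_principal})}

SERVICE = "HTTP/web.domain.com@DOMAIN.COM"
# Constructed samples: the ktpass file alone, and that file merged with the Likewise
# machine keytab (WEB$ and host/ entries) as the ktutil step on this page does.
SAMPLE_HTTP_ONLY = build_keytab([KeytabEntry(SERVICE, 3, ETYPE_ARCFOUR_HMAC, os.urandom(16))])
SAMPLE_MERGED = build_keytab([
    KeytabEntry(SERVICE, 3, ETYPE_ARCFOUR_HMAC, os.urandom(16)),
    KeytabEntry("WEB$@DOMAIN.COM", 2, ETYPE_ARCFOUR_HMAC, os.urandom(16)),
    KeytabEntry("host/web.domain.com@DOMAIN.COM", 2, ETYPE_AES256_CTS, os.urandom(32)),
])

if __name__ == "__main__":
    print(audit_apache_keytab(SAMPLE_MERGED, SERVICE))
```

To audit the real file, call audit_apache_keytab(open("/etc/apache2/krb5.keytab", "rb").read(), SERVICE) as root. A non-empty extra_principals list means the web server process holds keys it does not need; rebuild the keytab from the ktpass file alone in that case. The kvnos list is also useful after a password change on the http account: if it no longer matches the version the DC issues tickets with, Negotiate fails and ktpass has to be run again.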

Apache2 and Plone with Kerberos Authentication

  • Using Nautilus as root, navigate to "/etc/apache2/sites-available" and edit "default", clearing it out and adding the configuration below. Apache performs the Kerberos handshake and then forwards the authenticated name to Zope in the X_REMOTE_USER request header, which WebServerAuth trusts without further checks. Zope must therefore be reachable only through Apache: set http-address = 127.0.0.1:8080 (instead of the default 8080) in the instance section of buildout.cfg so that it listens on loopback only, and do not expose port 8080 on the LAN, because anything that can connect to it directly can log in as any user by supplying that header itself:

NameVirtualHost 192.168.1.5:443

<VirtualHost 192.168.1.5:443>

# Apache does the Negotiate (SPNEGO) handshake for every URL; the verified
# name ends up in REMOTE_USER and is copied into the X_REMOTE_USER request
# header that WebServerAuth reads on the Plone side.
<Location />
	AuthType Kerberos
	AuthName "Kerberos_Login"
	KrbMethodNegotiate On
	KrbMethodK5Passwd On
	# Off is for initial testing only; set it On once the keytab is known to
	# work, otherwise the password fallback above is open to a spoofed KDC.
	KrbVerifyKDC Off
	KrbAuthRealms DOMAIN.COM
	Krb5Keytab /etc/apache2/krb5.keytab
	Require valid-user

	RequestHeader set X_REMOTE_USER %{remoteUser}e
</Location>

# Zope must only be reachable from this proxy (bind it to 127.0.0.1:8080).
<IfModule mod_proxy.c>
	<Proxy http://localhost:8080>
		Order deny,allow
		Deny from all
		Allow from all
	</Proxy>
</IfModule>

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/site.crt
SSLCertificateKeyFile /etc/apache2/ssl/site.key

<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteLog /var/log/apache2/rewrite.log
	RewriteLogLevel 3

	# LA-U looks ahead to the authenticated REMOTE_USER and stores it in the
	# remoteUser variable that the RequestHeader line above forwards to Zope.
	RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/https/%{SERVER_NAME}:443/Plone/VirtualHostRoot/$1 [L,P,E=remoteUser:%{LA-U:REMOTE_USER}]
</IfModule>

</VirtualHost>
  • Restart apache2 at a terminal

sudo /etc/init.d/apache2 restart
  • Open Nautilus as root, navigate to "/etc" and edit "krb5.conf": comment out the "reverse_mappings ....." line.

SSO should now be working with Kerberos. On a workstation in your AD, open a web browser and type "https://web.domain.com" in the URL bar.

mod_ntlm2 Authentication

Once again, I use Kerberos to authenticate. Also, I believe nobody is maintaining this module any more. If you plan to use this authentication, you can skip all of the Kerberos steps.
  • Install mod_ntlm2
  1. Go to this website: http://mywheel.net/blog/index.php/mod_ntlm2-on-apache-22x/ and install per its instructions. But before doing the third part (compiling), edit "mod_ntlm.c": find every instance of "r->proxyreq" and replace it with "r->proxyreq && 0". When this is done, proceed with the rest of the installation. (I found this information at http://www.gossamer-threads.com/lists/zope/users/197385 )

  • Edit the "default" file in "/etc/apache2/sites-available/" and insert the following. NTLMDomain, NTLMServer and NTLMBackup take NetBIOS names (the domain, the DC that answers NTLM requests and a backup DC). ServerSignature On appends the Apache version to error pages and is not needed for SSO; Off is the safer choice:

NameVirtualHost 192.168.1.5:443
<VirtualHost 192.168.1.5:443>

ServerSignature On

   <Location />
           NTLMAuth on
           NTLMAuthoritative on
           # NetBIOS names: the domain, the DC that answers NTLM requests
           # and a backup DC (dc.domain.com in this scenario)
           NTLMDomain domain
           NTLMServer AD-Server
           NTLMBackup AD-Backup
           # /tmp is world-writable; a directory that is not is the safer
           # place for the lock file
           NTLMLockfile /tmp/_mod_ntlm.lck
           Require valid-user
           AuthType NTLM
           Satisfy all
   </Location>

   <IfModule mod_proxy.c>
      <Proxy http://localhost:8080>
         Order deny,allow
         Deny from all
         Allow from all
      </Proxy>
   </IfModule>

   SSLEngine On
   SSLCertificateFile /etc/apache2/ssl/site.crt
   SSLCertificateKeyFile /etc/apache2/ssl/site.key

   <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteLog /var/log/apache2/rewritelog
      RewriteLogLevel 3
           # look ahead to the NTLM-authenticated REMOTE_USER and forward it to Zope
           RewriteCond %{LA-U:REMOTE_USER} (.+)
           RewriteRule .* - [E=RU:%1]

           RequestHeader set X_REMOTE_USER %{RU}e
      RewriteRule ^/(.*) \
         http://localhost:8080/VirtualHostBase/https/%{SERVER_NAME}:443/Plone/VirtualHostRoot/$1 [L,P]
   </IfModule>

</VirtualHost>
  • Restart apache2 at a terminal

sudo /etc/init.d/apache2 restart

SSO authentication with mod_ntlm2 should be working. On a workstation in your AD, open an internet browser and in the URL type “https://web.domain.com”. If you prefer to use “firefox”, follow these instructions to configure http://sivel.net/2007/05/firefox-ntlm-sso/.
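Both virtual host configurations above rely on the same trust relationship: Apache authenticates the browser, writes the resulting name into the X_REMOTE_USER request header, and Plone's WebServerAuth plugin logs in whoever the header names. The following Python code is an added example written for this page; it is not taken from Products.WebServerAuth, mod_auth_kerb, mod_ntlm2 or the how-to. It models the two things that keep that design safe. First, the header is honoured only when the request arrives from the reverse proxy itself, which is why Zope should listen on 127.0.0.1 only: a client that can reach port 8080 directly can otherwise send any X_REMOTE_USER it likes, and the plugin itself performs no such check. Second, the name is normalised the way the plugin's "Windows domains" and "Email-like domains" options do, so that DOMAIN\jdoe from mod_ntlm2 or jdoe@DOMAIN.COM from mod_auth_kerb (which appends the realm unless KrbLocalUserMapping On is set) becomes the bare sAMAccountName that the AD plugin knows. Refusing names from a foreign domain or realm and the character check on the result go beyond what the plugin does and are this example's own choices; the realm, domain and addresses are the ones from this page's scenario, and the request headers are constructed sample input.

```python
"""Trust boundary of the X_REMOTE_USER header behind an Apache SSO front end.
Added example for this page; not code from Products.WebServerAuth, the how-to,
mod_auth_kerb or mod_ntlm2. Realm, NetBIOS domain and addresses come from the
scenario on the page; every request below is constructed sample input."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Apache proxies to http://localhost:8080, so the only legitimate source of
# X_REMOTE_USER is the loopback address. (Assumption: Zope is bound to
# 127.0.0.1:8080; WebServerAuth itself does not check where a request came from.)
TRUSTED_PROXIES = [ip_network("127.0.0.1/32")]
NETBIOS_DOMAIN = "DOMAIN"      # what mod_ntlm2 prepends: DOMAIN\user
KERBEROS_REALM = "DOMAIN.COM"  # what mod_auth_kerb appends: user@DOMAIN.COM


def normalise_principal(raw: str, strip_windows_domain: bool = True,
                        strip_email_domain: bool = True) -> Optional[str]:
    """Reduce the name Apache verified to a bare sAMAccountName.

    The two flags mirror WebServerAuth's "Windows domains" and "Email-like
    domains" options. A prefix or realm that is not ours is rejected instead
    of stripped (this example's own choice), so a misconfigured front end
    cannot map OTHER\\jdoe onto our jdoe.
    """
    name = raw.strip()
    if strip_windows_domain and "\\" in name:
        domain, _, name = name.partition("\\")
        if domain.upper() != NETBIOS_DOMAIN:
            return None
    if strip_email_domain and "@" in name:
        name, _, realm = name.rpartition("@")
        if realm.upper() != KERBEROS_REALM:
            return None
    # sAMAccountName needs nothing outside this set; path separators, LDAP
    # filter characters and whitespace are refused rather than passed on.
    if not name or not all(c.isalnum() or c in "-._" for c in name):
        return None
    return name   # case is kept: the LDAP plugin's user ids are case-sensitive


def user_from_request(peer_ip: str, headers: Dict[str, str]) -> Optional[str]:
    """Return the user id the request may be logged in as, or None."""
    if not any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        return None   # bypassed Apache: the header is attacker-controlled
    raw = headers.get("X_REMOTE_USER")
    # mod_headers writes the literal "(null)" when the variable was never set,
    # i.e. authentication did not happen; that must not become a user name.
    if raw is None or raw == "(null)":
        return None
    return normalise_principal(raw)


# Constructed requests: what the proxy sends after Kerberos and after NTLM
# authentication, an attacker on the LAN talking to port 8080 directly, and an
# unauthenticated request that came through the proxy.
SAMPLE_REQUESTS: List[tuple] = [
    ("127.0.0.1", {"X_REMOTE_USER": "jdoe@DOMAIN.COM"}),
    ("127.0.0.1", {"X_REMOTE_USER": "DOMAIN\\jdoe"}),
    ("192.168.1.50", {"X_REMOTE_USER": "DOMAIN\\administrator"}),
    ("127.0.0.1", {"X_REMOTE_USER": "(null)"}),
]


def run_samples() -> List[Optional[str]]:
    return [user_from_request(ip, hdrs) for ip, hdrs in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (ip, hdrs), user in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{ip:14} {hdrs.get('X_REMOTE_USER')!r:30} -> {user!r}")
```

The third sample is the case the loopback binding exists to prevent: the same header that is perfectly trustworthy from 127.0.0.1 is a free login when it arrives from anywhere else. The fourth sample is the "(null)" value one reader reports in the comments when the proxy target was given as an IP address instead of localhost; it is what mod_headers emits when the rewrite never set the variable, and it is correctly treated as "not authenticated" rather than as a user named "(null)".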

 

Comments (20)

Jonathan Riboux Oct 21, 2008 08:18 AM
I had troubles to make it work, but that was my mistake.
I used the host IP instead of localhost in the proxy section and RewriteRule.
NTLM authentication on Apache2.2 worked well, but the REMOTE_USER var was empty (and X_REMOTE_USER was "(null)").
Changed to localhost, REMOTE_USER equals to the user name and the user gets successfully logged in Plone.

Many thanks for your how-to.
Josh Williams Feb 24, 2009 01:00 AM
I am having trouble with the username getting passed along. What exactly did you change?
You stated "Changed to localhost, REMOTE_USER equals to the user name and the user gets successfully logged in Plone."
Where is that change made?

Every time I go to the Plone site page it asks me for a username and password. I enter my credentials and it returns an Internal Server Error. I have double checked everything.

Thanks for your help
Jonathan Riboux Oct 21, 2008 08:22 AM
On Apache2.2, I had to replace the RewriteHeader directive by RequestHeader.
I don't know if it is a mistake in your how-to or a change in latest mod_headers.
John Fugazi Nov 19, 2008 07:03 PM
You're right. I made a typo. Thanks.
NicolaBi Feb 04, 2009 02:33 AM
With this tutorial it's impossible don't get it! Congratulations for the great work and the explanations!
Piotr L Feb 11, 2009 02:49 PM
Hi, I'm using python 2.5.2 on debian/lenny and having compile times errors and finally after:
sudo /opt/Plone3/project/bin/instance start
Traceback (most recent call last):
.....
NameError: name 'OverflowWarning' is not defined

And that is the end of story. Wrong python or what?
Regards
P.
John Fugazi Feb 11, 2009 04:13 PM
Zope/Plone uses Python 2.4. Download Debian 4.0 or use the UnifiedInstaller, which has the correct Python. There is a how-to somewhere that explains how to install with a different version of Python.
Piotr L Feb 16, 2009 11:56 AM
1)
On debian/testing it was possible to make buildout with python 2.4x, just a soft link from default 2.5 python to 2.4. Second, I have used standard debian packages (plone, zope and python) not the buildout and it worked very well after a few checkups about AD schema. Why have you chosen to use buildouts against debs?

2)
Lets say we are at the step in this tutorial, where we can see AD users, so just before 'Installing Apache2'. From this point the password from plone to AD controller goes in clear text? I doubt a bit, but there is no ssl working yet. Hm I assume from my web browser to plone server in clear text, from plone server to AD controller crypted.

3)
The big picture. Why use apache in front of plone?

Regards
Piotr
John Fugazi Feb 16, 2009 02:03 PM
1. It is fine to use the debs, but Plone and packages are easier to install with buildout; at least for me, the buildout configuration is easier. I should update this, because I use PloneLDAP in my buildout config. I don't download and move LDAPUserFolder or LDAPMultiPlugins any more; PloneLDAP has both packages already.
2. there is a way to connect plone to AD with SSL. i remember seeing this discussion in the forum (http://plone.org/support/forums#nabble-f293351).
3. Apache can authenticate with AD and send the username/password to Plone with WebServerAuth for SSO. Plus Apache is the best web server.
Yusuf Tran Mar 10, 2009 07:06 PM
Advance apologies for my ignorance but would it be possible you can create a guide for windows servers?

For the past week I've been all round the net and the IRC channel and am still at a loss to get this working on a Windows server :(. I'm confused by the various add-ons mentioned in the various articles and get confused by the advice to not use one or the other.

An updated guide for V3 on Windows would highly be appreciated, I'd like to roll this out to our various schools in the UK but need to get my head around configuring it with SSO in our office first.

If anyone here whose had success with SSO on Server 2003 with Plone 3 would like point me in the right direction that would also be appreciated.

Many thanks in advance

Yusuf
Daniel Ezell Aug 27, 2009 10:38 PM
In the section Likewise-Open, the fourth line:

Open a terminal and execute the installer as sudo.

Has me stumped. Can you give me the actual command line in Debian, please?

Thanks for a great procedure writeup!
Michael Schreiber Dec 03, 2009 07:35 PM
The image following "Set your setting according to the image below:" (https://resources/resources/help-center/how-to/single-sign-on-with-active-directory/AD_SSO.gif/image_preview) is broken.
John Fugazi Dec 03, 2009 08:57 PM
It will show up in Internet Explorer. Firefox and Chrome are not showing it.
mrprelude23i Mar 25, 2010 09:09 AM
Hi.

I've followed your how-to to set up an intranet for my company, but I have some trouble with it. First of all IE8 reports that there is an error with the certificate. Logs report that the certificate is for another site than intended. In the SSL configuration I've used both "plone" and "plone.mydomain.com" in the Common Name field. My server name is plone.mydomain.com. If I confirm for IE that the certificate is OK, I get to a login form. Logging in with "mydomain\user" gets me in, but this isn't single sign-on... I've used the Kerberos authentication. Our DC is a Win 2003 server.

There is probably something that I am doing wrong.. But I am all lost at the moment.. At one step I had to rename the server (naming crashed with an another machine.), maybe this broke something? Should I start all over again..?
John Fugazi Mar 25, 2010 03:01 PM
Issue 1 - Certificate
- i am assuming you are talking about the initial page with the red shield with an "x". this is normal for a self-signed certificate because it was not signed by a trusted third-party like VeriSign.
- you can install the self-signed certificate by click the "certificate error" next to the address bar and then click "View certificates". you should see "install certificate"
- if you are using "group policy", you can have it installed to all machines.

Issue 2 - sso
- http://www.likewise.com/[…]/Likewise-Apache-SSO-Guide.pdf - page 10
- local intranet site "http://plone" not "http://plone.mydomain.com"
- this setting can also be set in "group policy"
mrprelude23i Mar 29, 2010 07:34 AM
Thank you for your reply, but I've done all that.. Still not working.. I will try to reinstall everything today.

In your configuration of ktpass, likewise and apache you use "Domain.com", I presume I should use my domainname there..? And the Common Name in SSL configuration in my case would be "plone"?

And one other thing, I am installing this on a Debian without GUI and as root. But this shouldn't make any difference...?
mrprelude23i Mar 29, 2010 12:44 PM
Made a new fresh install today. Now I get a "Internal Server Error" after the "Apache2 with Likewise-open (kerberos)" configuration. Error logs show; "kerb_authenticate_user entered with user (NULL) and auth_type Kerberos" and "gss_display_name() failed: A required input parameter could not be read".

Restarting apache also throws some error-messages; libldap and libcrypto loading gives error "no version information available. Required by /usr/lib/libpq.so.5.
I have entered that LD_LIBRARY line in the apache startup script.

Could it be something with my domain naming?
John Fugazi Mar 30, 2010 01:05 PM
"NULL" - something is not passing correctly. email me more info. some of the message can be ignored...
mrprelude23i Apr 06, 2010 12:51 PM
I've finally made the single-sign-on working.. As I suspected the domain naming was my problem. The workstation used to test this was on a different subdomain..
STNS Feb 04, 2011 02:07 PM
Thanks for this HowTo, we got it working in our AD domain however mind that this causes Zope External Edit to fail since it does not support NTLM authentication, you end up in a catch 22 situation:
If changing authentication to LDAP to keep basic auth (supported by ZEE) then Internet Explorer won't automatically send username and password. As per Microsoft's site:
Automatic logon with current username and password. The logon credential may be tried silently by Windows NT Challenge response (NTLM), an authentication protocol between an end-user client and application server, before prompting.