Greetings all,

To all the good souls that happen to know NTLM and Rails....

Short version:
--------------
- I'm looking for server code to extract credentials through NTLM dialog with the client (IE)
- I found nothing usable/useful (as they both implement the client side code) in
  - rubyntlm on rubyforge
  - lib ntlm-ruby by Jonathan Bastien-Filiatrau

LONG version:
--------------
Version 1 of an application I've just finished requires the client enters a login and password. As this is a closed application in a pure Windows environment and everybody uses IE, I was asked to use SSO to avoid this step, as the users are already logged in at this stage.

The way I understand it, I need my Rails app to implement the server side of the NTLM handshake to have IE send it the user's login and password.
Unfortunately, all the ruby code and samples I've found -see above ref.- implement the client side of the handshake (meaning: the ruby application is the client trying to reach a NTLM savvy server).

Has anybody already solved this problem in Rails?

Many thanks in advance.

Alain

--
Posted via http://www.ruby-forum.com/.
On May 17, 2006, at 09:46, Alain Ravet wrote:

> Has anybody already solved this problem in Rails?

Not sure about Rails, but take a look at CIFS for a Java implementation. Perhaps there is a Ruby implementation as well, or you could simply port it yourself :))

"Note: This functionality is a non-conformant extension to HTTP conceived entirely by Microsoft. It inappropriately uses HTTP headers and therefore may not work with all Servlet containers or may stop working with a new release of your application server. Also, this flavor of password encryption is not very secure so under no circumstances should it be used to authenticate clients on the Internet."

http://jcifs.samba.org/

"JCIFS NTLM HTTP Authentication"
http://jcifs.samba.org/src/docs/ntlmhttpauth.html

"The NTLM Authentication Protocol"
http://davenport.sourceforge.net/ntlm.html

"NTLM Authentication Scheme for HTTP"
http://www.innovation.ch/personal/ronald/ntlm.html

Cheers

--
PA, Onnay Equitursay
http://alt.textdrive.com/
Hello,

I have been successful with this by using IIS as a proxy with a tool called isapirewrite <http://www.isapirewrite.com/>. I used the excellent instructions <http://www.napcs.com/howto/rails/deploy/> written by Brian Hogan.

To get IIS to pass on the credentials in a header I had to add an option to rewrite rule. I don't have access to the configuration right now but it's documented in the isapirewrite documentation.

Regards,

Jens Norrgrann
Conside Solutions AB
Jens,

> I have been successful with this by using IIS as a proxy with a tool called
> isapirewrite. I used the excellent instructions written by Brian Hogan.
> To get IIS to pass on the credentials in a header ..

I should have mentioned that my app runs in a separate Linux server - no IIS - with Mongrel. It's only the clients' desktops that are running on Windows with IE.

To complete the picture, once I have obtained the login and password, I use them to check with LDAP if the user has enough rights to use my Rails app.

Alain
Never did this before, just a wild stab of a suggestion, but have you tried doing it from the Win32 module? It might save you a lot of effort if you use Windows' native calls to access NTLM instead.

--
Sau Sheong
http://blog.saush.com
http://www.projectible.com
http://jaccal.sourceforge.net
> I should have mentioned that my app runs in a separate Linux server -
> no IIS- with Mongrel. It's only the clients' desktops that are running
> on Windows with IE.
>
> To complete the picture, once I have obtained the login and password,
> I use them to check with LDAP if the user has enough rights to use my
> Rails app.

Well I don't know if it is possible, but couldn't you proxy from IIS on Windows to the Linux server?

Jens
Chang,

> have you tried doing it from the Win32 module? It might save you a lot of effort
> if you use Windows' native calls to access NTLM instead.

Win32 module?
I don't understand your suggestion: this is a pure Rails app running in a Linux server, that must seamlessly obtain credentials info from a remote IE browser.

Alain
Yes, my bad, I didn't read the other posts, didn't realise that u are running it on Linux.

--
Sau Sheong
http://blog.saush.com
http://www.projectible.com
http://jaccal.sourceforge.net
There's at least one NTLM Apache module for Unix, maybe more. Google the terms apache ntlm.
Just a thought: rather than knocking yourself out trying to get this working on Apache/Linux, wouldn't it just be easier to move across to IIS and use the Win32 library to get access?

Normally, I wouldn't recommend using Windows as a Rails server, but your case would be an exception.

Regards

Dave M.

On 18/05/06, Steve Koppelman <hatlessnyc@yahoo.com> wrote:
> There's at least one NTLM Apache module for Unix, maybe more. Google the
> terms apache ntlm.
It is up to your web server to accept NTLM credentials from IE and then pass them on to Rails as an environment variable.

For Apache on Windows you can use mod-auth-sspi

Latest version: mod_auth_sspi-1.0.4-rc1-2.0.55

This will work flawlessly with IE. Here is a sample from my httpd.conf that uses a group to authenticate:

    Alias /snag "C:/rails/snag/public/"
    <Directory "C:/rails/snag/public">
        AddHandler fastcgi-script .fcgi
        Options +ExecCGI
        AllowOverride all
        Allow from all
        Order allow,deny

        AuthName "Authenticate to AD"
        AuthType SSPI
        SSPIAuth On
        SSPIAuthoritative On
        Require Group MFC\TN_W_SNAG
    </Directory>

You can then pull which user has authenticated using an environment variable - I can't remember which.

I don't see any way you are going to pull this off with Mongrel. You can either use IIS on Windows or Apache on Windows unless someone writes some NTLM code for Mongrel.

Charles
Proxy across from IIS to Mongrel. It's super simple. My guides will help although they're a little out of date now that Mongrel has changed a few things. But the IIS part will work fine for you.

You'll need to spend $70 on the redirecting filter for IIS. If that's not an option, the above Apache configuration should work well.

On 6/30/06, Charles Leeds <charlesleeds@rowdyrhino.com> wrote:
> It is up to your web server to accept NTLM credentials from IE and then
> pass them on to Rails as an environment variable.
>
> For Apache on Windows you can use mod-auth-sspi
>
> Latest version: mod_auth_sspi-1.0.4-rc1-2.0.55
>
> This will work flawlessly with IE. Here is a sample from my httpd.conf
> that uses a group to authenticate:
>
> Alias /snag "C:/rails/snag/public/"
> <Directory "C:/rails/snag/public">
> AddHandler fastcgi-script .fcgi
> Options +ExecCGI
> AllowOverride all
> Allow from all
> Order allow,deny
>
> AuthName "Authenticate to AD"
> AuthType SSPI
> SSPIAuth On
> SSPIAuthoritative On
> Require Group MFC\TN_W_SNAG
> </Directory>
>
> You can then pull which user has authenticated using an environment
> variable - I can't remember which.
>
> I don't see any way you are going to pull this off with Mongrel. You
> can either use IIS on Windows or Apache on Windows unless someone writes
> some NTLM code for Mongrel.
>
> Charles
How did you get a hold of the LOGON_USER server variable in Rails?

I have got my Rails app running through IIS on a Mongrel cluster and using lighttpd to load balance as described in the instructions written by Brian Hogan. I added the 'A' flag to the RewriteProxy directive of isapirewrite which in the documentation is supposed to send a variable called ISRW-Proxy-LOGON-USER, but I am not getting it.

Any help is appreciated!
On Tue, 2006-07-11 at 14:27 -0500, nicksmooth wrote:
> ISRW-Proxy-LOGON-USER

That would come out as HTTP_ISRW_PROXY_LOGON_USER if that's right.

Run your Mongrel app real quick with the -B option, then go check out the log/mongrel_debug/rails.log to see what your server is handing Rails and what Rails thinks of it.

--
Zed A. Shaw
http://www.zedshaw.com/
http://mongrel.rubyforge.org/
http://www.railsmachine.com/ -- Need Mongrel support?
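
The trust boundary behind the proxy approach discussed in this thread, as an added Ruby example (not code from any poster, Mongrel or isapirewrite): the backend accepts the proxy-supplied login header only when the connection comes from the authenticating proxy. The header name and its `HTTP_ISRW_PROXY_LOGON_USER` form come from the thread; the `TrustedProxyIdentity` class, the `app.authenticated_user` key, the `DOMAIN\user` value format and the proxy address are assumptions.

```ruby
require 'ipaddr'

# Header name quoted in the thread. CGI/Rack-style servers expose a request
# header upper-cased, with dashes as underscores and an HTTP_ prefix.
IDENTITY_HEADER = 'ISRW-Proxy-LOGON-USER'

def cgi_env_key(header_name)
  'HTTP_' + header_name.upcase.tr('-', '_')
end

# Hypothetical Rack-style middleware: any client that can reach the backend
# directly can send this header itself, so it is honoured only when the TCP
# peer is the authenticating proxy, and it is always removed from the env.
class TrustedProxyIdentity
  def initialize(app, trusted_proxies:)
    @app = app
    @trusted = trusted_proxies.map { |cidr| IPAddr.new(cidr) }
    @key = cgi_env_key(IDENTITY_HEADER)
  end

  def call(env)
    raw = env.delete(@key) # the raw header never reaches the application
    if raw && from_proxy?(env['REMOTE_ADDR'])
      user = normalize(raw)
      env['app.authenticated_user'] = user if user # assumed key name
    end
    @app.call(env)
  end

  private

  def from_proxy?(addr)
    return false if addr.nil? || addr.empty?
    ip = IPAddr.new(addr)
    @trusted.any? { |net| net.include?(ip) }
  rescue IPAddr::Error
    false
  end

  # Assumption: the proxy reports the login as DOMAIN\user. Anything else
  # (empty parts, control characters, extra separators) is rejected.
  def normalize(raw)
    m = /\A([\w.-]+)\\([\w.$-]+)\z/.match(raw.strip)
    m && { domain: m[1].upcase, user: m[2].downcase }
  end
end
```

The address check complements, rather than replaces, binding the backend so that only the proxy can connect to it.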