Rails - May 2006 - Using NTLM for S.S.O. in Rails

Greetings all,


To all the good souls that happen to know NTLM and Rails....


Short version:
--------------
- I''m looking for server code to extract credentials through NTLM
dialog
with the client (IE)
- I found nothing usable/useful (as they both implement the client side 
code) in
    - rubyntlm on rubyforge
    - lib ntlm-ruby by Jonathan Bastien-Filiatrau


LONG version:
--------------
Version 1 of an application I''ve just finished requires the client 
enters a login and password. As this is a closed application in a pure 
Windows environment and everybody uses IE, I was asked to use SSO to 
avoid this step, as the users are already logged in at this stage.

The way I understand it, I need my Rails app to implement the server 
side of the NTLM handshake to have IE send it the user''s login and 
password.
Unfortunately, all the ruby code and samples I''ve found -see above
ref.-
implement the client side of the handshake (meaning: the ruby 
application is the client trying to reach a NTLM savvy server).

Has anybody already solved this problem in Rails?

Many thanks in advance.


Alain



-- 
Posted via http://www.ruby-forum.com/.

On May 17, 2006, at 09:46, Alain Ravet wrote:
> Has anybody already solved this problem in Rails?
Not sure about Rails, but take a look at CIFS for a Java 
implementation. Perhaps there is a Ruby implementation as well, or you 
could simply port it yourself :))

"Note: This functionality is a non-conformant extension to HTTP 
conceived entirely by Microsoft. It inappropriately uses HTTP headers 
and therefore may not work with all Servlet containers or may stop 
working with a new release of your application server. Also, this 
flavor of password encryption is not very secure so under no 
circumstances should it be used to authenticate clients on the 
Internet."

http://jcifs.samba.org/

"JCIFS NTLM HTTP Authentication"
http://jcifs.samba.org/src/docs/ntlmhttpauth.html

"The NTLM Authentication Protocol"
http://davenport.sourceforge.net/ntlm.html

"NTLM Authentication Scheme for HTTP"
http://www.innovation.ch/personal/ronald/ntlm.html

Cheers

--
PA, Onnay Equitursay
http://alt.textdrive.com/

Hello,

I have been successful with this by using IIS as a proxy with a tool called
isapirewrite <http://www.isapirewrite.com/>. I used the excellent
instructions <http://www.napcs.com/howto/rails/deploy/> written by Brian
Hogan.
To get IIS to pass on the credentials in a header I had to add an option to
rewrite rule. I don''t have access to the configuration right now but
it''s
documented in the isapirewrite documentation.

Regards,

Jens Norrgrann
Conside Solutions AB



On 5/17/06, Alain Ravet <alainravet-spam2004@yahoo.com>
wrote:
>
>
> Greetings all,
>
>
> To all the good souls that happen to know NTLM and Rails....
>
>
> Short version:
> --------------
> - I''m looking for server code to extract credentials through NTLM
dialog
> with the client (IE)
> - I found nothing usable/useful (as they both implement the client side
> code) in
>    - rubyntlm on rubyforge
>    - lib ntlm-ruby by Jonathan Bastien-Filiatrau
>
>
> LONG version:
> --------------
> Version 1 of an application I''ve just finished requires the client
> enters a login and password. As this is a closed application in a pure
> Windows environment and everybody uses IE, I was asked to use SSO to
> avoid this step, as the users are already logged in at this stage.
>
> The way I understand it, I need my Rails app to implement the server
> side of the NTLM handshake to have IE send it the user''s login and
> password.
> Unfortunately, all the ruby code and samples I''ve found -see above
ref.-
> implement the client side of the handshake (meaning: the ruby
> application is the client trying to reach a NTLM savvy server).
>
> Has anybody already solved this problem in Rails?
>
> Many thanks in advance.
>
>
> Alain
>
>
>
> --
> Posted via http://www.ruby-forum.com/.
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://wrath.rubyonrails.org/pipermail/rails/attachments/20060517/32457862/attachment-0001.html

Jens,

   > I have been successful with this by using IIS as a proxy with a tool
called
   > isapirewrite. I used the excellent instructions written by Brian Hogan.
   > To get IIS to pass on the credentials in a header
..

I should have mentioned that my app runs in a separate Linux server -
no IIS- with Mongrel. It''s only the clients'' desktops that are
running
on Windows with IE.


To complete the picture, once I have obtained the login and password,
I use them to check with LDAP if the user has enough rights to use my
Rails app.

Alain

Never did this before, just a wild stab of a suggestion, but have you
tried doing it from the Win32 module? It might save you a lot of effort
if you use Windows'' native calls to access NTLM instead.

Alain Ravet wrote:
> Greetings all,
>
>
> To all the good souls that happen to know NTLM and Rails....
>
>
> Short version:
> --------------
> - I''m looking for server code to extract credentials through NTLM
dialog
> with the client (IE)
> - I found nothing usable/useful (as they both implement the client side 
> code) in
>     - rubyntlm on rubyforge
>     - lib ntlm-ruby by Jonathan Bastien-Filiatrau
>
>
> LONG version:
> --------------
> Version 1 of an application I''ve just finished requires the client
> enters a login and password. As this is a closed application in a pure 
> Windows environment and everybody uses IE, I was asked to use SSO to 
> avoid this step, as the users are already logged in at this stage.
>
> The way I understand it, I need my Rails app to implement the server 
> side of the NTLM handshake to have IE send it the user''s login and
> password.
> Unfortunately, all the ruby code and samples I''ve found -see above
ref.-
> implement the client side of the handshake (meaning: the ruby 
> application is the client trying to reach a NTLM savvy server).
>
> Has anybody already solved this problem in Rails?
>
> Many thanks in advance.
>
>
> Alain
>
>
>
>   

-- 
Sau Sheong

http://blog.saush.com
http://www.projectible.com
http://jaccal.sourceforge.net

>I should have mentioned that my app runs in a separate Linux server -
>no IIS- with Mongrel. It''s only the clients'' desktops that
are running
>on Windows with IE.
>
>
>To complete the picture, once I have obtained the login and password,
>I use them to check with LDAP if the user has enough rights to use my
>Rails app.
Well I don''t know if it is possible, but couldn''t you proxy
from IIS on
windows to the Linux server?

Jens
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://wrath.rubyonrails.org/pipermail/rails/attachments/20060517/b92ec5ab/attachment.html

Chang,

   > have you tried doing it from the Win32 module? It might save you
a lot of effort
   > if you use Windows'' native calls to access NTLM instead.


Win32 module?
I don''t understand your suggestion: this is a pure Rails app running
in a linux server, that must seamessly obtain credentials info from a
remote IE browser.

Alain

Yes, my bad, I didn''t read the other posts, didn''t realise
that u are
running it on Linux.

Alain Ravet wrote:
> Chang,
>
>   > have you tried doing it from the Win32 module? It might save you
> a lot of effort
>   > if you use Windows'' native calls to access NTLM instead.
>
>
> Win32 module?
> I don''t understand your suggestion: this is a pure Rails app
running
> in a linux server, that must seamessly obtain credentials info from a
> remote IE browser.
>
> Alain

-- 
Sau Sheong

http://blog.saush.com
http://www.projectible.com
http://jaccal.sourceforge.net

There''s at least one NTLM Apache module for Unix, maybe more. Google
the
terms apache ntlm.

Alain Ravet wrote:
> Jens,
> 
>    > I have been successful with this by using IIS as a proxy with a 
> tool called
>    > isapirewrite. I used the excellent instructions written by Brian 
> Hogan.
>    > To get IIS to pass on the credentials in a header
> ..
> 
> I should have mentioned that my app runs in a separate Linux server -
> no IIS- with Mongrel. It''s only the clients'' desktops
that are running
> on Windows with IE.
> 
> 
> To complete the picture, once I have obtained the login and password,
> I use them to check with LDAP if the user has enough rights to use my
> Rails app.
> 
> Alain

-- 
Posted via http://www.ruby-forum.com/.

Just a thought: rather than knocking yourself out trying to get this
working on Apache/Linux, wouldn''t it just be easier to move across to
IIS and use the Win32 library to get access?

Normally, I wouldn''t recommend using Windows as a Rails server, but
your case would be an exception.

Regards

Dave M.

On 18/05/06, Steve Koppelman <hatlessnyc@yahoo.com>
wrote:
> There''s at least one NTLM Apache module for Unix, maybe more.
Google the
> terms apache ntlm.
>
> Alain Ravet wrote:
> > Jens,
> >
> >    > I have been successful with this by using IIS as a proxy with
a
> > tool called
> >    > isapirewrite. I used the excellent instructions written by
Brian
> > Hogan.
> >    > To get IIS to pass on the credentials in a header
> > ..
> >
> > I should have mentioned that my app runs in a separate Linux server -
> > no IIS- with Mongrel. It''s only the clients''
desktops that are running
> > on Windows with IE.
> >
> >
> > To complete the picture, once I have obtained the login and password,
> > I use them to check with LDAP if the user has enough rights to use my
> > Rails app.
> >
> > Alain
>
>
> --
> Posted via http://www.ruby-forum.com/.
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>

It is up to your web server to accept NTLM credentials from IE and then 
pass them on to Rails as an environment variable.

For Apache on Windows you can use mod-auth-sspi

Latest version: mod_auth_sspi-1.0.4-rc1-2.0.55

This will work flawlessly with IE.  Here is a sample from my httpd.conf 
that uses a group to authenticate:

Alias /snag "C:/rails/snag/public/"
<Directory "C:/rails/snag/public">
    AddHandler fastcgi-script .fcgi
    Options +ExecCGI
    AllowOverride all
    Allow from all
    Order allow,deny
   
    AuthName "Authenticate to AD"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    Require Group MFC\TN_W_SNAG
</Directory>

You can then pull which user has authenticated using an environment 
variable - I can''t remember which.

I don''t see any way you are going to pull this off with Mongrel.  You 
can either use IIS on Windows or Apache on Windows unless someone writes 
some NTLM code for Mongrel.

Charles


Alain Ravet wrote:
> Jens,
>
>   > I have been successful with this by using IIS as a proxy with a 
> tool called
>   > isapirewrite. I used the excellent instructions written by Brian 
> Hogan.
>   > To get IIS to pass on the credentials in a header
> ..
>
> I should have mentioned that my app runs in a separate Linux server -
> no IIS- with Mongrel. It''s only the clients'' desktops
that are running
> on Windows with IE.
>
>
> To complete the picture, once I have obtained the login and password,
> I use them to check with LDAP if the user has enough rights to use my
> Rails app.
>
> Alain
> ------------------------------------------------------------------------
>
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>

Proxy across from IIS to Mongrel. It''s super simple. My guides will
help
although they''re a little out of date now that Mongrel has changed a
few
things. But the IIS part will work fine for you.  You''ll need to spend
$70
on the redirecting filter for IIS.

If that''s not an option, the above Apache configuration should work
well.

On 6/30/06, Charles Leeds <charlesleeds@rowdyrhino.com>
wrote:
>
> It is up to your web server to accept NTLM credentials from IE and then
> pass them on to Rails as an environment variable.
>
> For Apache on Windows you can use mod-auth-sspi
>
> Latest version: mod_auth_sspi-1.0.4-rc1-2.0.55
>
> This will work flawlessly with IE.  Here is a sample from my httpd.conf
> that uses a group to authenticate:
>
> Alias /snag "C:/rails/snag/public/"
> <Directory "C:/rails/snag/public">
>     AddHandler fastcgi-script .fcgi
>     Options +ExecCGI
>     AllowOverride all
>     Allow from all
>     Order allow,deny
>
>     AuthName "Authenticate to AD"
>     AuthType SSPI
>     SSPIAuth On
>     SSPIAuthoritative On
>     Require Group MFC\TN_W_SNAG
> </Directory>
>
> You can then pull which user has authenticated using an environment
> variable - I can''t remember which.
>
> I don''t see any way you are going to pull this off with Mongrel. 
You
> can either use IIS on Windows or Apache on Windows unless someone writes
> some NTLM code for Mongrel.
>
> Charles
>
>
> Alain Ravet wrote:
> > Jens,
> >
> >   > I have been successful with this by using IIS as a proxy with a
> > tool called
> >   > isapirewrite. I used the excellent instructions written by
Brian
> > Hogan.
> >   > To get IIS to pass on the credentials in a header
> > ..
> >
> > I should have mentioned that my app runs in a separate Linux server -
> > no IIS- with Mongrel. It''s only the clients''
desktops that are running
> > on Windows with IE.
> >
> >
> > To complete the picture, once I have obtained the login and password,
> > I use them to check with LDAP if the user has enough rights to use my
> > Rails app.
> >
> > Alain
> >
------------------------------------------------------------------------
> >
> > _______________________________________________
> > Rails mailing list
> > Rails@lists.rubyonrails.org
> > http://lists.rubyonrails.org/mailman/listinfo/rails
> >
>
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://wrath.rubyonrails.org/pipermail/rails/attachments/20060630/d46ec65e/attachment.html

How did you get a hold of the LOGON_USER server variable in rails? I have got my
rails app running through IIS on a mongrel cluster and using lighttpd to load
balance as described in the instructions written by Bryan Hogan. I added the
''A'' flag to the RewriteProxy directive of isapirewrite which
in the documentation is supposed to send a variable called
ISRW-Proxy-LOGON-USER, but I am not getting it. Any help is appreciated!

On Tue, 2006-07-11 at 14:27 -0500, nicksmooth wrote:
> ISRW-Proxy-LOGON-USER
That would come out as HTTP_ISRW_PROXY_LOGON_USER if that''s right.  Run
your Mongrel app real quick with the -B option, then go checkout the
log/mongrel_debug/rails.log to see what your server is handing rails and
what rails thinks of it.


-- 
Zed A. Shaw
http://www.zedshaw.com/
http://mongrel.rubyforge.org/
http://www.railsmachine.com/ -- Need Mongrel support?