Imp

Reputation: 71

SSO Authentication - Apache/PHP/ActiveDirectory

I want to make an intranet with SSO authentication through Active Directory. I searched around and found maybe two ways:

  1. Using the Apache module mod_authnz_sspi. I can get the username and the domain, but it seems there is no authentication. Maybe I don't really get it...

    Here is my Apache conf for this module:

     
        AuthType SSPI
        SSPIAuth On
        SSPIAuthoritative On
        SSPIOfferBasic On
        SSPIOmitDomain Off
        SSPIDomain MyDOMAIN
        Require valid-user
    
    

    So I guess the "connection" is not really safe...

  2. Using the Apache module mod_authnz_ldap, but I can't make it work well...

    Here is my Apache conf for this module:

     
       
       AuthName "LDAP Authentication"
       AuthType Basic
       AuthBasicProvider ldap
       AuthLDAPBindAuthoritative off
       AuthLDAPURL "ldap://ad.server.fr:389/DC=server,DC=local?sAMAccountName?sub?(objectClass=person)" NONE
       AuthLDAPBindDN [email protected]
       AuthLDAPBindPassword password
       AuthLDAPRemoteUserAttribute on
       LDAPReferrals Off
    
    

    I got this error: LDAP: SSL support unavailable: LDAP: CA certificates cannot be set using this method, as they are stored in the registry instead. But I don't want to use SSL for the connection...

    Actually, I don't really get how this works. My Active Directory doesn't get a connection from my Apache, or maybe just an anonymous one.

Now I don't know how to set up SSO authentication on my intranet. Which way is better? Is there another one?

I use WAMP (for Windows) with Apache 2.4.4.

Upvotes: 1

Views: 3247

Answers (1)

user811463

Reputation: 31

I use Apache 2.4.4 on Windows XP with mod_authnz_sspi, and the following works for me for people using IE8. But I'm not using PHP. Using Django.

<Location "/k/">
    AuthName "Something"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain "COMPANY"
    SSPIUsernameCase "upper" 
    require valid-user
    SSPIPerRequestAuth Off
    require user "NT AUTHORITY\ANONYMOUS LOGON" denied
</Location>

Upvotes: 1
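
The question's worry that the connection is "not really safe" can be checked mechanically. The Python script below is an added example, not part of either post: it flags directives from the configurations in this thread that let credentials travel or sit in cleartext. The `audit` function, its `vhost_uses_tls` parameter and the finding names are hypothetical, and the sample inputs are constructed from the question's directives.

```python
import shlex

# Constructed samples: directives copied from the question's two configurations.
SAMPLE_SSPI = """\
AuthType SSPI
SSPIAuth On
SSPIOfferBasic On
Require valid-user
"""
SAMPLE_LDAP = """\
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldap://ad.server.fr:389/DC=server,DC=local?sAMAccountName?sub?(objectClass=person)" NONE
AuthLDAPBindPassword password
"""

def parse_directives(text):
    """Map lowercased directive name -> argument list (last occurrence wins)."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "<")):  # skip comments and section tags
            continue
        name, _, rest = line.partition(" ")
        directives[name.lower()] = shlex.split(rest)
    return directives

def audit(text, vhost_uses_tls=False):
    """Return finding names; vhost_uses_tls (hypothetical) is True if the site is HTTPS."""
    d = parse_directives(text)
    first = lambda key, default="": (d.get(key) or [default])[0].lower()
    findings = []
    if not vhost_uses_tls:
        # Basic auth sends the password base64-encoded, not encrypted.
        if first("authtype") == "basic":
            findings.append("basic-over-http")
        # SSPIOfferBasic makes the server offer Basic alongside SSPI.
        # Assumption: the directive counts as off when absent.
        if first("authtype") == "sspi" and first("sspiofferbasic", "off") == "on":
            findings.append("sspi-basic-fallback-over-http")
    url = d.get("authldapurl")
    if url:
        # Second argument is the connection mode; LDAPTrustedMode is not considered.
        mode = url[1].upper() if len(url) > 1 else "NONE"
        if url[0].lower().startswith("ldap://") and mode not in ("SSL", "TLS", "STARTTLS"):
            findings.append("ldap-cleartext-bind")
    if "authldapbindpassword" in d and not first("authldapbindpassword").startswith("exec:"):
        findings.append("ldap-bind-password-in-config")
    return findings
```

Calling `audit(SAMPLE_LDAP)` reports the Basic-over-HTTP, cleartext LDAP bind and inline bind password findings; the answer's SSPI block, which omits `SSPIOfferBasic`, produces none.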
