Hi folks
I wish to migrate Windows IIS webserver to CentOS. Killer-Feature is SSO with Windows Integrated Authentication[0].
Anyone have experience with such a setup and can say a few sentences on how to do that and if it's stable?
kind regards Sven Aluoor
(Please CC me, I am not on the list)
[0] http://bayimg.com/image/hanogaabi.jpg
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Sven Sent: Friday, February 13, 2009 6:11 AM To: CentOS mailing list Subject: [CentOS] Practical experience with NTLM/Windows IntegratedAuthentication [Apache]
Hi folks
I wish to migrate Windows IIS webserver to CentOS. Killer-Feature is SSO with Windows Integrated Authentication[0].
Anyone have experience with such a setup and can say a few sentences on how to do that and if it's stable?
---- Now that sounds like a .aspx and .Net Web App which will not run under CentOS (Apache) (1). But it also depends on what you're wanting to actually do on Apache. WIA can still work, for example running an app under CentOS using Apache to access MSSQL server. It just totally depends on what cat you're trying to skin. BTW .Net Version 1, which is Mono on CentOS Apache, has somewhat doable functionality. With Apache on Winblows it can parse .aspx (.Net) requests. That is a lot of code testing to get it to a usable state and is NOT worth the effort involved in doing so. You can move all your web apps, for example, and still have Single Sign On accessing Active Directory on the winblows PDC.
All in all you're best to stay where you're at on IIS and start from the ground up on CentOS and Apache. Some Fast CGI IIS Apps will work under Apache; keep that in mind.
(1) Requires lots of worthless work! In other words, do not waste your time.
JohnStanley
On Fri, 2009-02-13 at 12:11 +0100, Sven wrote:
I wish to migrate Windows IIS webserver to CentOS. Killer-Feature is SSO with Windows Integrated Authentication[0].
Anyone have experience with such a setup and can say a few sentences on how to do that and if it's stable?
I've done this on a few servers at work and it works great. Stable and essentially hands off after the initial config. The very first time I set it up, I had a tough time figuring out all the bits that were necessary to make it work, but I guess that's true of anything you do the first time.
You know what the best part is? Nothing was documented. HA! It's actually quite horrible. My plan is to set up the Apache/Windows AD integration again on another box and to document it at that time.
Your two keys to success:
1. you better have a solid understanding of administering a CentOS system. You don't have to know Apache inside and out, but a good grasp of how to configure apache is a plus.
2. make sure your Windows ADS is configured properly. If there's anything that will throw off your project, it's the Windows server. Your Windows admin better know his stuff!
Regards,
Ranbir
On Fri, Feb 13, 2009 at 8:22 PM, Kanwar Ranbir Sandhu m3freak@thesandhufamily.ca wrote:
On Fri, 2009-02-13 at 12:11 +0100, Sven wrote:
I wish to migrate Windows IIS webserver to CentOS. Killer-Feature is SSO with Windows Integrated Authentication[0].
Anyone have experience with such a setup and can say a few sentences on how to do that and if it's stable?
I've done this on a few servers at work and it works great. Stable and essentially hands off after the initial config. The very first time I set it up, I had a tough time figuring out all the bits that were necessary to make it work, but I guess that's true of anything you do the first time.
You know what the best part is? Nothing was documented. HA! It's actually quite horrible. My plan is to set up the Apache/Windows AD integration again on another box and to document it at that time.
Your two keys to success:
- you better have a solid understanding of administering a CentOS system. You don't have to know Apache inside and out, but a good grasp of how to configure apache is a plus.
- make sure your Windows ADS is configured properly. If there's anything that will throw off your project, it's the Windows server. Your Windows admin better know his stuff!
OK, so you say it's possible, but how about some hints? You're leaving us completely in the dark here.
On Sat, 2009-02-14 at 09:14 -0600, Jeff wrote:
OK, so you say it's possible, but how about some hints? You're leaving us completely in the dark here.
The problem is I don't have a step-by-step procedure to give you because I didn't document as I went along. Working in a smaller company usually means documentation gets delayed or not done at all, unfortunately (not enough time to do it!).
I'll see if I saved the links I found the most useful when I did the integration (on my work PC, so has to wait until Feb 17th, at least). The websites I used will hopefully be useful to you, too.
Regards,
Ranbir
Hi,
Last year I tried to get this working on a CentOS 4 server, but I could not get it running.
I used this module at the time: http://adldap.sourceforge.net/wiki/doku.php?id=mod_auth_ntlm_winbind
I spent some time trying to figure out what was the issue, but eventually I just gave up. I believe I had some problem on the Samba config somewhere...
My current job is Linux only so I never tried this again, maybe it would work under CentOS 5, it might be worth the try...
HTH, Filipe
Sven wrote:
Hi folks
I wish to migrate Windows IIS webserver to CentOS. Killer-Feature is SSO with Windows Integrated Authentication[0].
Cor...you are asking for a tough one here.
Anyone have experience with such a setup and can say a few sentences on how to do that and if it's stable?
No experience with apache in particular but for SSO to work, Kerberos will have to be involved.
Hmm, a Google on apache kerberos produced this:
http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/
Have fun. Oh, I believe this will only work with IE clients on the desktop side of things unless Mozilla or whatever else out there has kerberos support too.
Hi,
On Sun, Feb 15, 2009 at 19:02, Christopher Chan christopher.chan@bradbury.edu.hk wrote:
Have fun. Oh, I believe this will only work with IE clients on the desktop side of things unless Mozilla or whatever else out there has kerberos support too.
No, NTLM auth works in Firefox (at least on Firefox on Windows; I don't think it will work on other platforms though).
I tested configuring Firefox on Windows to do NTLM auth, and it worked with the IIS sites my company had. As I said before, unfortunately I couldn't get Apache on Linux to work with NTLM authentication.
See: http://www.crossedconnections.org/w/?p=89 http://www.cauldwell.net/patrick/blog/PermaLink,guid,c7f1e799-c4ae-4758-9de7... http://kb.mozillazine.org/Network.automatic-ntlm-auth.trusted-uris
HTH, Filipe
Filipe Brandenburger wrote:
Hi,
On Sun, Feb 15, 2009 at 19:02, Christopher Chan christopher.chan@bradbury.edu.hk wrote:
Have fun. Oh, I believe this will only work with IE clients on the desktop side of things unless Mozilla or whatever else out there has kerberos support too.
No, NTLM auth works in Firefox (at least on Firefox on Windows; I don't think it will work on other platforms though).
Okay.
I tested configuring Firefox on Windows to do NTLM auth, and it worked with the IIS sites my company had. As I said before, unfortunately I couldn't get Apache on Linux to work with NTLM authentication.
Too bad. However, based on your information I found this on Google:
http://sivel.net/2007/05/sso-apache-ad-1/
Thanks Filipe. Now I guess I can have a crack at this too.
Christopher
Too bad. However, based on your information I found this on Google:
http://sivel.net/2007/05/sso-apache-ad-1/
Thanks Filipe. Now I guess I can have a crack at this too.
I haven't tried this one, but note that it lacks NTLMv2 and group support, which made it non-usable in my environment. Like Filipe suggested, mod_auth_ntlm_winbind addresses this, but it appears it's not actively maintained and I got stuck configuring it and gave up...
jlc
On Tue, 2009-02-17 at 10:27 -0700, Joseph L. Casale wrote:
I haven't tried this one, but note that it lacks NTLMv2 and group support, which made it non-usable in my environment. Like Filipe suggested, mod_auth_ntlm_winbind addresses this, but it appears it's not actively maintained and I got stuck configuring it and gave up...
I believe you can use kerberos auth and group lookups. For the group support, you need to do direct LDAP lookups. Just run a google search for 'kerberos apache group', or something along those lines, to find some links discussing what I've mentioned here.
Regards,
Ranbir
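As an added illustration of the approach Ranbir describes (Kerberos for authentication, direct LDAP lookups for group authorization), here is a constructed Apache 2.2 configuration built on mod_auth_kerb and mod_authnz_ldap. It is not from this thread or from either module's documentation. The realm EXAMPLE.COM, the domain controller name, the keytab path, the bind account and the group DN are all placeholders you would replace with your own values; the keytab is assumed to hold the HTTP/hostname service principal that the AD side exported for this web server.

```apache
# Added example (not from the thread): Kerberos/Negotiate SSO with
# AD group authorization via LDAP. All names below are placeholders.
<Location /intranet>
    AuthType Kerberos
    AuthName "Intranet SSO"
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    # keytab for HTTP/web.example.com@EXAMPLE.COM, readable only by apache
    Krb5KeyTab /etc/httpd/conf/http.keytab
    # accept SPNEGO/Negotiate tickets from the browser ...
    KrbMethodNegotiate On
    # ... but never fall back to prompting for a password over Basic auth,
    # which would send AD credentials to the web server in cleartext
    KrbMethodK5Passwd Off
    # strip "@EXAMPLE.COM" so REMOTE_USER matches sAMAccountName in AD
    KrbLocalUserMapping On

    # Authorization: look the authenticated user up in AD and require
    # membership of one group. Port 3268 is the Global Catalog.
    AuthLDAPURL "ldap://dc1.example.com:3268/dc=example,dc=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "cn=apache-ldap,ou=Service Accounts,dc=example,dc=com"
    AuthLDAPBindPassword "REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD"
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN On
    AuthzLDAPAuthoritative On
    Require ldap-group cn=Web Users,ou=Groups,dc=example,dc=com
</Location>
```

The bind account only needs read access to user and group objects, so use a dedicated low-privilege account rather than a domain admin, and keep the file holding its password mode 0600 and owned by root. If the directory is reachable over LDAPS (port 3269 for the Global Catalog), prefer an ldaps:// URL so the bind password and the membership queries do not cross the network in the clear.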
On Tue, Feb 17, 2009 at 2:59 PM, Kanwar Ranbir Sandhu m3freak@thesandhufamily.ca wrote:
On Tue, 2009-02-17 at 10:27 -0700, Joseph L. Casale wrote:
I haven't tried this one, but note that it lacks NTLMv2 and group support, which made it non-usable in my environment. Like Filipe suggested, mod_auth_ntlm_winbind addresses this, but it appears it's not actively maintained and I got stuck configuring it and gave up...
I believe you can use kerberos auth and group lookups. For the group support, you need to do direct LDAP lookups. Just run a google search for 'kerberos apache group', or something along those lines, to find some links discussing what I've mentioned here.
If you have a lot of hosts that need access to winbind-mapped UIDs/GIDs, instead of setting up winbind everywhere and having an administrative headache if the RID mapping gets messed up on one host, set up a winbind-to-NIS server that puts the mappings into NIS maps and propagate the information that way. The only real difference on the other hosts is to switch 'winbind' to 'nis' in nsswitch.conf.
-Ross
If you have a lot of hosts that need access to winbind-mapped UIDs/GIDs, instead of setting up winbind everywhere and having an administrative headache if the RID mapping gets messed up on one host, set up a winbind-to-NIS server that puts the mappings into NIS maps and propagate the information that way. The only real difference on the other hosts is to switch 'winbind' to 'nis' in nsswitch.conf.
What's wrong with winbind on a ldap backend? I have winbind installed everywhere...all pointing to a single ldap instance.
On Feb 17, 2009, at 7:50 PM, Christopher Chan <christopher.chan@bradbury.edu.hk> wrote:
If you have a lot of hosts that need access to winbind-mapped UIDs/GIDs, instead of setting up winbind everywhere and having an administrative headache if the RID mapping gets messed up on one host, set up a winbind-to-NIS server that puts the mappings into NIS maps and propagate the information that way. The only real difference on the other hosts is to switch 'winbind' to 'nis' in nsswitch.conf.
What's wrong with winbind on a ldap backend? I have winbind installed everywhere...all pointing to a single ldap instance.
Well yeah, you can use ldap too to keep the rid mappings centralized. I just think configuring ldap, putting the schema together and configuring samba everywhere is more work than nis, but to each their own.
-Ross
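To make the trade-off Ross and Christopher are discussing concrete, here is a constructed smb.conf fragment (added example, not from the thread or the Samba project) for the LDAP-backed idmap that Christopher describes, in the Samba 3.0 syntax that shipped with CentOS 5. The point of the shared backend is that every host hands out the same UID/GID for a given SID, so a mapping corrupted on one box cannot diverge from the rest. The server names, suffixes, bind DN and ranges are placeholders.

```ini
# Added example: winbind with a central LDAP idmap store (Samba 3.0 syntax).
# Every host must carry identical idmap settings, otherwise the same SID
# can resolve to different UIDs on different machines.
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    encrypt passwords = yes

    # central store for SID <-> UID/GID mappings; placeholder host name
    idmap backend = ldap:ldap://idmap.example.com
    ldap suffix = dc=example,dc=com
    ldap idmap suffix = ou=Idmap
    # account allowed to write new mappings; its password is stored in
    # secrets.tdb with "smbpasswd -w", never in this file
    ldap admin dn = cn=idmap-writer,dc=example,dc=com
    ldap ssl = start tls

    # allocation ranges must match on all hosts and must not overlap
    # locally assigned UIDs/GIDs in /etc/passwd and /etc/group
    idmap uid = 10000-19999
    idmap gid = 10000-19999

    winbind use default domain = yes
    winbind enum users = no
    winbind enum groups = no
```

Each client host then keeps `passwd: files winbind` and `group: files winbind` in nsswitch.conf; the NIS variant Ross proposes differs only in that one host runs winbind and exports the resulting maps, and the others list `nis` there instead. With the LDAP approach, restrict write access to the Idmap subtree to the single admin DN and allow every other host read-only binds, so a compromised client cannot rewrite the mappings that all the other hosts trust.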
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Filipe Brandenburger Sent: Monday, February 16, 2009 3:58 AM To: CentOS mailing list Subject: Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]
No, NTLM auth works in Firefox (at least on Firefox on Windows; I don't think it will work on other platforms though).
It doesn't. NTLM auth to e.g. Sharepoint sites works fine with Firefox on Windows. Setting the same things in Firefox under Linux and having it log in to Sharepoint doesn't.