I have a webpage that I only want a specific group to log into.

I work at a college and we use Active Directory accounts, and only a certain group can access this PHP page (on an Apache server).

I know I can restrict access with some PHP code, but I want to accomplish seamless login.

Everyone uses IE7 at work (which is configured to pass the proper credentials), and is required to log into the computer (which logs them into the domain controller).

When the user goes to http://intranet, they will automatically be logged in, since they logged into their computer earlier.

If a user goes to http://intranet.domain.com, it will prompt them for their credentials.

I know I need to use Kerberos for authentication and LDAP for authorization.

Has anyone had success at seamless authentication?

+1  A: 

There are commercial products that offer this as Apache modules, see the links at the end of the Wikipedia article on SPNEGO (e.g. Guide to SPNEGO with Apache). I know also of some PHP modules like php_krb5: php_krb5 beta / Negotiate auth with GSSAPI for PHP, or Apache modules like mod_auth_kerb. I never used them myself though.

As for going the whole 9 yards and implementing Negotiate auth in PHP, I did implement in my life RFC 2617 in PHP for Digest HTTP auth and I did implement Windows SSPI authentication modules, but I never tried to implement RFC 4559 in PHP. While the HTTP auth part is fairly trivial, the opaque GSS-API part is daunting, even provided you have a good GSS-API library at your disposal for RFC 2743.

Remus Rusanu
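For the mod_auth_kerb route mentioned in the answer above, combined with the Kerberos-for-authentication, LDAP-for-authorization split the question asks about, a configuration sketch follows. It is an added example, not part of the original thread; the realm, host names, DNs, paths and group name are placeholders, and it assumes Apache 2.2 with mod_authnz_ldap and a mod_auth_kerb build that supports KrbLocalUserMapping.

```apache
# Added example: every name, path and DN below is a placeholder.
<Location /restricted>
    # --- Authentication: Kerberos via SPNEGO (mod_auth_kerb) ---
    AuthType Kerberos
    AuthName "Intranet"
    KrbMethodNegotiate On
    # Off = no Basic-auth fallback, so a browser that cannot negotiate
    # is refused rather than asked to send a password to the web server.
    KrbMethodK5Passwd Off
    KrbAuthRealms EXAMPLE.EDU
    KrbServiceName HTTP
    # The keytab must hold the HTTP/<hostname> principal for the exact
    # name users type in the browser (e.g. HTTP/intranet.example.edu).
    # Keep it readable only by the Apache service account.
    Krb5KeyTab /etc/apache2/http.keytab
    # Strip "@REALM" from the principal so the LDAP lookup below can
    # match it against sAMAccountName.
    KrbLocalUserMapping On

    # --- Authorization: AD group membership (mod_authnz_ldap) ---
    AuthLDAPURL "ldap://dc1.example.edu:389/OU=Staff,DC=example,DC=edu?sAMAccountName?sub?(objectClass=user)"
    # Low-privilege lookup account; keep this file root-readable only.
    AuthLDAPBindDN "CN=svc-apache,OU=Service Accounts,DC=example,DC=edu"
    AuthLDAPBindPassword "REPLACE_ME"
    Require ldap-group CN=IntranetUsers,OU=Groups,DC=example,DC=edu
</Location>
```

With this in place PHP sees the authenticated user in `$_SERVER['REMOTE_USER']`, and a user outside the group is denied by Apache before the script runs.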
A: 

This is because you need to add intranet.domain.local to the Local Intranet zone in IE. Check this article for details: http://www.sysadminlab.net/other/local-intranet-zone-in-ie8-exaplained-for-sysadmins

Jonas B