I'm currently building a Drupal website in an Active Directory environment. One of the site's requirements is Single Sign On, which to date seems to be impossible because there is no Kerberos SPNEGO/GSSAPI auth module for drupal. I've come up with an idea on how SSO could be attempted on IIS. Since IIS has the option to require Kerberos authentication, we can let IIS handle authentication and use the AUTH_USER server variable to pass the authorized user name to the an 'improved' LDAP_auth module. The LDAP_auth module would then check the user name (but not password since it doesn't know or need to know the password) against LDAP to get the user's roles. (AD groups) Does anyone know if this is possible? If so, does anyone have any ideas on how to implement this?
A:
IIRC, the Webserver authentication module does pretty much what you describe and has been used to set up similar solutions on Apache running mod_auth_kerb. It might need a little tweaking to work with IIS.
Henrik Opel
2010-05-26 01:14:55