Forum: Ruby on Rails Using NTLM for S.S.O. in Rails

Alain R. (Guest)
on 2006-05-17 11:46
Greetings all,

To all the good souls that happen to know NTLM and Rails....
Short version:
--------------
- I'm looking for server code to extract credentials through NTLM dialog
with the client (IE)
- I found nothing usable/useful (as they both implement the client side
code) in
    - rubyntlm on rubyforge
    - lib ntlm-ruby by Jonathan Bastien-Filiatrau


LONG version:
--------------
Version 1 of an application I've just finished requires that the client
enter a login and password. As this is a closed application in a pure
Windows environment and everybody uses IE, I was asked to use SSO to
avoid this step, as the users are already logged in at this stage.

The way I understand it, I need my Rails app to implement the server
side of the NTLM handshake to have IE send it the user's login and
password.
Unfortunately, all the ruby code and samples I've found -see above ref.-
implement the client side of the handshake (meaning: the ruby
application is the client trying to reach a NTLM savvy server).

Has anybody already solved this problem in Rails?

Many thanks in advance.


Alain
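Added example (not code from this thread or from any of the libraries mentioned in it) showing the server half of the NTLM handshake Alain is asking for, in plain Ruby so it could sit in front of a Rails action. One point about the framing is worth knowing before reading it: NTLM never sends the password. The browser's Type 3 message carries the user name, domain and workstation plus two 24-byte challenge responses derived from the password hash, so extracting the name is easy, but proving it is genuine means checking those responses against the user's NT hash or handing them to a domain controller, which this code does not do (that is why the later answers push the job onto IIS or Apache). Message layouts follow the davenport document linked above; the target name `MFC`, the fixed demo challenge and the all-zero responses in the constructed Type 3 are assumptions for the demo.

```ruby
require 'base64'
require 'securerandom'

# Server side of the NTLM-over-HTTP handshake (added example, not code from
# the thread): answer a bare request with "WWW-Authenticate: NTLM", turn the
# client's Type 1 into a Type 2 challenge, and pull the identity fields out
# of the Type 3. The LM/NT responses are NOT validated here; doing that needs
# the user's NT hash or a domain controller, so this alone is not authentication.
module NtlmServer
  SIGNATURE = "NTLMSSP\0".b

  # Negotiate flags (subset) from the NTLM specification.
  NEGOTIATE_UNICODE  = 0x00000001
  NEGOTIATE_OEM      = 0x00000002
  REQUEST_TARGET     = 0x00000004
  NEGOTIATE_NTLM     = 0x00000200
  TARGET_TYPE_DOMAIN = 0x00010000

  # A "security buffer" is len:u16, maxlen:u16, offset:u32; return the bytes it points to.
  def self.read_buffer(msg, pos)
    len, _maxlen, off = msg[pos, 8].unpack('vvV')
    raise ArgumentError, 'security buffer points outside the message' if off + len > msg.bytesize
    msg[off, len]
  end

  # Base64 token from the Authorization header -> [raw bytes, message type].
  def self.decode_token(token)
    msg = Base64.strict_decode64(token)
    raise ArgumentError, 'not an NTLMSSP message' unless msg.bytesize >= 16 && msg[0, 8] == SIGNATURE
    [msg, msg[8, 4].unpack1('V')]
  end

  # Pick Unicode strings if the client offered them, else OEM; always plain NTLM.
  def self.negotiate(client_flags)
    base = REQUEST_TARGET | NEGOTIATE_NTLM | TARGET_TYPE_DOMAIN
    base | ((client_flags & NEGOTIATE_UNICODE).zero? ? NEGOTIATE_OEM : NEGOTIATE_UNICODE)
  end

  # Type 2: signature, type, target-name buffer, flags, 8-byte challenge,
  # 8 reserved bytes, an empty target-info buffer, then the target name at offset 48.
  def self.build_type2(challenge, flags, target)
    raise ArgumentError, 'challenge must be 8 bytes' unless challenge.bytesize == 8
    name = (flags & NEGOTIATE_UNICODE).zero? ? target.b : target.encode('UTF-16LE').b
    [SIGNATURE, 2, name.bytesize, name.bytesize, 48, flags, challenge, "\0" * 8,
     0, 0, 48 + name.bytesize].pack('a8VvvVVa8a8vvV') + name
  end

  # Type 3 buffers sit at fixed offsets: LM response 12, NT response 20,
  # domain 28, user 36, workstation 44; the flags follow at 60 when present.
  def self.parse_type3(msg, unicode_default)
    raise ArgumentError, 'Type 3 message too short' if msg.bytesize < 52
    flags = msg.bytesize >= 64 ? msg[60, 4].unpack1('V') : nil
    unicode = flags ? !(flags & NEGOTIATE_UNICODE).zero? : unicode_default
    text = lambda do |pos|
      raw = read_buffer(msg, pos)
      # OEM strings are in the client's code page; Latin-1 is an approximation.
      unicode ? raw.force_encoding('UTF-16LE').encode('UTF-8') : raw.force_encoding('ISO-8859-1').encode('UTF-8')
    end
    { domain: text.call(28), user: text.call(36), workstation: text.call(44),
      lm_response: read_buffer(msg, 12), nt_response: read_buffer(msg, 20) }
  end

  # One HTTP round trip. auth is the Authorization header value (or nil); state
  # is what the previous round returned ({challenge:, flags:} or nil).
  # Returns [status, response headers, new state, identity or nil].
  def self.step(auth, state, target: 'MFC', rng: -> { SecureRandom.random_bytes(8) })
    return [401, { 'WWW-Authenticate' => 'NTLM' }, nil, nil] unless auth && auth.start_with?('NTLM ')
    msg, type = decode_token(auth[5..-1].strip)
    case type
    when 1
      flags = negotiate(msg[12, 4].unpack1('V'))
      challenge = rng.call
      token = Base64.strict_encode64(build_type2(challenge, flags, target))
      [401, { 'WWW-Authenticate' => "NTLM #{token}" }, { challenge: challenge, flags: flags }, nil]
    when 3
      raise ArgumentError, 'Type 3 without an outstanding challenge' unless state
      identity = parse_type3(msg, !(state[:flags] & NEGOTIATE_UNICODE).zero?)
      [200, {}, nil, identity.merge(challenge: state[:challenge])]
    else
      raise ArgumentError, "unexpected NTLM message type #{type}"
    end
  end

  # Constructed client Type 3 for the demo; the 24-byte responses are dummies.
  def self.sample_type3(domain, user, workstation, flags)
    enc = ->(s) { (flags & NEGOTIATE_UNICODE).zero? ? s.b : s.encode('UTF-16LE').b }
    fields = ["\0".b * 24, "\0".b * 24, enc.call(domain), enc.call(user), enc.call(workstation), ''.b]
    bufs, body, off = ''.b, ''.b, 64
    fields.each { |f| bufs << [f.bytesize, f.bytesize, off].pack('vvV'); body << f; off += f.bytesize }
    SIGNATURE + [3].pack('V') + bufs + [flags].pack('V') + body
  end

  # Runs the three rounds IE would drive, with a fixed challenge so it is reproducible.
  def self.demo
    fixed = -> { ['0123456789abcdef'].pack('H*') }
    _status, _hdrs, state, _ = step(nil, nil, rng: fixed)
    type1 = Base64.strict_encode64(SIGNATURE + [1, NEGOTIATE_UNICODE | NEGOTIATE_NTLM].pack('VV'))
    _status, _hdrs, state, _ = step("NTLM #{type1}", state, rng: fixed)
    type3 = Base64.strict_encode64(sample_type3('MFC', 'alain', 'WS01', state[:flags]))
    step("NTLM #{type3}", state).last
  end
end

puts NtlmServer.demo.inspect if $PROGRAM_NAME == __FILE__
```

The state returned from the Type 1 round has to be kept per connection (NTLM authenticates the TCP connection, not the request), which is awkward in Mongrel and is the reason the rest of the thread moves the handshake into the web server.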
PA (Guest)
on 2006-05-17 11:59
(Received via mailing list)
On May 17, 2006, at 09:46, Alain R. wrote:

> Has anybody already solved this problem in Rails?

Not sure about Rails, but take a look at CIFS for a Java
implementation. Perhaps there is a Ruby implementation as well, or you
could simply port it yourself :))

"Note: This functionality is a non-conformant extension to HTTP
conceived entirely by Microsoft. It inappropriately uses HTTP headers
and therefore may not work with all Servlet containers or may stop
working with a new release of your application server. Also, this
flavor of password encryption is not very secure so under no
circumstances should it be used to authenticate clients on the
Internet."

http://jcifs.samba.org/

"JCIFS NTLM HTTP Authentication"
http://jcifs.samba.org/src/docs/ntlmhttpauth.html

"The NTLM Authentication Protocol"
http://davenport.sourceforge.net/ntlm.html

"NTLM Authentication Scheme for HTTP"
http://www.innovation.ch/personal/ronald/ntlm.html

Cheers

--
PA, Onnay Equitursay
http://alt.textdrive.com/
Jens Norrgrann (Guest)
on 2006-05-17 11:59
(Received via mailing list)
Hello,

I have been successful with this by using IIS as a proxy with a tool
called isapirewrite <http://www.isapirewrite.com/>. I used the excellent
instructions <http://www.napcs.com/howto/rails/deploy/> written by Brian
Hogan.
To get IIS to pass on the credentials in a header I had to add an option
to the rewrite rule. I don't have access to the configuration right now
but it's documented in the isapirewrite documentation.

Regards,

Jens Norrgrann
Conside Solutions AB
Alain R. (Guest)
on 2006-05-17 12:11
(Received via mailing list)
Jens,

> I have been successful with this by using IIS as a proxy with a
> tool called isapirewrite. I used the excellent instructions written by
> Brian Hogan.
> To get IIS to pass on the credentials in a header
> ..

I should have mentioned that my app runs in a separate Linux server -
no IIS- with Mongrel. It's only the clients' desktops that are running
on Windows with IE.


To complete the picture, once I have obtained the login and password,
I use them to check with LDAP if the user has enough rights to use my
Rails app.

Alain
Chang Sau S. (Guest)
on 2006-05-17 12:23
(Received via mailing list)
Never did this before, just a wild stab of a suggestion, but have you
tried doing it from the Win32 module? It might save you a lot of effort
if you use Windows' native calls to access NTLM instead.

Alain R. wrote:
> - I found nothing usable/useful (as they both implement the client side
> avoid this step, as the users are already logged in at this stage.
> Many thanks in advance.
>
> Alain

--
Sau S.

http://blog.saush.com
http://www.projectible.com
http://jaccal.sourceforge.net
Jens Norrgrann (Guest)
on 2006-05-17 12:42
(Received via mailing list)
>I should have mentioned that my app runs in a separate Linux server -
>no IIS- with Mongrel. It's only the clients' desktops that are running
>on Windows with IE.
>
>
>To complete the picture, once I have obtained the login and password,
>I use them to check with LDAP if the user has enough rights to use my
>Rails app.

Well I don't know if it is possible, but couldn't you proxy from IIS on
windows to the Linux server?

Jens
Alain R. (Guest)
on 2006-05-17 12:42
(Received via mailing list)
Chang,

> have you tried doing it from the Win32 module? It might save you
> a lot of effort if you use Windows' native calls to access NTLM
> instead.


Win32 module?
I don't understand your suggestion: this is a pure Rails app running
on a Linux server, that must seamlessly obtain credentials info from a
remote IE browser.

Alain
Chang Sau S. (Guest)
on 2006-05-17 16:16
(Received via mailing list)
Yes, my bad, I didn't read the other posts, didn't realise that you are
running it on Linux.

Alain R. wrote:
> remote IE browser.
>
> Alain


--
Sau S.

http://blog.saush.com
http://www.projectible.com
http://jaccal.sourceforge.net
Steve K. (Guest)
on 2006-05-17 18:18
There's at least one NTLM Apache module for Unix, maybe more. Google the
terms apache ntlm.

Alain R. wrote:
> Jens,
>
>    > I have been successful with this by using IIS as a proxy with a
> tool called
>    > isapirewrite. I used the excellent instructions written by Brian
> Hogan.
>    > To get IIS to pass on the credentials in a header
> ..
>
> I should have mentioned that my app runs in a separate Linux server -
> no IIS- with Mongrel. It's only the clients' desktops that are running
> on Windows with IE.
>
>
> To complete the picture, once I have obtained the login and password,
> I use them to check with LDAP if the user has enough rights to use my
> Rails app.
>
> Alain
David M. (Guest)
on 2006-05-18 01:02
(Received via mailing list)
Just a thought: rather than knocking yourself out trying to get this
working on Apache/Linux, wouldn't it just be easier to move across to
IIS and use the Win32 library to get access?

Normally, I wouldn't recommend using Windows as a Rails server, but
your case would be an exception.

Regards

Dave M.
Charles L. (Guest)
on 2006-06-30 18:25
(Received via mailing list)
It is up to your web server to accept NTLM credentials from IE and then
pass them on to Rails as an environment variable.

For Apache on Windows you can use mod-auth-sspi

Latest version: mod_auth_sspi-1.0.4-rc1-2.0.55

This will work flawlessly with IE.  Here is a sample from my httpd.conf
that uses a group to authenticate:

Alias /snag "C:/rails/snag/public/"
<Directory "C:/rails/snag/public">
    # Rails is served through FastCGI out of the app's public directory
    AddHandler fastcgi-script .fcgi
    Options +ExecCGI
    AllowOverride all
    Order allow,deny
    Allow from all

    # mod_auth_sspi does the NTLM handshake with IE; Apache is authoritative,
    # and only members of the named AD group reach the Rails app
    AuthName "Authenticate to AD"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    Require Group MFC\TN_W_SNAG
</Directory>

You can then pull which user has authenticated using an environment
variable - I can't remember which.

I don't see any way you are going to pull this off with Mongrel.  You
can either use IIS on Windows or Apache on Windows unless someone writes
some NTLM code for Mongrel.

Charles
Brian H. (Guest)
on 2006-06-30 18:48
(Received via mailing list)
Proxy across from IIS to Mongrel. It's super simple. My guides will help
although they're a little out of date now that Mongrel has changed a few
things. But the IIS part will work fine for you. You'll need to spend $70
on the redirecting filter for IIS.

If that's not an option, the above Apache configuration should work
well.
nicksmooth (Guest)
on 2006-07-12 01:11
(Received via mailing list)
How did you get a hold of the LOGON_USER server variable in rails? I
have got my rails app running through IIS on a mongrel cluster and using
lighttpd to load balance as described in the instructions written by
Bryan Hogan. I added the 'A' flag to the RewriteProxy directive of
isapirewrite which in the documentation is supposed to send a variable
called ISRW-Proxy-LOGON-USER, but I am not getting it. Any help is
appreciated!