I thought I’d go ahead and post this here, since I haven’t had time to
do a full write up for my site but some people might find it useful.

How we authenticate with NTLM and IE passthrough:

What we did is set up a second rails app that uses mod_auth_sspi in
apache to authenticate (we also did it on IIS using a php file, since
IIS makes it easy to do single file permissions). I also wrote a plugin
that supplies an authenticate method for use with a before_filter, like
the login_generator does. The authenticate method looks for a cookie and
redirects to the secured rails app if it doesn’t find one. This avoids a
problem ajax methods seem to have using http authentication schemes.
You can use a second function “authenticate_dont_redirect” to check for
the cookie, but not try to redirect to the authentication app. This lets
you still check for a valid user with ajax methods, but doesn’t have the
problem of the authentication loop.

I also wrote a library to interact with active directory through the use
of Win32 api calls instead of LDAP (I couldn’t get ActiveDirectory
(active record like LDAP interface) or RubyLDAP to run on Win32)

If you have my ActiveDirectory plugin installed then the @logged_user
object created by authenticate is return as a User object and you can
easily get the username, firstname, lastname, etc. If not then it just
returns the username.

You can get my plugins and the authentication rails app from

There are comments in the source files, as well as the directory
configuration for httpd.conf for mod_auth_sspi. I can’t remember right
now where to download it. It does have to be used with Apache on Win32.
Also, we used a subfolder set-up but you could use a virtual server
approach. You’d need to actually change the authentication plugin to use
virtual servers, I haven’t added configuration options to it yet to
configure where the authentication app resides.

When stuff slows down at school (end of semester, senior year, really
busy time) I’ll write up something on giving a more
detailed walk through of using the plugins, especially the
ActiveDirectory plugin. Note that ActiveDirectory doesn’t have to be a
rails plugin, I’ve found it useful for non-rails ruby things too, but I
packaged it up as a plugin to make it easier to use for our apps.

Also note that I stripped out the test code from the active directory
plugin before posting it to the world, since it needed internal
information to actually be tested.


CONFIDENTIALITY NOTICE: The information in this electronic message
(including any attachments) is confidential and may be privileged or
proprietary. If you are not the intended recipient, any dissemination,
disclosure, copying, downloading, or other use of the information is
prohibited and unauthorized, and may be unlawful, regardless of address
or routing. If you are not the intended recipient, please inform the
sender immediately and permanently delete and destroy the original and
any copies of this message, including any attachments.