Using NTLM for S.S.O. in Rails


#1

Greetings all,

To all the good souls that happen to know NTLM and Rails…

Short version:

  • I’m looking for server code to extract credentials through NTLM dialog
    with the client (IE)
  • I found nothing usable/useful (as they both implement the client side
    code) in
    • rubyntlm on rubyforge
    • lib ntlm-ruby by Jonathan Bastien-Filiatrau

LONG version:

Version 1 of an application I’ve just finished requires the client
enters a login and password. As this is a closed application in a pure
Windows environment and everybody uses IE, I was asked to use SSO to
avoid this step, as the users are already logged in at this stage.

The way I understand it, I need my Rails app to implement the server
side of the NTLM handshake to have IE send it the user’s login and
password.
Unfortunately, all the ruby code and samples I’ve found -see above ref.-
implement the client side of the handshake (meaning: the ruby
application is the client trying to reach a NTLM savvy server).

Has anybody already solved this problem in Rails?

Many thanks in advance.

Alain


#2

On May 17, 2006, at 09:46, Alain R. wrote:

Has anybody already solved this problem in Rails?

Not sure about Rails, but take a look at CIFS for a Java
implementation. Perhaps there is a Ruby implementation as well, or you
could simply port it yourself :))

“Note: This functionality is a non-conformant extension to HTTP
conceived entirely by Microsoft. It inappropriately uses HTTP headers
and therefore may not work with all Servlet containers or may stop
working with a new release of your application server. Also, this
flavor of password encryption is not very secure so under no
circumstances should it be used to authenticate clients on the
Internet.”

http://jcifs.samba.org/

“JCIFS NTLM HTTP Authentication”
http://jcifs.samba.org/src/docs/ntlmhttpauth.html

“The NTLM Authentication Protocol”
http://davenport.sourceforge.net/ntlm.html

“NTLM Authentication Scheme for HTTP”
http://www.innovation.ch/personal/ronald/ntlm.html

Cheers


PA, Onnay Equitursay
http://alt.textdrive.com/


#3

Hello,

I have been successful with this by using IIS as a proxy with a tool
called
isapirewrite http://www.isapirewrite.com/. I used the excellent
instructions http://www.napcs.com/howto/rails/deploy/ written by Brian
Hogan.
To get IIS to pass on the credentials in a header I had to add an option
to
rewrite rule. I don’t have access to the configuration right now but
it’s
documented in the isapirewrite documentation.

Regards,

Jens Norrgrann
Conside Solutions AB


#4

Jens,

I have been successful with this by using IIS as a proxy with a
tool called
isapirewrite. I used the excellent instructions written by Brian
Hogan.
To get IIS to pass on the credentials in a header

I should have mentioned that my app runs in a separate Linux server -
no IIS- with Mongrel. It’s only the clients’ desktops that are running
on Windows with IE.

To complete the picture, once I have obtained the login and password,
I use them to check with LDAP if the user has enough rights to use my
Rails app.

Alain


#5

Never did this before, just a wild stab of a suggestion, but have you
tried doing it from the Win32 module? It might save you a lot of effort
if you use Windows’ native calls to access NTLM instead.

Alain R. wrote:

  • I found nothing usable/useful (as they both implement the client side
    avoid this step, as the users are already logged in at this stage.
    Many thanks in advance.

Alain


Sau S.


http://www.projectible.com
http://jaccal.sourceforge.net


#6

Chang,

have you tried doing it from the Win32 module? It might save you
a lot of effort
if you use Windows’ native calls to access NTLM instead.

Win32 module?
I don’t understand your suggestion: this is a pure Rails app running
in a linux server, that must seamessly obtain credentials info from a
remote IE browser.

Alain


#7

I should have mentioned that my app runs in a separate Linux server -
no IIS- with Mongrel. It’s only the clients’ desktops that are running
on Windows with IE.

To complete the picture, once I have obtained the login and password,
I use them to check with LDAP if the user has enough rights to use my
Rails app.

Well I don’t know if it is possible, but couldn’t you proxy from IIS on
windows to the Linux server?

Jens


#8

Yes, my bad, I didn’t read the other posts, didn’t realise that u are
running it on Linux.

Alain R. wrote:

remote IE browser.

Alain


Sau S.


http://www.projectible.com
http://jaccal.sourceforge.net


#9

There’s at least one NTLM Apache module for Unix, maybe more. Google the
terms apache ntlm.

Alain R. wrote:

Jens,

I have been successful with this by using IIS as a proxy with a
tool called
isapirewrite. I used the excellent instructions written by Brian
Hogan.
To get IIS to pass on the credentials in a header

I should have mentioned that my app runs in a separate Linux server -
no IIS- with Mongrel. It’s only the clients’ desktops that are running
on Windows with IE.

To complete the picture, once I have obtained the login and password,
I use them to check with LDAP if the user has enough rights to use my
Rails app.

Alain


#10

It is up to your web server to accept NTLM credentials from IE and then
pass them on to Rails as an environment variable.

For Apache on Windows you can use mod-auth-sspi

Latest version: mod_auth_sspi-1.0.4-rc1-2.0.55

This will work flawlessly with IE. Here is a sample from my httpd.conf
that uses a group to authenticate:

Alias /snag “C:/rails/snag/public/”
<Directory “C:/rails/snag/public”>
AddHandler fastcgi-script .fcgi
Options +ExecCGI
AllowOverride all
Allow from all
Order allow,deny

AuthName "Authenticate to AD"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
Require Group MFC\TN_W_SNAG

You can then pull which user has authenticated using an environment
variable - I can’t remember which.

I don’t see any way you are going to pull this off with Mongrel. You
can either use IIS on Windows or Apache on Windows unless someone writes
some NTLM code for Mongrel.

Charles


#11

Just a thought: rather than knocking yourself out trying to get this
working on Apache/Linux, wouldn’t it just be easier to move across to
IIS and use the Win32 library to get access?

Normally, I wouldn’t recommend using Windows as a Rails server, but
your case would be an exception.

Regards

Dave M.


#12

Proxy across from IIS to Mongrel. It’s super simple. My guides will help
although they’re a little out of date now that Mongrel has changed a few
things. But the IIS part will work fine for you. You’ll need to spend
$70
on the redirecting filter for IIS.

If that’s not an option, the above Apache configuration should work
well.


#13

How did you get a hold of the LOGON_USER server variable in rails? I
have got my rails app running through IIS on a mongrel cluster and using
lighttpd to load balance as described in the instructions written by
Bryan Hogan. I added the ‘A’ flag to the RewriteProxy directive of
isapirewrite which in the documentation is supposed to send a variable
called ISRW-Proxy-LOGON-USER, but I am not getting it. Any help is
appreciated!