-----Original Message-----
From: André Warnier [mailto:[EMAIL PROTECTED] 
Sent: Monday, September 22, 2008 1:06 PM
Subject: Re: [EMAIL PROTECTED] Sspi login prompts - enable more than one

Gallardo, Lisa wrote:
> I have sspi module enabled on website (windows 2003, apache 2.0) and 
> have googled to figure out how to get the login prompt to prompt at 
> least 3 times (if incorrect password submitted) but so far only get 
> one prompt and then error page of no access which freaks folks out. 
> Plus, they can't go back or refresh page because it's set in their cookies.
> 
> Is there somewhere in the httpd.conf file I can set more than one 
> login prompt for the site?
> 
To answer your second question first: I don't think so.  This kind of thing is 
more likely due to the browser settings.

But there is something else that bothers me above :
When you use something like sspi, it is usually because you want the users' 
browsers, in an Intranet that is also a Windows Domain, to be able to 
authenticate to the Apache webserver using their Windows Domain user-id (which 
is already known to the workstation at that point, since they have already 
logged in to the Windows Domain).

In that context, when the login dialog even appears once in the browser, it is 
already an indication of a failure.
It means that the (automatic) Windows authentication has failed, and that the 
browser is "falling back" to Basic authentication.  And since the server will 
not accept this form of authentication, the browser login will *never* succeed. 
No matter how often the login dialog comes back.

Now, assuming your users are in an Intranet and a Windows Domain, I would first 
check the configuration of the browsers, and particularly a checkbox somewhere 
(in IE) saying "Allow Windows Integrated Authentication".

And if the browsers are not directly inside the Domain, then you may also want 
to add your webserver's hostname to the list of "trusted hosts".

Try again then and let us know.

----

Thank you so much Andre for your reply!

When users are at work they do have IE set up as you stated above: the site is 
in the intranet security zone for automatic login and Allow Windows Integrated 
Authentication is checked. But when they are at home or away from the office 
they can also access by entering their user login and password. This is when 
the login prompts and it only prompts once then gives the error message if 
credentials are incorrect. 

It's set up like this in my config:

AuthName "Password Required" 
AuthType SSPI 
SSPIAuth On 
SSPIAuthoritative On 
SSPIOmitDomain On 
require group domain\domainuser

When outside the network is there a way to have apache use ldap instead? If 
this is uncommented will it work with sspi for outside the network? And will it 
prompt twice?

##########MM_MOD_LDAP_AUTH 
#AuthName "Intranet Users Only"
#AuthType Basic
#LDAP_Debug On
#LDAP_Server DOMAIN.local
#LDAP_Port 389
#LDAP_Protocol_Version 3
#Base_DN "dc=DOMAIN,dc=local"
#Bind_DN "CN=User,OU=Service Accounts,OU=Department,OU=Office,DC=DOMAIN,DC=local"
#Bind_Pass "xxxxxxx"
#UID_Attr sAMAccountName
#require valid-user
#require user 
#require roomnumber "123 Center Building"
#require filter "(&(telephonenumber=1234)(roomnumber=123))"
#Group_Attr member
#require group "CN=User,OU=Groups,OU=Office"
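
The quoted reply above distinguishes Windows integrated authentication from a fallback to Basic. One way to see which of the two a browser actually sent is to classify the Authorization header values taken from a troubleshooting capture. This is an added example, not part of either message; the function names and sample headers are constructed for illustration.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def classify_authorization(value):
    """Return (scheme, detail) for one Authorization request header value."""
    scheme, _, token = (value or "").strip().partition(" ")
    scheme = scheme.lower()
    if not scheme:
        return ("none", "")
    if scheme not in ("basic", "ntlm", "negotiate"):
        return (scheme, "unrecognised scheme")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return (scheme, "malformed token")
    if scheme == "basic":
        # Basic is base64(user:password); report the user name only.
        user = raw.decode("utf-8", "replace").partition(":")[0]
        return ("basic", "user=" + user)
    # NTLM messages start with the signature, then a little-endian type field.
    if raw.startswith(NTLM_SIG) and len(raw) >= 12:
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        return (scheme, "NTLM " + NTLM_TYPES.get(msg_type, "type %d" % msg_type))
    return (scheme, "token without NTLM signature")

def diagnose(auth_headers):
    """Summarise one client's requests: did it ever send Basic credentials?"""
    schemes = [classify_authorization(h)[0] for h in auth_headers]
    if "basic" in schemes:
        return "basic-fallback"
    if "ntlm" in schemes or "negotiate" in schemes:
        return "integrated"
    return "no-credentials"

# Constructed sample headers (not from the thread).
SAMPLE_NTLM = "NTLM " + base64.b64encode(NTLM_SIG + struct.pack("<II", 1, 0)).decode()
SAMPLE_BASIC = "Basic " + base64.b64encode(b"jdoe:placeholder-password").decode()

if __name__ == "__main__":
    for header in (None, SAMPLE_NTLM, SAMPLE_BASIC):
        print(classify_authorization(header))
    print(diagnose([None, SAMPLE_NTLM]), diagnose([None, SAMPLE_BASIC]))
```

A "basic-fallback" result for a client means its browser sent a typed user name and password rather than an integrated-authentication token.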

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.