Topic on Project:Support desk

Auto Login to Mediawiki (Auth remoteuser Extension)

2401:7400:C800:32AC:B49F:9B0F:5103:9928 (talkcontribs)

Hi folks,


I am trying to implement an auto login function into my MediaWiki by using their Windows credentials. I am using Apache Server.

I have implemented the Auth remoteuser extension and have implemented the mod_auth_sspi.so in my httpd.conf file and have configured it as follows:

<IfModule !mod_auth_sspi.c>
    LoadModule sspi_auth_module modules/mod_auth_sspi.so
</IfModule>
<Location "file/to/path">
    Options FollowSymLinks
    Order allow,deny
    Allow from all
    AuthName "TestWeb"
    AuthType SSPI 
    SSPIAuth On 
    SSPIAuthoritative On
    SSPIOmitDomain On
    SSPIOfferBasic on
    Require valid-user 
</Location>

However, it gives me the prompt to type in the username and password on IE/Firefox/Chrome, and I don't want the prompt to appear. I want it to auto login to MediaWiki straight without the prompt. Which step am I doing wrong?

How may I achieve the above? Thanks for all assistance!

2401:7400:C800:32AC:B49F:9B0F:5103:9928 (talkcontribs)

Can't edit my previous post. I am using Apache Server (V2.2)

Ciencia Al Poder (talkcontribs)

2401:7400:C800:32AC:2910:33A9:2BF5:5CD6 (talkcontribs)

Yup, I have. I have already put the require_once ... in my LocalSettings file :)

Thanks for your assistance!

Anyhowputx (talkcontribs)

To be exact,

I wrote this in my LocalSettings file, but it is still giving me the prompt in all browsers.

require_once "$IP/extensions/Auth_remoteuser/Auth_remoteuser.php";
$wgAuth = new Auth_remoteuser();

Ciencia Al Poder (talkcontribs)

I think you also need to set and adapt the settings of the Configuration section listed on the extension's page.

Apparently, instead of

$wgAuthRemoteuserName = $_SERVER["AUTHENTICATE_CN"]; /* User's name */

You need to use

$wgAuthRemoteuserName = $_SERVER["REMOTE_USER"]; /* User's name */

203.120.42.151 (talkcontribs)

Hi,

Thanks for your assistance.

I've changed as follows

$wgAuthRemoteuserName = isset( $_SERVER["REMOTE_USER"] )
	? $_SERVER["REMOTE_USER"]
	: '';

However, it is still giving me the prompt when I try on Firefox. Any idea if I have to configure something in my browser?

Thanks so much for your help!!!!!!! I really appreciated it.

58.167.32.21 (talkcontribs)

Firefox does not use Windows' internet settings, so you will have to manually add your sites to the network.automatic-ntlm-auth.trusted-uris config setting. See http://sivel.net/2007/05/firefox-ntlm-sso

175.156.223.209 (talkcontribs)

Hi,

Thanks for your response.

So you meant my above configuration is correct? And by configuring my Firefox, the browser will auto login for me without the prompt? Thanks so much!!

58.167.32.21 (talkcontribs)

If it is working on IE and Chrome, then yes. It is just Firefox that needs manual configuration due to not using Windows' settings.

Anyhowputx (talkcontribs)

Hi,

Thanks for your response. All browsers are giving me the prompt to enter my credentials before they log me in.

I am really very confused now. I have tried configuring Firefox the way you said. Since I am developing on localhost, should I put http://localhost or localhost?

And is SSPI the same as NTLM?

Thanks so much for your response!

Anyhowputx (talkcontribs)

Oh dear, I think I know why.

Previously, the reason I could not log in even though it kept prompting me (I think) was that it was trying to go to (www.example.com) instead of localhost. It detects the former as internet, so it denies my entry. It detects the latter as intranet and logs me in automatically.

Am I right? Thanks!!

58.167.32.21 (talkcontribs)

SSPI is the interface to access NTLM, among other security providers.

If the setting doesn't work, try without the protocol. If it still doesn't work, maybe you're using Kerberos authentication, in which case you would use the network.negotiate-auth.trusted-uris instead of network.automatic-ntlm-auth.trusted-uris.

If it is working on localhost on Chrome and IE then there is nothing wrong with your settings (unless you want to have it also work on non-intranet sites, in which case you would need to enable automatic login on trusted sites and add those sites as trusted sites in the internet options, as well as to the manual Firefox setting).
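Added example, not part of the original thread or any poster's code: a small Python check that reads the `WWW-Authenticate` headers of a 401 response and reports which schemes the server offers, so you can tell whether the NTLM or the Negotiate preference named above is the one Firefox needs. The sample response, `offered_schemes` and `diagnose` are constructed for illustration.

```python
import re

# Firefox preference that must list the site before the scheme is answered
# without a prompt; both names are the ones quoted in the thread.
FIREFOX_PREF = {
    "ntlm": "network.automatic-ntlm-auth.trusted-uris",
    "negotiate": "network.negotiate-auth.trusted-uris",
}

# Constructed sample (not captured from a real server): a 401 as it might look
# when NTLM is offered together with a Basic fallback (SSPIOfferBasic on).
SAMPLE_401 = (
    "HTTP/1.1 401 Authorization Required\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="TestWeb"\r\n'
    "Content-Type: text/html\r\n"
    "\r\n"
)

def offered_schemes(raw_headers):
    """Return the auth schemes named in WWW-Authenticate headers, in order."""
    schemes = []
    for line in raw_headers.split("\r\n")[1:]:   # skip the status line
        if not line:
            break                                # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        # Blank out quoted strings so commas inside a realm cannot split it.
        value = re.sub(r'"(?:\\.|[^"\\])*"', '""', value)
        # A scheme is a token at the start or after a comma that is not
        # followed by "=" (which would make it an auth-param like realm=).
        schemes += re.findall(r'(?:^|,)\s*([A-Za-z][\w-]*)(?=\s|,|$)', value)
    return schemes

def diagnose(raw_headers):
    """Say, per offered scheme, what the client needs to answer silently."""
    report = {}
    for scheme in offered_schemes(raw_headers):
        pref = FIREFOX_PREF.get(scheme.lower())
        if pref:
            report[scheme] = "integrated logon; Firefox needs the site in " + pref
        elif scheme.lower() == "basic":
            # Basic carries the password base64-encoded, which is not encryption.
            report[scheme] = "typed credentials; the browser shows a prompt"
        else:
            report[scheme] = "not covered by this thread"
    return report

if __name__ == "__main__":
    for scheme, note in diagnose(SAMPLE_401).items():
        print(f"{scheme}: {note}")
```

To use it on a real site, paste the response headers shown in the browser's network tools in place of `SAMPLE_401`.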

203.127.197.23 (talkcontribs)

Hi,

Thank you for advising me till now. You saved my life!

I still have a couple more questions to ask. Please advise if it is within your knowledge. Thanks!!!

Currently, my domain will be in the form of (www.companyname.com/wiki/index.php) and is an intranet. Currently, I have to add our site to the intranet zone of IE/Firefox in order to enable the autologin (no prompt).

My question is how the autologin will work when deployed on the live server, since the configuration is not made on all the clients' computers? I read something about group policy but I am not sure if I am on the right track. Only an administrator can make changes to the group policy?

Thanks so much once again!

Ciencia Al Poder (talkcontribs)

Yes, Group Policy changes can only be done by the Domain Controller administrator, and it will make the policy be replicated to all computers of the domain.

203.127.197.23 (talkcontribs)

Ahhhh. I see.

So now what's left to do is to inform the administrator to use Group Policy to add (www.companyname.com) into the intranet zone of IE/Firefox right before the auto-login can work properly for all users in the company right?

Thank you Ciencia for your great help and being so patient!! :)

203.127.197.23 (talkcontribs)

Hi,

I would like to ask: will this single sign-on work on mobile/tablet as well?

Currently, I can see the $_SERVER['REMOTE_USER'] on my desktop using the 3 browsers (IE, Chrome, Firefox)

Also, will it work on apache2handler and cgi/fcgi?

Thanks for your assistance!

Ciencia Al Poder (talkcontribs)

Your mobile/tablet doesn't ask you for a username and password to login when you power it on, so I doubt you would get a REMOTE_USER from those devices.

138.75.250.73 (talkcontribs)

Thanks for your response

Just want to further clarify my understanding. Correct me if I'm wrong.

So could I say that the Auth remoteuser extension allows single sign-on only on desktop browsers (IE, Chrome, Firefox) since we have to configure the settings on these browsers before SSO is enabled?

And also since, like you said, our desktop will prompt for a username and password for us to login (I assume this is the Windows credentials you are referring to).

Hence if users access the MediaWiki site on mobile/tablets, they have to manually login with a MediaWiki account and not their Windows account like on the desktop.

Ultimate thanks for your assistance!! I really really appreciated your kind help!

Ciencia Al Poder (talkcontribs)

Correct. Mobile users could log in with their Windows credentials if MediaWiki is correctly using an LDAP authentication extension - assuming that the Auth remoteuser extension still allows users to access the login page, something I don't really know.

203.127.197.23 (talkcontribs)

The steps I took to configure Apache + MediaWiki for SSO are as follows:

Download the mod_auth_sspi.so and add both of these code blocks to my httpd.conf file:

<IfModule !mod_auth_sspi.c>
    LoadModule sspi_auth_module modules/mod_auth_sspi.so
</IfModule>
<Location "file/to/path">
    Options FollowSymLinks
    Order allow,deny
    Allow from all
    AuthName "TestWeb"
    AuthType SSPI 
    SSPIAuth On 
    SSPIAuthoritative On
    SSPIOmitDomain On
    SSPIOfferBasic on
    Require valid-user 
</Location>

Am I missing out any steps besides configuring the browser? What else must I take note of? Thanks for your response and help!
