  2. MDL-20867

NTLM authentication: permit authentication from Firefox even if IE fast path is enabled


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Trivial
    • Resolution: Fixed
    • Affects Version/s: 1.9, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 2.4.1
    • Fix Version/s: 2.6
    • Component/s: Authentication
    • Testing Instructions:

      Requires a site using LDAP authentication with NTLM SSO configured.
      Also requires FF set up to allow NTLM auth. I think it's enabled by default now, but if not see: http://sivel.net/2007/05/firefox-ntlm-sso/

      There are 2 ways to "attempt" NTLM: the first way does a fast pass to the NTLM auth page; the 2nd way runs an "attempt" to see if the browser supports NTLM, and if it doesn't it will redirect to a form.
      For the purposes of the instructions below:
      "attempt" represents the "attempting NTLM page" that appears briefly when logging in and testing for NTLM.
      "fastpath" represents the fast NTLM login that doesn't display the "attempting NTLM page". This method only works in IE and assumes that ALL IE browsers in the configured subnet range allow NTLM and are part of the domain.
      "direct to form login" represents the standard Moodle login page, reached without going through the "attempting NTLM page".

      set Fastpath to "Yes, all other browsers use standard login form"

      • Login with IE on a machine in the domain to check fastpath NTLM works.
      • Login with FF on a machine in the domain to check it is passed direct to form login.
      • Login with some other browsers on a machine in the domain to check they are passed direct to form login.

      Set fastpath to "Yes, attempt NTLM other browsers"

      • Open IE on a machine in the domain to check fastpath NTLM works.
      • Open FF on a machine in the domain to check NTLM works.
      • Open other browsers on a machine in the domain to make sure redirected to forms based auth.

      Set fastpath to "Attempt NTLM with all browsers"

      • Open IE on a machine in the domain to check NTLM works.
      • Open FF on a machine in the domain to check passed to attempting NTLM page and SSO works.
      • Open other browsers on a machine in the domain to check passed to attempting NTLM page and fails so passed to standard forms login.
    • Difficulty:
      Easy
    • Affected Branches:
      MOODLE_19_STABLE, MOODLE_24_STABLE
    • Fixed Branches:
      MOODLE_26_STABLE
    • Pull Master Branch:
      master_MDL-20867

      Description

      LDAP Auth plug-in -> auth.php -> function loginpage_hook():

      Actual code in the NTLM SSO branch:

      // Now start the whole NTLM machinery.
      if (!empty($this->config->ntlmsso_ie_fastpath)) {
          // Shortcut for IE browsers: skip the attempt page at all
          if (check_browser_version('MSIE')) {
              $sesskey = sesskey();
              redirect($CFG->wwwroot.'/auth/ldap/ntlmsso_magic.php?sesskey='.$sesskey);
          } else {
              redirect($CFG->httpswwwroot.'/login/index.php?authldap_skipntlmsso=1');
          }
      } else {
          redirect($CFG->wwwroot.'/auth/ldap/ntlmsso_attempt.php');
      }

      If IE fast path is enabled, we lose the ability to connect to Moodle by SSO from Firefox or other browsers that support it. Is there a reason for that?
      If IE fast path is enabled and the active browser is not IE, we can force the configuration flag ntlmsso_ie_fastpath to false and then not skip NTLM SSO.

      Here is a piece of code showing what it could be:

      // Now start the whole NTLM machinery.
      if (!empty($this->config->ntlmsso_ie_fastpath)) {
          // Shortcut for IE browsers: skip the attempt page at all
          if (check_browser_version('MSIE')) {
              $sesskey = sesskey();
              redirect($CFG->wwwroot.'/auth/ldap/ntlmsso_magic.php?sesskey='.$sesskey);
          } else {
              // Not IE: drop the fast path and run the normal NTLM attempt instead of
              // sending the browser straight to the login form.
              $this->config->ntlmsso_ie_fastpath = 0;
              redirect($CFG->wwwroot.'/auth/ldap/ntlmsso_attempt.php');
          }
      } else {
          redirect($CFG->wwwroot.'/auth/ldap/ntlmsso_attempt.php');
      }

      Then, if the active browser doesn't support NTLM SSO, the authentication process goes on the normal way.

      What do you think about it?
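The three fast-path modes exercised in the testing instructions, together with the redirect decision discussed in the description, as an added example that is not Moodle's own code. The constant names, their numeric values and the is_ie_browser() helper are this example's assumptions; the page only shows the admin-UI labels and the three target scripts. The decision is written as a pure function so the full matrix of (mode, browser) outcomes can be checked offline without an LDAP server or a domain-joined client.

```php
<?php
// Added example (not Moodle code): a pure version of the redirect decision that
// loginpage_hook() makes, covering the three fast-path modes described in the
// testing instructions. Constant names/values and is_ie_browser() are assumed.

// Fast-path modes. Values are assumptions for this example.
const FASTPATH_ATTEMPT_ALL     = 0; // "Attempt NTLM with all browsers"
const FASTPATH_IE_ONLY_FORM    = 1; // "Yes, all other browsers use standard login form"
const FASTPATH_IE_ONLY_ATTEMPT = 2; // "Yes, attempt NTLM other browsers"

// Redirect targets, named after the scripts mentioned in the description.
const TARGET_MAGIC   = '/auth/ldap/ntlmsso_magic.php';             // silent NTLM (IE fast path)
const TARGET_ATTEMPT = '/auth/ldap/ntlmsso_attempt.php';           // "attempting NTLM" page
const TARGET_FORM    = '/login/index.php?authldap_skipntlmsso=1';  // plain login form

/**
 * Stand-in for check_browser_version('MSIE'): a minimal User-Agent test.
 * "Trident/" also catches IE 11, which dropped the "MSIE" token.
 */
function is_ie_browser(string $useragent): bool {
    return strpos($useragent, 'MSIE') !== false || strpos($useragent, 'Trident/') !== false;
}

/**
 * Decide where the login page should send this browser. Only the IE fast
 * path skips the attempt page. The attempt page itself is what falls back to
 * the form when the browser turns out not to speak NTLM, so an SSO-capable
 * non-IE browser such as Firefox is only locked out in the "form" mode.
 */
function ntlmsso_redirect_target(int $mode, string $useragent): string {
    if ($mode === FASTPATH_ATTEMPT_ALL) {
        return TARGET_ATTEMPT;
    }
    if (is_ie_browser($useragent)) {
        // Fast path: assumes every IE client in the allowed subnet is domain-joined.
        return TARGET_MAGIC;
    }
    return $mode === FASTPATH_IE_ONLY_ATTEMPT ? TARGET_ATTEMPT : TARGET_FORM;
}

// Constructed sample User-Agent strings (abbreviated, not real captures).
$ie      = 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)';
$firefox = 'Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0';
$chrome  = 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/30.0 Safari/537.36';

// Expected outcomes, one row per check in the testing instructions. In the
// "attempt" rows a non-NTLM browser still reaches the form, but only after the
// attempt page has tried NTLM and failed.
$expected = [
    [FASTPATH_IE_ONLY_FORM,    $ie,      TARGET_MAGIC],
    [FASTPATH_IE_ONLY_FORM,    $firefox, TARGET_FORM],
    [FASTPATH_IE_ONLY_FORM,    $chrome,  TARGET_FORM],
    [FASTPATH_IE_ONLY_ATTEMPT, $ie,      TARGET_MAGIC],
    [FASTPATH_IE_ONLY_ATTEMPT, $firefox, TARGET_ATTEMPT],
    [FASTPATH_IE_ONLY_ATTEMPT, $chrome,  TARGET_ATTEMPT],
    [FASTPATH_ATTEMPT_ALL,     $ie,      TARGET_ATTEMPT],
    [FASTPATH_ATTEMPT_ALL,     $firefox, TARGET_ATTEMPT],
    [FASTPATH_ATTEMPT_ALL,     $chrome,  TARGET_ATTEMPT],
];

foreach ($expected as [$mode, $ua, $want]) {
    $got = ntlmsso_redirect_target($mode, $ua);
    if ($got !== $want) {
        fwrite(STDERR, "mode $mode / $ua: got $got, want $want\n");
        exit(1);
    }
}
echo "all redirect decisions match the testing instructions\n";
```

Run it with `php` on the command line. The security point the matrix makes visible is that the fast path is the only route that trusts the client without a round trip: it hands an IE user agent straight to ntlmsso_magic.php on the strength of a subnet check plus a User-Agent string, both of which a client controls. Keeping the fast path restricted to IE and routing every other browser through the attempt page (rather than straight to the form) is what lets Firefox keep SSO without widening that trust.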


            People

            • Votes: 4
            • Watchers: 7

              Dates

              • Fix Release Date: 18/Nov/13