NTLM/Integrated authentication?

[nutso]

Hi,

I've been evaluating HAP to see how well it would work for us and it looks pretty neat I've had a quick look but couldn't find any mention of being able to use IIS's Integrated Authentication. Is it possible to authenticate to HAP using that instead of the form somehow? The reason is that we're using a Microsoft TMG reverse proxy setup for access to various things on the network, and it would be nice to not need to log in more than once.

Thanks

[nickbro]

Previous Versions of HAP+ supported Basic Authentication (v6 and below) but v7 only supports using forms authentication. I am going to be looking at releasing another HAP.AD dll which will support Basic/NTLM auth in v8

[nutso]

Awesome, thanks!

[TheScarfedOne]

Previous Versions of HAP+ supported Basic Authentication (v6 and below) but v7 only supports using forms authentication. I am going to be looking at releasing another HAP.AD dll which will support Basic/NTLM auth in v8

+1 as a feature request for that for me too!

[nickbro]

Right, I think I've managed to get something in HAP+ now so it will support Basic Authentication again, needs to be basic for impersonation to work, if you are not using the my files sections you can use NTLM.

How does this sound?

This setting will be enabled by tweaking the web.config file and adding an extra line to hapConfig.xml.

This setting will not be configurable via the config page!

Set the AuthMode="Windows" of the AD attribute in the hapConfig.xml file will tell HAP+ to switch it's internals for Windows Authentication instead of Forms.

I'll hopefully get a test setup for this tomorrow to see if it works at all, and see what web.config exceptions I'll need to add in to make it work.

[CHiLL]

I've changed AuthMode="Forms" to AuthMode="Windows" in web.config.xml, but I get "Access is Denied".

What do I have to add into hap.config.xml?

[nickbro]

@CHiLL, this isn't released yet, it's a v7.8 task, I've got a lot of web.config changes to make to get this working

[CHiLL]

Ok.

[nutso]

It's a shame about the My Files not working because that's one of the best features, but I think TMG supports basic authentication so it might not be an issue for us. Only one way to find out Thanks for your work on this!

[nickbro]

Good news everybody! NTLM & Basic Authentication Models will be supported in v7.7 due for release during the weekend

Note: NTLM does not support Impersonation correctly, and wont give correct information for the My Files section.

The settings are just as detailed above, I've managed to get it working without editing the web.config file (except via IIS).

Steps to enable Windows Authentication:

1. Remote onto your Server
2. Load IIS Manager
3. Select the Application
4. Under Authentication, disable Forms Authentication and enable Windows/Basic (For Basic also put the default domain/default realm info in), leave anonymous auth on though
5. Open ~/app_data/hapConfig.xml in notepad
6. Add AuthMode="Windows" to the <AD> node

If you are using IIS6, you will need to edit the web.config file:

Replace mode="Forms" with mode="Windows" on line 24:

HTML Code:

 <authentication mode="Forms">
   <forms loginUrl="~/login.aspx" defaultUrl="~/" />
  </authentication>

to

HTML Code:

 <authentication mode="Windows">
   <forms loginUrl="~/login.aspx" defaultUrl="~/" />
  </authentication>

[TheScarfedOne]

Great news Nick. This is what I like to see. Any idea why the DLLs do not like reading my AD structure? Will the change in auth methods here maybe make a difference? Im able to do some testing for you if you need. Running 7.x side by side with the original 6.5 version....

[nickbro]

Nope none, only thing I can suggest is trying one of the latest DLL's that I've posted here: Basic Help Needed! and checking the HAP+ Event Viewer Log file

[CHiLL]

Code:

<AD>
    <OUs>
    </OUs>
    <AuthMode="Windows" />
  </AD>

Is it supposed to look like that in hapconfig.xml?

And then in Authentication in IIS, it should appear as:

Code:

Anonymous: Enabled
ASP.NET Impersonation: Disabled
Basic Authentication: Disabled
Digest Authentication: Disabled
Forms Authentication: Disabled
Windows Authentication: Enabled

And that should allow a user to be automatically logged in, without having to enter credentials, providing they're logged onto a computer with valid AD credentials?

That setup isn't working for me.

[nickbro]

Steps to enable Windows Authentication:

1. Remote onto your Server
2. Load IIS Manager
3. Select the Application
4. Under Authentication, disable Forms Authentication and enable Windows/Basic (For Basic also put the default domain/default realm info in), leave anonymous auth on though
5. Open ~/app_data/hapConfig.xml in notepad
6. Add AuthMode="Windows" to the <AD> node

This should now read:

HTML Code:

...  
<AD username="administrator" password="" upn="" studentsgroup="" AuthMode="Windows">
...

[CHiLL]

Right, I saw that, but didn't know exactly where to put it in that node.

That's working now, thanks.

I'm now downplaying this booking system for now, as it doesn't need to be implemented live until August 2012 for the next academic year.