Moodle SSO - tearing my hair out!

[jgcracknell]

Setup IIS 7.5 MSSQL Server 2008r2 and Windows Server 2008r2 PHP 5.3.5

Moodle v2 - Setup LDAP without issue and authentication is working. Setup NTLM SSO as per instructions and done the tinkering as per the instructions as well for IIS 7.5

I just can't get SSO to work - It tries to authenticate using SSO according to the IIS logs but it says that the user is unknown! If I just use Windows Authentication on a normal HTML page on the same website then it works! Yet for SSO failure!

I am now stuck on what the issue could be...PHP? AD? - does the IIS user have to be in certain usergroups? It just doesn't want to play ball.

[siuko]

Do the logs show what username it is seeing?

I know when I was trying to get sso and moodle working on ubuntu I had to edit a file to read the username differently.

As an example... the computers where authenticating with domain\username and I had to get it to strip the domain\ from the authentication (or it was the other way round...)

If you can check the logs for this info it might show which its picking up... domain\username or username

[jgcracknell]

Hi

I've tried altering auth.php and have had no luck.

It seems Firefox is pulling back sck (my userid) but everything else is not working. Even firefox doesn't work when I use just userid or domain\userid

J.

logs from IIS

2011-04-14 16:57:15 10.103.130.3 GET / - 80 sck 10.103.130.3 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:2.0)+Gecko/20100101+Firefox/4.0 303 0 0 96
2011-04-14 16:57:15 10.103.130.3 GET /login/index.php - 80 sck 10.103.130.3 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:2.0)+Gecko/20100101+Firefox/4.0 303 0 0 98
2011-04-14 16:57:15 10.103.130.3 GET /auth/ldap/ntlmsso_attempt.php - 80 sck 10.103.130.3 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:2.0)+Gecko/20100101+Firefox/4.0 200 0 0 158
2011-04-14 16:57:15 10.103.130.3 GET /auth/ldap/ntlmsso_magic.php sesskey=ZUmEqDV1Ix 80 - 10.103.130.3 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:2.0)+Gecko/20100101+Firefox/4.0 401 2 5 1
2011-04-14 16:57:15 10.103.130.3 GET /auth/ldap/ntlmsso_magic.php sesskey=ZUmEqDV1Ix 80 - 10.103.130.3 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:2.0)+Gecko/20100101+Firefox/4.0 401 2 5 1
2011-04-14 16:57:19 10.103.130.3 GET /auth/ldap/ntlmsso_finish.php - 80 sck 10.103.130.3 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:2.0)+Gecko/20100101+Firefox/4.0 200 0 0 151


011-04-14 17:06:43 10.103.130.3 GET / - 80 - 10.103.130.3 WWW-Mechanize/1.0.0+(RubyForge: WWW::Mechanize: Project Info) 200 0 0 1945
2011-04-14 17:06:49 10.103.130.3 GET / - 80 - 10.103.130.3 WWW-Mechanize/1.0.0+(RubyForge: WWW::Mechanize: Project Info) 303 0 0 2563
2011-04-14 17:06:49 10.103.130.3 GET /login/index.php - 80 - 10.103.130.3 WWW-Mechanize/1.0.0+(RubyForge: WWW::Mechanize: Project Info) 303 0 0 307
2011-04-14 17:06:49 10.103.130.3 GET /auth/ldap/ntlmsso_attempt.php - 80 - 10.103.130.3 WWW-Mechanize/1.0.0+(RubyForge: WWW::Mechanize: Project Info) 200 0 0 225

These look odd....

It looks like NTLM is either not returning the userid or stripping out everything.....

[InterwebsGuy]

I take it you have NTLM enabled in Firefox? If I remember correctly, once upon a time you had to enable it in about:config. Having said that I haven't attempted NTLM in an app in a long time.

[Cools]

only ever got sso to work with IE..
and that was with IIS and on Nix ..

[jgcracknell]

I am getting IIS with a 401.1 error and no sign of authentication in the IIS logs - just tried it on a new website tonight on the same server. So something is being denied somewhere. Even put myself into the local domain policy so I can log on locally......running out of ideas.....

[anatai]

If you're using Firefox with NTLM you have to specify the URI of your Moodle. There's a step-by-step guide here: sivel.net/2007/05/firefox-ntlm-sso - it's still applicable for Firefox 4. It works perfectly for SSO in our school. This might not solve the problem you're having but is definitely something to check!