NTLM-based Single Sign-On doesn't work - RT continues to present login screen

Hi,

I have a working instance of RT 3.8.7 running under Apache 2.2.3 on RHEL 5.4. The instance has been set up to authenticate users against Active Directory via RT::Authen::ExternalAuth & LDAP. The LDAP authentication works fine (i.e. users log in with their AD credentials, and new users get created in RT when ticket requests come in via e-mail.)

Now I need to implement Single Sign-On, so that the users at MSWin workstations could simply browse to the RT interface without having to type in their username/password again. To do this I’ve followed the instructions outlined at The holy grail: Single Signon RT and at NtlmAuthentication - Request Tracker Wiki. I’ve also searched around the RT mailing list archives but couldn’t find anything that described the problem I’m having.

The problem is that RT still presents the login screen when you go to its URL for the first time.

My main questions are:

  •   Can NTLM & RT::Authen::ExternalAuth co-exist?
    
  •   Is there a way to get debugging output from mod_ntlm?
    
  •   Are there any additional pointers or advice regarding single sign-on with RT?
    

Besides this, any input on the issue would be highly appreciated.

P.S. Here's what has been done so far, in a nutshell:

  •   Compiled and installed mod_ntlm
    
  •   Installed User_Local.pm and MailFrom_Local.pm from http://www2.usit.uio.no/it/rt/modifications/
    
  •   Installed Web_Local.pm from http://blank.org/memory/work/Web_Local.pm
    
  •   Included this snippet in RT_SiteConfig.pm:
    

    Set($WebExternalAuth , '1');
    Set($WebFallbackToInternalAuth, '1');
    Set($WebExternalGecos , undef);
    Set($WebExternalAuto , '1');

    Set($LDAPExternalAuth , '1'); # Enable LDAP auth
    Set($LdapServer , 'mycompanys.ldap.server.com');
    Set($LdapCAFile , undef);
    Set($LdapUser , '');
    Set($LdapPass , '');
    Set($LdapAuthStartTLS , '0'); # Need to use TLS or ldaps to check passwords
    Set($LdapAuthBase , 'dc=my,dc=company,dc=com');
    Set($LdapAuthUidAttr , 'sAMAccountName');
    Set($LdapAuthFilter , '(objectClass=user)');
    Set($LdapMailBase , 'dc=my,dc=companymail,dc=com');
    Set($LdapMailFilter , '(objectClass=user)');
    Set($LdapMailScope , 'sub');
    Set($LdapMailSearchAttr, 'mail');
    %RT::LdapMailResultMap = (
        'sAMAccountName' => 'Name',
        'mail' => 'EmailAddress',
        'cn' => 'RealName',
    );

  •   Included this in RT's virtual server section of httpd.conf:
    

    PerlModule Apache2::compat
    PerlModule Apache::DBI

    PerlRequire /opt/rt3/bin/webmux.pl

    <Directory /opt/rt3/share/html>
        Order allow,deny
        Allow from all

        SetHandler perl-script
        PerlResponseHandler RT::Mason

        AuthName "Request Tracker"
        AuthType NTLM
        NTLMAuth on
        NTLMAuthoritative on
        NTLMDomain MYCOMPANYS_AD_DOMAIN
        NTLMServer my_companys_dc1
        NTLMBackup my_companys_dc2
    </Directory>
    
  •   Restarted Apache
    
  •   Added our RT URL to IE's "trusted sites" list
    

Again, thanks in advance,
Sergey

Sergey Gladkovich | UNIX Systems Engineer | (w) 201-743 -4293 | (m) 646-291-7123
Arch Insurance Group Inc.
300 - Plaza Three - 3rd Floor
Jersey City NJ 07311
Tel: 201-743-4000, Fax: 201-743-4005

> Hi,
>
> I have a working instance of RT 3.8.7 running under Apache 2.2.3 on RHEL
> 5.4. The instance has been set up to authenticate users against Active
> Directory via RT::Authen::ExternalAuth & LDAP. The LDAP authentication
> works fine (i.e. users log in with their AD credentials, and new users get
> created in RT when ticket requests come in via e-mail.)
>
> Now I need to implement Single Sign-On, so that the users at MSWin
> workstations could simply browse to the RT interface without having to type
> in their username/password again. To do this I’ve followed the instructions
> outlined at The holy grail: Single Signon RT and at
> NtlmAuthentication - Request Tracker Wiki. I’ve also searched
> around the RT mailing list archives but couldn’t find anything that
> described the problem I’m having.
>
> The problem is that RT still presents the login screen when you go to its
> URL for the first time.
>
> My main questions are:

> Can NTLM & RT::Authen::ExternalAuth co-exist?

No, in terms of auth. As you use mod_ntlm and digest/basic HTTP auth,
in RT you should enable WebExternalAuth to avoid the login screen and
enable “trust apache auth”. The ExternalAuth extension also fetches info
about users from LDAP and puts it into RT’s DB. I’m not sure if this
extension can still do info fetching with WebExternalAuth enabled.

> Is there a way to get debugging output from mod_ntlm?

Read mod_ntlm docs.

> Are there any additional pointers or advice regarding single sign-on with
> RT?

In most cases single sign-on solutions are implemented as mod_xxxx for
Apache, so Apache does the auth and passes the username in an environment
variable into RT. WebExternalAuth is the option to tell RT to trust the
environment.

> Besides this, any input on the issue would be highly appreciated.
>
> P.S. Here's what has been done so far, in a nutshell:

Best regards, Ruslan.
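
An added diagnostic example, not part of the original thread and not RT or mod_ntlm code: the reply above says Apache does the auth and hands the username to RT, so the first thing to establish is whether Apache challenges an unauthenticated request at all. The sketch classifies that first response; the function names, the sample responses and the login-form marker string are constructed assumptions.

```python
"""Classify the first (unauthenticated) HTTP response from an RT site behind mod_ntlm."""

def parse_head(raw):
    """Split a raw HTTP response into (status_code, {header: [values]}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body

def classify(raw, login_marker='name="pass"'):
    """Return a short diagnosis for the response.

    login_marker is an assumed substring of the RT login form; adjust it
    to whatever the local login page actually contains.
    """
    status, headers, body = parse_head(raw)
    schemes = [v.split()[0].upper() for v in headers.get("www-authenticate", []) if v]
    if status == 401 and "NTLM" in schemes:
        return "ntlm-challenge"         # Apache is asking the browser to authenticate
    if status == 401:
        return "other-challenge"        # auth is enforced, but not via NTLM
    if status == 200 and login_marker in body:
        return "no-challenge-rt-login"  # request reached RT with no authenticated user
    return "unknown"

# Constructed sample responses (not captured from a real server).
CHALLENGED = ("HTTP/1.1 401 Authorization Required\r\n"
              "WWW-Authenticate: NTLM\r\n"
              "Content-Type: text/html\r\n\r\n")
NOT_CHALLENGED = ("HTTP/1.1 200 OK\r\n"
                  "Content-Type: text/html\r\n\r\n"
                  '<form><input name="user"><input type="password" name="pass"></form>')

if __name__ == "__main__":
    for label, raw in (("challenged", CHALLENGED), ("not challenged", NOT_CHALLENGED)):
        print(label, "->", classify(raw))
```

A `no-challenge-rt-login` result means no authenticated username reaches RT, so with `$WebFallbackToInternalAuth` set RT shows its own login form; in that case the Apache auth configuration is the place to look, not RT.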