windows 在 mod_auth_sspi_1.0.4-2.2.2 中禁用登录提示
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/8394148/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Disable Login Prompts in mod_auth_sspi_1.0.4-2.2.2
提问by Kris Craig
What I'm trying to do:
我正在尝试做的事情:
Create a home page on our company's intranet that automatically grabs the logged-in Windows username of the person viewing the page withoutthe person being prompted to enter these credentials when the page loads.
Currently, I just want it to grab the local username, since it'll be awhile before our IT guys get a domain setup. For example, right now I'd want it to capture the "(PC-Name)\windows.user.name" without any prompts.
在我们公司的 Intranet 上创建一个主页,该主页会自动获取查看该页面的人的登录 Windows 用户名,而不会在页面加载时提示该人输入这些凭据。
目前,我只希望它获取本地用户名,因为在我们的 IT 人员获得域设置之前还需要一段时间。例如,现在我希望它在没有任何提示的情况下捕获“(PC-Name)\windows.user.name”。
Environment:
环境:
Apache 2.2.21 on Windows 7 x64 (will be on CentOS once it's in production).
PHP 5.3.8 (VC9-ZTS).
Internet Explorer 9.0.8x and Firefox 6.0.2 (will worry about Chrome later).
Current test page is just a PHP script calling print_r( $_SERVER ).
To keep things simple, the directory I'm testing this on is not a VirtualHost.
Windows 7 x64 上的 Apache 2.2.21(一旦投入生产,将在 CentOS 上)。
PHP 5.3.8 (VC9-ZTS)。
Internet Explorer 9.0.8x 和 Firefox 6.0.2(稍后会担心 Chrome)。
当前的测试页只是一个调用 print_r( $_SERVER ) 的 PHP 脚本。
为简单起见,我正在测试的目录不是 VirtualHost。
Steps I've taken thus far:
到目前为止我采取的步骤:
Downloaded mod_sspi_1.0.4-2.2.2 from SourceForge and extracted mod_auth_sspi.so to the Apache modules directory.
Added the module declaration:
LoadModule sspi_auth_module modules/mod_auth_sspi.so
Added the directory definition:
AllowOverride None Options None Order allow,deny Allow from all
AuthName "My Intranet" AuthType SSPI SSPIAuth On SSPIAuthoritative Off require valid-userEnabled Integrated Authentication in Firefox by going to about:config and setting network.automatic-ntlm-auth.trusted-uris to the absolute URL path of the PHP script then restarted Firefox.
I haven't done the equivalent step in IE yet but I will once I get Firefox working as that's our primary supported browser internally.
Restarted Apache and attempted to load the test PHP script.
从 SourceForge 下载 mod_sspi_1.0.4-2.2.2 并将 mod_auth_sspi.so 解压到 Apache 模块目录。
添加了模块声明:
LoadModule sspi_auth_module modules/mod_auth_sspi.so
添加目录定义:
AllowOverride None 选项 None Order allow,deny Allow from all
AuthName "My Intranet" AuthType SSPI SSPIAuth On SSPIAuthoritative Off require valid-user通过转到 about:config 并将 network.automatic-ntlm-auth.trusted-uris 设置为 PHP 脚本的绝对 URL 路径,在 Firefox 中启用集成身份验证,然后重新启动 Firefox。
我还没有在 IE 中完成相同的步骤,但是一旦我让 Firefox 工作,我就会这样做,因为这是我们内部支持的主要浏览器。
重新启动 Apache 并尝试加载测试 PHP 脚本。
The result:
结果:
- In both IE and Firefox, I get prompted for a username and password before the page loads. I don't want that prompt. I want the username to be detected automatically without a prompt.
- 在 IE 和 Firefox 中,我会在页面加载之前提示输入用户名和密码。我不想要那个提示。我希望在没有提示的情况下自动检测用户名。
Troubleshooting thus far:
到目前为止的故障排除:
I've tried cycling through the various SSPI options, such as authritative on/off and whatnot. No effect.
Prompt no longer appears if I remove "require valid-user", but then the username is not passed, either (it isn't NULL; simply not set in the array period).
If I hit "Cancel" on the prompt, I get the standard "Authentication Required" page.
If I enter an invalid username, or the correct username but with the wrong password, the page will load but the username will be "(PC-Name)\Guest".
If I enter the correct username/password, then the username is displayed instead of Guest.
Once I enter a username/password in IE or Firefox, the browser remembers that username on subsequent page loads until I clear the stored passwords cache or restart the browser.
I've spent the last 3 or so hours Googling and random guessing. Zero success. I've found a few isolated forum posts of people asking this question, but either they went unanswered or offered solutions that I've already tried without success.
我试过循环使用各种 SSPI 选项,例如授权开/关等等。没有效果。
如果我删除“需要有效用户”,则不再出现提示,但随后也不会传递用户名(它不是 NULL;只是未在数组期间设置)。
如果我在提示中点击“取消”,我会看到标准的“需要身份验证”页面。
如果我输入了无效的用户名,或者输入了正确的用户名但密码错误,页面将加载但用户名将是“(PC-Name)\Guest”。
如果我输入正确的用户名/密码,则会显示用户名而不是 Guest。
一旦我在 IE 或 Firefox 中输入用户名/密码,浏览器就会记住后续页面加载的用户名,直到我清除存储的密码缓存或重新启动浏览器。
我花了大约 3 个小时在谷歌上搜索和随机猜测。零成功。我发现了一些孤立的论坛帖子,有人问这个问题,但要么没有得到答复,要么提供了我已经尝试过但没有成功的解决方案。
Again, what I want is for the page to load, WITHOUT any prompting, and display the currently logged-on Windows username in the $_SERVER array output.
同样,我想要的是在没有任何提示的情况下加载页面,并在 $_SERVER 数组输出中显示当前登录的 Windows 用户名。
As far as I can fathom, this is either: A Windows configuration issue, an Apache configuration issue, or a browser configuration issue. Other than that, I'm fresh out of ideas.
据我所知,这可能是:Windows 配置问题、Apache 配置问题或浏览器配置问题。除此之外,我的想法很新鲜。
I would be very grateful for any help you can offer. Thanks!
如果您能提供任何帮助,我将不胜感激。谢谢!
--Kris
——克里斯
采纳答案by Kris Craig
Took a couple days, but I eventually figured it out on my own. Apparently, the various documents and tutorials out there describing the Firefox about:config setting are wrong. They claim that the full URI, including protocol prefix, must be included. As it turns out, the exact opposite is true.
花了几天时间,但我最终自己弄明白了。显然,描述 Firefox about:config 设置的各种文档和教程是错误的。他们声称必须包含完整的 URI,包括协议前缀。事实证明,情况恰恰相反。
As a random shot in the dark, I tried setting it to just "localhost" (the domain the test server's running on). And voila! That fixed it! "http://localhost", on the other hand, caused it to break.
作为在黑暗中的随机镜头,我尝试将其设置为“localhost”(运行测试服务器的域)。瞧!那就修好了!另一方面,“http://localhost”导致它中断。
Once I got it working in Firefox, having verified that the server-side configuration was correct, applying it to IE and Chrome was a cinch. For IE, I just added "http://localhost" (in this case, you do want the protocol prefix) to the "Intranet" zone. And since Chrome makes use of the same network settings that IE uses, that step got it working for both browsers.
一旦我在 Firefox 中使用它,在验证服务器端配置正确后,将它应用到 IE 和 Chrome 是轻而易举的。对于 IE,我只是将“http://localhost”(在本例中,您确实需要协议前缀)添加到“Intranet”区域。由于 Chrome 使用与 IE 相同的网络设置,因此该步骤使其适用于两种浏览器。
As far as server-side config goes, it looks like I had that right from the beginning. I was able to simplify it a bit, though, so really all you need in the directory block is this:
就服务器端配置而言,看起来我从一开始就是正确的。不过,我能够稍微简化它,所以在目录块中你真正需要的是:
AuthName "Whatever you want to call your intranet"
AuthType SSPI
SSPIAuth On
require valid-user
With this setup, if you point to a PHP script doing a print_r( $_SERVER ), the output will contain something like this:
使用此设置,如果您指向执行 print_r( $_SERVER ) 的 PHP 脚本,输出将包含如下内容:
[REMOTE_USER] => dev-kdc-pc01\kris.craig
[AUTH_TYPE] => NTLM
[PHP_AUTH_USER] => dev-kdc-pc01\kris.craig
If you want to get rid of the domain part (i.e. the "dev-kdc-pc01\"), you can either parse it out in PHP or add this line to your SSPI stuff in the directory block in httpd.conf mentioned above:
如果您想摆脱域部分(即“dev-kdc-pc01\”),您可以在 PHP 中解析它或将此行添加到上述 httpd.conf 目录块中的 SSPI 内容中:
SSPIOmitDomain On
Please note that I've only tested this on a Windows system where the Apache webserver was running on localhost. I have not yet tested it in a situation where the Apache server is running on Linux, though that shouldn't have any impact on the results since the server is just accepting whatever the browser sends it. This also requires that the client be running Windows or some other SSPI-compatible environment. I haven't yet determined how to make this work for our Mac-using employees.
请注意,我仅在 Apache 网络服务器在本地主机上运行的 Windows 系统上对此进行了测试。我还没有在 Apache 服务器在 Linux 上运行的情况下对其进行测试,但这应该不会对结果产生任何影响,因为服务器只是接受浏览器发送的任何内容。这还要求客户端运行 Windows 或其他一些与 SSPI 兼容的环境。我还没有确定如何为我们使用 Mac 的员工提供这项服务。
Also note that I've successfully tested this on a network that does notcurrently have a domain configured. According to articles published elsewhere, the behavior should be identical on a workstation that is a member of a domain.
另请注意,我已在当前未配置域的网络上成功测试了这一点。根据其他地方发表的文章,作为域成员的工作站上的行为应该是相同的。
I hope this helps! Thanks!
我希望这有帮助!谢谢!
回答by ehime
This might be a partial answer.
这可能是部分答案。
BOOL WINAPI GetUserName(
__out LPTSTR lpBuffer,
__inout LPDWORD lpnSize
);
http://msdn.microsoft.com/en-us/library/windows/desktop/ms724432%28v=vs.85%29.aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/ms724432%28v=vs.85%29.aspx
It looks like you can fetch system information using this, the other half might be automating it using PERL or Python to scrape the information, then post it to PHP.
看起来您可以使用它获取系统信息,另一半可能会使用 PERL 或 Python 自动抓取信息,然后将其发布到 PHP。
Here's the outline on fetching SysInfo in Windows.
这是在 Windows 中获取 SysInfo 的概述。
http://msdn.microsoft.com/en-us/library/windows/desktop/ms724426%28v=vs.85%29.aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/ms724426%28v=vs.85%29.aspx
Honestly this is a pretty easy thing to do with PECL/PAM if you are using Linux.
老实说,如果您使用的是 Linux,这对于 PECL/PAM 来说是一件非常容易的事情。
