Checking Windows machines domain membership #9
Comments
So, if I understand this correctly, you want to suppress the sending of the HTTP/401 response if the client is not a member of your Active Directory domain?
My main concern with this patch is that 1) we shouldn't allow our IdPs to perform a
This also scares the shit out of me, but who am I 🤣 You shouldn't be mixing trusted and untrusted devices on the same network if you ask me. While I appreciate your contribution, I am a bit reluctant to merge this.. There must be a better/smarter way to get to the same result
If they're a Windows machine. That stops IE getting the NTLM pop ups appearing. Doesn't matter about non-Windows machines as they don't try to do NTLM.
Jon
Hi Jon! I just came across this issue again.. Do you have any control over the various machines that visit your network? Windows machines will only try NTLM (and show the popup) if the site that your IdP is hosted on is in the 'trusted intranet-sites' zone.. Isn't that something you can work with? Any machine that doesn't have the IdP in the trusted zone will automatically go to the fallback authentication source. In normal circumstances this would do NTLM auth for your organizationally owned devices and use the fallback for BYOD-devices?
Unfortunately we only control the IdP, not the Windows client machines. :-(
Jon
Would it work if you did
One other solution I'm thinking about is to leverage the LDAP-module and query the domain controller to find a computer-object where
I noticed in the documentation a mention of the issue with Windows machines popping up NTLM authentication boxes, which rather negates the point of the Negotiate module. We hit this some years ago with an earlier version of simpleSAMLphp, and we couldn't just limit it by subnet as our users use a mix of organisationally owned domain-bound machines and their own devices when on site.
I wrote a little workaround that uses an extra, optional string in the negotiate module configuration in authsources.php called checkDomain. This is the AD domain name that the machine should be in. I then added an extra routine to the src/Auth/Source/Negotiate.php code to check this, with a call just after the subnet mask checks. It uses /usr/bin/nmblookup to search for the Windows machine, and ignores browsers that don't include "Windows NT" in their user agent string (so Linux boxes, Macs, etc). In case it is of use, here's a diff of the changes against a recent version of the negotiate module:
We've been using this in production on SSP 1.x IdP servers for many years now, and I've just ported it ready for use to move to SSP 2.x.
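The check Jon describes, as an added PHP sketch that is neither the project's code nor his diff (which is not reproduced on this page); the function names and the sample nmblookup output are mine, and it assumes nmblookup lives at /usr/bin/nmblookup and that the caller passes the client's request IP.

```php
<?php
// Added example, not simplesamlphp-module-negotiate code. Mirrors the issue's
// workaround: a browser that does not announce "Windows NT" is left alone
// (the domain check does not apply), a Windows browser only gets the 401
// Negotiate challenge when the NetBIOS workgroup reported for its IP by
// `nmblookup -A` matches the configured checkDomain value.
declare(strict_types=1);

/** Extract the workgroup/domain from `nmblookup -A <ip>` status output, or null. */
function netbiosGroupFromOutput(string $output): ?string
{
    // nmblookup prints one line per registered name, e.g.
    //   "\tEXAMPLE         <00> - <GROUP> B <ACTIVE>"
    // The <00> entry flagged <GROUP> is the workgroup/domain name.
    if (preg_match('/^\s*(\S+)\s+<00>\s+-\s+<GROUP>/m', $output, $m) === 1) {
        return strtoupper($m[1]);
    }
    return null;
}

/** Query the client by IP; the IP is validated before it touches a shell. */
function netbiosGroupForIp(string $ip): ?string
{
    // NetBIOS name service is IPv4-only; strict validation also rejects
    // anything that is not a bare dotted quad (no shell metacharacters).
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    $out = shell_exec('/usr/bin/nmblookup -A ' . escapeshellarg($ip) . ' 2>/dev/null');
    return is_string($out) ? netbiosGroupFromOutput($out) : null;
}

/** True when the Negotiate challenge may be sent to this client. */
function passesDomainCheck(string $userAgent, ?string $netbiosGroup, string $checkDomain): bool
{
    if (strpos($userAgent, 'Windows NT') === false) {
        return true; // non-Windows browsers don't pop up NTLM; check not applicable
    }
    return $netbiosGroup !== null && strcasecmp($netbiosGroup, $checkDomain) === 0;
}

// Constructed sample of nmblookup output (hypothetical host, not a real capture).
$sample = "Looking up status of 192.0.2.10\n"
        . "\tPC0001          <00> -         B <ACTIVE>\n"
        . "\tPC0001          <20> -         B <ACTIVE>\n"
        . "\tEXAMPLE         <00> - <GROUP> B <ACTIVE>\n"
        . "\tEXAMPLE         <1e> - <GROUP> B <ACTIVE>\n";
$winUa = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36';
var_dump(passesDomainCheck($winUa, netbiosGroupFromOutput($sample), 'EXAMPLE'));
var_dump(passesDomainCheck($winUa, null, 'EXAMPLE'));
var_dump(passesDomainCheck('Mozilla/5.0 (X11; Linux x86_64)', null, 'EXAMPLE'));
```

NetBIOS status replies are unauthenticated and any host that answers UDP/137 can report whatever group name it likes, so this only decides whether to offer the challenge and is not an access control. It also requires the IdP to reach UDP/137 on the client, which is why the check should be confined to the subnets already allowed by the module's subnet configuration.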