16 Replies Latest reply on Jun 30, 2009 9:40 AM by JR "Bob" Dobbs-qSBHQ2

    NTLM Authentication

    MacWiz1220

      Hello. How do I get ColdFusion 8 to use an Active Directory in Server 2003/8 (NTLM) to authenticate users? I want users to log in to the site using their domain information. The server runs Apache... Do I need IIS?

      Thanks!

        • 1. Re: NTLM Authentication
          ilssac Level 5

          IIS is the normal web server to use 'Windows Integrated Security'.  I have seen NTLM modules for Apache, but I have never used one.

          1 person found this helpful
          • 2. Re: NTLM Authentication
            MacWiz1220 Level 1

            OK. So if I reconfigure the web server to use IIS, how do I set up CF8 to use the AD for authentication? The AD is on a separate machine, but same network.... Do you have an example?

            Thanks a lot!

            • 3. Re: NTLM Authentication
              ilssac Level 5

              ColdFusion has little knowledge or care of the Active Directory server.

               

              This is all handled by the web server.  Once you have IIS set up using Windows Integrated Security, it takes care of all the work: it populates the cgi.AUTH_USER variable and passes everything to ColdFusion.  So the minimal CFML code is simply this.

              <!--- IIS fills cgi.AUTH_USER with DOMAIN\user once Integrated Security is on --->
              <cfoutput>
              #cgi.AUTH_USER#
              </cfoutput>

              <!--- strip the domain prefix and compare the bare user name --->
              <cfif listLast(cgi.AUTH_USER,'\') EQ "iskinner">
                 YOU ARE IAN SKINNER YOU CAN'T SEE THIS PAGE
                 <cfabort>
              </cfif>

              If you want to use more information from the active directory data store the <CFLDAP...> tag is the natural extension of this functionality.  The documentation has plenty of information on how to configure and use it.  With this tag, you can get user groups, check their password, find full name, phone numbers and whatever else you may be storing in your Active Directory tree.

              • 4. Re: NTLM Authentication
                MacWiz1220 Level 1

                Thank you! I will try this out once I configure IIS.

                 

                Once I have the user logged in, I can set access via <cfif> tags based on username/groups from <cfldap>, right?

                • 5. Re: NTLM Authentication
                  ilssac Level 5

                  You don't need <cfldap> for the username; that will already be provided by the web server.

                  But for groups or other data associated with that user account in Active Directory, yes, you would use <cfldap....>, which will return a record set of the specified data that you can then use in other decision and/or looping logic.
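Putting posts 3 and 5 together, here is an added example (not code from the thread) of the Integrated Security path: the page trusts cgi.AUTH_USER only when IIS actually filled it, then looks up the visitor's groups with cfldap through a read-only service account. ad.example.local, EXAMPLE\svc_ldapread, application.ldapReadPassword, DC=example,DC=local and the Site Admins group DN are placeholders you would replace with your own values.

```cfml
<!--- Added example, not from the thread: authorise a visitor that IIS has already
      authenticated by looking up his AD groups. Placeholders: ad.example.local, the
      EXAMPLE\svc_ldapread read-only account (its password assumed to be set in
      application.ldapReadPassword by Application.cfc), DC=example,DC=local, group DN. --->

<!--- cgi.AUTH_USER is trustworthy only when IIS has anonymous access disabled and
      Integrated Windows Authentication enabled; otherwise it is simply empty. --->
<cfif NOT len(trim(cgi.AUTH_USER))>
  <cfabort showerror="Not authenticated by the web server.">
</cfif>

<!--- IIS supplies DOMAIN\user; keep the bare account name and refuse anything that
      could change the meaning of the LDAP filter ( * ( ) \ NUL ). --->
<cfset userName = listLast(cgi.AUTH_USER, "\")>
<cfif NOT reFind("^[A-Za-z0-9._-]{1,64}$", userName)>
  <cfabort showerror="Unexpected user name format.">
</cfif>

<!--- Bind with a read-only service account (the visitor's password is never seen
      under Integrated Security) and fetch the visitor's group DNs. --->
<cfldap action="query"
        server="ad.example.local"
        name="userQry"
        start="DC=example,DC=local"
        scope="subtree"
        filter="(&(objectClass=user)(sAMAccountName=#userName#))"
        username="EXAMPLE\svc_ldapread"
        password="#application.ldapReadPassword#"
        attributes="sAMAccountName,memberOf"
        separator=";">

<!--- memberOf arrives as one string of group DNs; separator=";" keeps the commas
      inside each DN from splitting the list. --->
<cfset groups = reReplace(userQry.memberOf, ";\s+", ";", "all")>
<cfset adminGroupDN = "CN=Site Admins,OU=Groups,DC=example,DC=local">
<cfif userQry.recordCount NEQ 1 OR NOT listFindNoCase(groups, adminGroupDN, ";")>
  <cfabort showerror="You are not a member of Site Admins.">
</cfif>
<cfoutput>Welcome, #userName#. You are in Site Admins and may see this page.</cfoutput>
```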

                  • 6. Re: NTLM Authentication
                    MacWiz1220 Level 1

                    OK. Thanks... But how do I actually log in with a username and password? I have a simple login form with the input boxes I need, but how do I get that to authenticate into the AD and start a session?

                    • 7. Re: NTLM Authentication
                      ilssac Level 5

                      If you use Windows Integrated Security in IIS then you do not need the form.  The web server and the browser take care of all of this themselves.  With an IE browser on a Windows client it will happen automatically.  With other browsers, such as Firefox, they will usually display a dialog box to the user.  Some browsers do not support NTLM.

                      If you want to use your form, you do not need the Windows Integrated Security or NTLM.  You would just collect the username and password and pass those to the <cfldap...> tag.  If the correctly configured <cfldap...> tag returns a record set then the user name and password are correct; if it does not, then they are not correct.

                      <cfldap action="query"
                              server="{ActiveDirectoryServer}"
                              name="returnQry"
                              start="OU=HQ Users,OU=DPR Users,DC=inside,DC=cdpr,DC=ca,DC=gov"
                              filter="{filterString}"
                              username="{domain}\{username}"
                              password="{password}"
                              attributes="{attributes}">

                      <cfdump var="#returnQry#">
                      1 person found this helpful
                      • 8. Re: NTLM Authentication
                        MacWiz1220 Level 1

                        OK. So I guess I will use LDAP then to log in with a form, as I want a login page, not a dialog box. Do I still need IIS, or will Apache work?

                        Attached is what I have so far.... How do I get that to actually log in though? I'm not sure how to connect my login page to <cfldap> and work from there...

                        Thanks so much!

                        • 9. Re: NTLM Authentication
                          ilssac Level 5

                          Yeah, if you are not using IIS's Windows Integrated Security, then you probably do not need IIS.

                          Just be aware of the pitfalls of using a plain text form for security.  I.e., unless there is encryption at the TCP/IP level, those user names and passwords are going to be transferred across the network in plain text.  You will probably need to combine your login form with some SSL configuration on your web server.

                          • 10. Re: NTLM Authentication
                            MacWiz1220 Level 1

                            I was planning on using HTTPS with LDAP/S. I just need to figure out how to get that login form to use LDAP to authenticate... How would that be done? I'm not sure what code goes where...

                            • 11. Re: NTLM Authentication
                              ilssac Level 5

                              The parameters of the <cfldap..> tag are strings.

                              Those can be hand-coded string literal constants or they can be variables that contain strings.

                              Such as form scope variables.

                              It is a pretty straightforward process from there once you know the proper connection information for your Active Directory server.

                              • 12. Re: NTLM Authentication
                                MacWiz1220 Level 1

                                The <cfldap> tag isn't where I have the issue. I know how to get the information with the query.... but how do I combine <cfldap> with my login page to create an authentication mechanism? That is where I am stuck...

                                 

                                Thanks. :-)

                                • 13. Re: NTLM Authentication
                                  ilssac Level 5

                                  I cannot go much farther without me, or some other contractor, coming to your site and writing your code for you after interviewing your network administrator for the correct data.  The usual rate for that type of work is $100 US/hour plus travel expenses and up.

                                  <cfldap action="query"
                                          server="{name or IP of AD server}"
                                          name="returnQry"
                                          start="{starting branches of LDAP tree to search}"
                                          filter="{filterString}"
                                          username="{domain}\#FORM.USERNAME#"
                                          password="#FORM.PASSWORD#"
                                          attributes="{attributes}">

                                  <cfif returnQry.recordCount GTE 1>
                                    <!--- user has been authenticated against the active directory; do something about it. --->
                                  <cfelse>
                                    <!--- user has failed to authenticate against the active directory; do something about it. --->
                                  </cfif>

                                   

                                  The ColdFusion documentation has sample code very similar to what is being provided here.

                                  • 14. Re: NTLM Authentication
                                    MacWiz1220 Level 1

                                    Thanks. That is what I needed to connect the form to the <cfldap>.

                                            username="{domain}\#FORM.USERNAME#"
                                            password="#FORM.PASSWORD#"

                                    Thank you SO much!

                                     

                                    Now I just need to get that into a session... Thanks again.
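Taking the form-to-cfldap snippet from post 13 and the session question from post 14 together, here is an added, complete login.cfm (not code from the thread or from Adobe). It assumes session management is enabled, and ad.example.local, the EXAMPLE domain and DC=example,DC=local are placeholders for your own server, domain and search base. It also covers two things the recordCount check alone does not: an empty password, which LDAP treats as an unauthenticated bind that AD answers with success, and user names that could alter the search filter.

```cfml
<!--- login.cfm (added example, not from the thread). Placeholders: ad.example.local,
      the EXAMPLE domain, DC=example,DC=local. Needs session management enabled. --->
<cfapplication name="ldaplogin" sessionmanagement="true">
<cfparam name="form.username" default="">
<cfparam name="form.password" default="">
<cfset authenticated = false>
<cfif structKeyExists(form, "login")>
  <!--- Refuse an empty password: a simple bind with a name and no password is an
        "unauthenticated" bind that AD answers with success, so recordCount alone would
        let anyone in with a valid user name. Also reject user names containing
        characters that could alter the search filter ( * ( ) \ NUL ). --->
  <cfif len(trim(form.password)) AND reFind("^[A-Za-z0-9._-]{1,64}$", form.username)>
    <cftry>
      <cfldap action="query"
              server="ad.example.local"
              port="636"
              secure="CFSSL_BASIC"
              name="returnQry"
              start="DC=example,DC=local"
              scope="subtree"
              filter="(&(objectClass=user)(sAMAccountName=#form.username#))"
              username="EXAMPLE\#form.username#"
              password="#form.password#"
              attributes="sAMAccountName,memberOf"
              separator=";">
      <!--- Bad credentials make cfldap throw; reaching here means the bind worked. --->
      <cfif returnQry.recordCount EQ 1>
        <cfset authenticated = true>
      </cfif>
      <cfcatch type="any">
        <!--- Wrong password, locked account or server down all look the same to the
              visitor; never echo cfcatch.message. --->
        <cfset authenticated = false>
      </cfcatch>
    </cftry>
  </cfif>
</cfif>
<cfif authenticated>
  <!--- What later pages need for access decisions goes into the session. --->
  <cfset session.loggedIn = true>
  <cfset session.username = returnQry.sAMAccountName>
  <cfset session.groups = reReplace(returnQry.memberOf, ";\s+", ";", "all")>
  <cflocation url="index.cfm" addtoken="false">
</cfif>
<form method="post" action="login.cfm">
  <cfif structKeyExists(form, "login")><p>Login failed.</p></cfif>
  <input type="text" name="username"> <input type="password" name="password">
  <input type="submit" name="login" value="Log in">
</form>
```

Protected pages then only need to check session.loggedIn (and session.groups for group-based access) rather than talking to the directory again.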

                                    • 15. Re: NTLM Authentication
                                      TLC-IT Level 3

                                      NTLM security support is available under Apache.  "mod_ntlm" (or "mod_auth_ntlm") can be installed to do it.

                                       

                                      It is certainly true, however, that if you have IIS readily available (as you probably do), and if it will work just-as-well as Apache in your case, it does make good sense to "do as the Romans do."  An academic exercise, while interesting, is also unprofitable.

                                       

                                      In any case, this module (like mod_auth_ldap) can be used to secure the entire site "in one swell foop."  If the user manages to get into the site at all, he has passed authentication and his Windows credentials are known.  This is "the way to go" for intranets.

                                      • 16. Re: NTLM Authentication
                                        JR "Bob" Dobbs-qSBHQ2 Level 3

                                        I agree with " If the user manages to get into the site at all, he has passed authentication and his Windows credentials are known.  This is "the way to go" for intranets." as stated by TLC-IT.  If you decide to use Windows integrated authentication with IIS this Adobe technote may be useful to you.

                                         

                                        http://kb2.adobe.com/cps/185/tn_18516.html