[support] Drupal + IIS + windows

Metzler, David metzlerd at evergreen.edu
Fri Jan 30 16:49:34 UTC 2009


I get it.  It might help to understand a bit about what the CAS module does.  
 
The CAS module is a single sign on module that does automatically log people in but only after checking with a centralized authentication server to verify that they've logged in elsewhere.  The idea behind the cas server is that it's a centralized place to login, and we don't want to expose the usernames and passwords to drupal.  Rather if the user needs to log in, we redirect the client to another location for login, and then when they come back do a quick check to make sure that they have authenticated.  If they have, establish a drupal user session. 
 
In our environment, we actually use this to authenticate against our MS Active Directory, but drupal never sees the user name and password. That's handled by the CAS server which does Kerberos auth against active directory.  You do have to specify your username and password, but that's authed by the CAS server against our active directory. 
 
Here's what the CAS module does: 
1.  At the beginning of the page load check to see if there's already a drupal session?  If so no need to interfere. 
2.  Since we're not logged in, check and see if we "need to be", it may be ok to display a drupal page as anonymous user (this is reg expression based on the path), but if we need to be authenticated. 
3.  If we need to be and we haven't logged in use the phpCAS library to ask the centralized server what user we're logged in as.  The phpCAS client does this via a curl request to the CAS server.   This is the part I think you can replace with a simple environment variable check. 
4.  Given the username try and load the drupal user. If the user exists then great we have a session established. 
5.  If the user doesn't exist, and the cas module is configured to automatically create accounts, create a local drupal account and establish a session as that user. 
 
There are some tricks of course, and the module exposes some configuration options, not all of which are relevant, but this is darn close to what you need. If you have any specific questions, don't hesitate to contact me off list. 
 
Dave
metzlerd at evergreen.edu
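
Added example, not part of the original message and not CAS module code: a PHP sketch of the five steps above, with step 3 replaced by a check of the variables IIS sets after Windows authentication. The function names, the `$cfg` keys and the in-memory `$users` array are hypothetical stand-ins for Drupal's session and user storage, and dropping the domain prefix assumes a single trusted domain.

```php
<?php
// Added example; names, $cfg keys and $users are hypothetical stand-ins
// for Drupal's session and user storage. Not CAS module code.

// Step 3 replacement: the account IIS authenticated. Only variables set by
// the server are read; HTTP_* entries are request headers and spoofable.
function iis_authenticated_user(array $server) {
  $type = isset($server['AUTH_TYPE']) ? strtolower($server['AUTH_TYPE']) : '';
  if (!in_array($type, array('ntlm', 'negotiate', 'kerberos'), TRUE)) {
    return NULL; // anonymous access or a non-Windows auth scheme
  }
  $raw = isset($server['AUTH_USER']) ? trim($server['AUTH_USER']) : '';
  // Accept DOMAIN\user or user@realm; keep the account name only
  // (assumes a single trusted domain).
  if (!preg_match('/^(?:[\w.-]+\\\\)?([\w.-]+)(?:@[\w.-]+)?$/', $raw, $m)) {
    return NULL;
  }
  return strtolower($m[1]);
}

// Steps 1, 2, 4 and 5 of the flow, returning array(action, username).
function resolve_session(array $server, $path, $session_user, array &$users, array $cfg) {
  if ($session_user !== NULL) {
    return array('existing', $session_user);   // 1. session already present
  }
  if (!preg_match($cfg['require_auth_pattern'], $path)) {
    return array('anonymous', NULL);           // 2. path may be shown anonymously
  }
  $name = iis_authenticated_user($server);     // 3. ask IIS instead of the CAS server
  if ($name === NULL) {
    return array('denied', NULL);
  }
  if (isset($users[$name])) {
    return array('login', $name);              // 4. existing local account
  }
  if ($cfg['auto_create']) {
    $users[$name] = array('name' => $name);    // 5. create the local account
    return array('created', $name);
  }
  return array('denied', NULL);
}

// Constructed sample input.
$users = array('alice' => array('name' => 'alice'));
$cfg = array('require_auth_pattern' => '#^/(?!public/)#', 'auto_create' => TRUE);
$server = array('AUTH_TYPE' => 'Negotiate', 'AUTH_USER' => 'EXAMPLE\\Bob',
                'HTTP_REMOTE_USER' => 'admin'); // header value, never consulted
print_r(resolve_session($server, '/node/1', NULL, $users, $cfg));
```

In a real module the `$users` lookups would be Drupal's own user load and create calls, and the returned action would decide whether a session is established.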
 
 

________________________________

From: support-bounces at drupal.org [mailto:support-bounces at drupal.org] On Behalf Of Néstor
Sent: Friday, January 30, 2009 8:08 AM
To: support at drupal.org
Subject: Re: [support] Drupal + IIS + windows


I work for a government agency and they tend to be MS shops but the reasons why we want Drupal is because 
we do not have the money in the budget and I like to bring in some open source to help change the IT mind
that MS is not the only way to go and that there are other choices.  We do have an intranet and was built in 
2001 and I want to implement something more current.

All the stuff you mentioned sounds so easy but it went over my head.  I will download the CAS and look at the
code to see if it means anything to me.

I am actually surprised that more people do not have the need for a module that automagically logs users in.

Thanks all for your replies.

Nestor :-)


On Thu, Jan 29, 2009 at 8:24 AM, Metzler, David <metzlerd at evergreen.edu> wrote:


	In such an environment using drupal would be an uphill battle for sure, but if you've got drupal working, and you've got IIS to do NTLM, it would seem to me that you COULD write a drupal module to do what you're asking. 
	 
	Much of the code is the same as what is in the CAS module (which I maintain) at http://drupal.org/project/cas.  The primary difference is where drupal would get the username. If you got a copy of the cas module, and replaced the cas client code with a "get the logged in user from an IIS provided environment php environment" chunk of code, enabled the drupal is cas user repository checkbox, set it up to require cas auth for all pages, you would have the starting point of a module that would (I believe) do what you ask. 
	 
	Again, I don't know if it's worth it.  If you're reaching for integration with Microsoft products then you might be better off with sharepoint, but if you're looking for all the kinds of things that drupal provides (modular extendibility, rich media integration, etc) then this might be worth your effort.  Feel free to ask me any questions about the code if you're interested.
	
	Dave 

________________________________

	
	From: support-bounces at drupal.org [mailto:support-bounces at drupal.org] On Behalf Of Néstor
	
	Sent: Thursday, January 29, 2009 8:07 AM 

	To: support at drupal.org
	Subject: Re: [support] Drupal + IIS + windows
	

	Fletch,
	
	I have a few days left to help the cause for using Drupal but as long as I am unable to 
	set up the NTLM so that users do not have to log into drupal then we probably go with
	Sharepoint.  I have tried several of the solutions that I found when I googled but
	they have not worked for me so far.
	 
	:-)
	
	
	On Tue, Jan 27, 2009 at 1:04 AM, John Fletcher <net at twoedged.org> wrote:
	

		Please let us know whether you end up going for SharePoint or Drupal, and why.

		 

		Regards,

		Fletch.

		 

		From: support-bounces at drupal.org [mailto:support-bounces at drupal.org] On Behalf Of Néstor
		Sent: Tuesday, 27 January 2009 3:44 AM
		To: support at drupal.org
		Subject: Re: [support] Drupal + IIS + windows

		 

		Gordon,
		
		Yes, I am interested.  I am planning on using IIS and IE in a windows environment.
		
		Any information you can provide would be helpful.
		
		We are making the decision between Drupal and Sharepoint and so far that is the one thing that
		Sharepoint has over drupal in our requirements. 
		
		Thanks,
		
		Rotsen

		On Mon, Jan 26, 2009 at 5:19 PM, Gordon Heydon <gordon at heydon.com.au> wrote:

		Hi,
		
		Yes I have gotten this to work before, but it only works on IE
		complete (FF will automatically ask for the user/password).
		
		Another issue is that it will not pass the password so Drupal has no
		idea of the password. Basically I had it working so that it placed
		trust in the ADS that the company used.
		
		I would be a bit more specific, but I can't find my original code.
		
		If you want to know more just let me know and I will see if I can find
		it.
		
		Gordon.

		
		On 27/01/2009, at 11:28 AM, Néstor wrote:
		
		> Hi people,
		>
		> I want to set up drupal in a windows + IIS environment and I want
		> the user not to have to log in
		> I want drupal to automatically know who they are.
		>
		> I am reading all kinds of stuff but some how I am not installing
		> them correct because they do not work
		>
		> Drupal + IIS + Windows and the user did not have to login because its
		> information was automagically passed to drupal.
		>
		> Did any of you people get this to work?
		>
		> Thanks,
		>
		> Nestor :-)

		> --

		> [ Drupal support list | http://lists.drupal.org/ ]
		