<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16788" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=105523116-30012009><FONT face=Arial
color=#0000ff size=2>I get it. It might help to understand a bit about
what the CAS module does. </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=105523116-30012009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=105523116-30012009><FONT face=Arial
color=#0000ff size=2>The CAS module is a single sign on module that does
automatically log people in but only after checking with a centralized
authentication server to verify that they've logged in elsewhere. The idea
behind the cas server is that it's a centralized place to login, and we don't
want to expose the usernames and passwords to drupal. Rather if the user
needs to log in, we redirect the client to another location for login, and then
when they come back do a quick check to make sure that they have
authenticated. If the have, establish a drupal user session.
</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=105523116-30012009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=105523116-30012009><FONT face=Arial
color=#0000ff size=2>In our environment, we actually use this to authenticate
against our MS Active Directory, but drupal never sees the user name and
password. That's handled by the CAS server which does Kerberos auth against
active directory. You do have to specify your username and password, but
that's authed by the CAS server against our active directory.
</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=105523116-30012009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=105523116-30012009><FONT face=Arial
color=#0000ff size=2>Here's what the CAS module does: </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=105523116-30012009><FONT face=Arial
color=#0000ff size=2>1. At the beginning of the page load check to see if
there's already a drupal session? If so no need to interfere.
</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=105523116-30012009><FONT face=Arial
color=#0000ff size=2>2. Since we're not logged in, Check and see if we
"need to be", it may be ok to display a drupal page as anonymous user.( this is
reg expression based on the path), but if we need to be authenticated.
</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=105523116-30012009><FONT face=Arial
color=#0000ff size=2>3. If we need to be and we haven't logged in use
the phpCAS library to ask the centralized server what user we're logged in
as. The phpCAS client does this via a curl request to the CAS server.
This is the part I think you can replace with a simple environment
variable check. </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=105523116-30012009></SPAN><SPAN
class=105523116-30012009><FONT face=Arial color=#0000ff size=2>4. Given
the username try and load the drupal user. If the user exists then great we
have a session established. </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=105523116-30012009><FONT face=Arial
color=#0000ff size=2>5. If the user doesn't exist, and the cas module is
configured to automatically create accounts, create a local drupal account and
establish a session as that user. </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=105523116-30012009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=105523116-30012009><FONT face=Arial
color=#0000ff size=2>There are some tricks of course, and the module exposes
some configuration options, not all of which are relavent, but this is darn
close to what you need. If you have any specific questions, don't hesitate to
contact me off list. </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=105523116-30012009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=105523116-30012009><FONT face=Arial
color=#0000ff size=2>Dave</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=105523116-30012009><FONT face=Arial
color=#0000ff size=2><A
href="mailto:metzlerd@evergreen.edu">metzlerd@evergreen.edu</A></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=105523116-30012009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=105523116-30012009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> support-bounces@drupal.org
[mailto:support-bounces@drupal.org] <B>On Behalf Of </B>Néstor<BR><B>Sent:</B>
Friday, January 30, 2009 8:08 AM<BR><B>To:</B>
support@drupal.org<BR><B>Subject:</B> Re: [support] Drupal + IIS +
windows<BR></FONT><BR></DIV>
<DIV></DIV>I work for a goverment agency and they tend to be MS shops but the
reasons why we want Drupal is because <BR>we do not have the money in the budget
and I like to bring in some open source to help change the IT mind<BR>that MS is
not the only way to go and that there are other choices. We do have an
intranet and was build in <BR>2001 and I want to implement somthing more
current..<BR><BR>All the stuff you mentioned sounds so easy but it went over my
head. I will download the CAS and look at the<BR>code to see if it means
anything to me.<BR><BR>I am actually surprise that more people do not have the
need for a module that automagically los users in.<BR><BR>Thanks all for your
replies.<BR><BR>Nestor :-)<BR><BR>
<DIV class=gmail_quote>On Thu, Jan 29, 2009 at 8:24 AM, Metzler, David <SPAN
dir=ltr><<A
href="mailto:metzlerd@evergreen.edu">metzlerd@evergreen.edu</A>></SPAN>
wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>In such an
environment using drupal would be an uphill battle for sure, but if you've got
drupal working, and you've got IIS to do NTLM, it would seem to me that you
COULD write a drupal module to do what you're asking. </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Much of
the code is the same as what is in the CAS module (which I maintain) at <A
href="http://drupal.org/project/cas"
target=_blank>http://drupal.org/project/cas</A>. The primary difference
is where drupal would get the username. If you got a copy of the cas module,
and replaced the cas client code with a " get the logged in user
from an IIS provided environment php environment" chunk of code,
enabled the drupal is cas user repository checkbox set it up
to require cas auth for all pages, you would have the starting point
of a module that would, (I believe) do what you ask. </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Again, I
don't know if its worth it. If you're reaching for integration with
Microsoft products then you might be better off with sharepoint, but if you're
looking for all the kinds of things that drupal provides (modular
extendibility, rich media integeration, etc) then this might be worth your
effort. Feel free to ask me any questions about the code if you're
interested.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2><BR>Dave</FONT> </SPAN></DIV><BR>
<DIV lang=en-us dir=ltr align=left>
<HR>
<FONT face=Tahoma size=2>
<DIV class=Ih2E3d><B>From:</B> <A href="mailto:support-bounces@drupal.org"
target=_blank>support-bounces@drupal.org</A> [mailto:<A
href="mailto:support-bounces@drupal.org"
target=_blank>support-bounces@drupal.org</A>] <B>On Behalf Of
</B>Néstor<BR></DIV><B>Sent:</B> Thursday, January 29, 2009 8:07 AM
<DIV>
<DIV></DIV>
<DIV class=Wj3C7c><BR><B>To:</B> <A href="mailto:support@drupal.org"
target=_blank>support@drupal.org</A><BR><B>Subject:</B> Re: [support] Drupal +
IIS + windows<BR></DIV></DIV></FONT><BR></DIV>
<DIV>
<DIV></DIV>
<DIV class=Wj3C7c>
<DIV></DIV>Fletch,<BR><BR>I few days left to help the cause for using Drupal
but as long as I am unable to <BR>set up the NLTM so that users do not have to
log into drupal then we probably go with<BR>Sharepoint. I have tried
several of the solutions that I found when I googled but<BR>they have not work
for me so far.<BR> <BR>:-)<BR><BR>
<DIV class=gmail_quote>On Tue, Jan 27, 2009 at 1:04 AM, John Fletcher <SPAN
dir=ltr><<A href="mailto:net@twoedged.org"
target=_blank>net@twoedged.org</A>></SPAN> wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV lang=EN-AU link="blue" vlink="purple">
<DIV>
<P><SPAN style="FONT-SIZE: 11pt; COLOR: rgb(102,51,0)">Please let us know
whether you end up going for SharePoint or Drupal, and why.</SPAN></P>
<P><SPAN style="FONT-SIZE: 11pt; COLOR: rgb(102,51,0)"></SPAN> </P>
<P><SPAN style="FONT-SIZE: 11pt; COLOR: rgb(102,51,0)">Regards,</SPAN></P>
<P><SPAN style="FONT-SIZE: 11pt; COLOR: rgb(102,51,0)">Fletch.</SPAN></P>
<P><SPAN style="FONT-SIZE: 11pt; COLOR: rgb(102,51,0)"></SPAN> </P>
<DIV
style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0cm; BORDER-TOP: rgb(181,196,223) 1pt solid; PADDING-LEFT: 0cm; PADDING-BOTTOM: 0cm; BORDER-LEFT: medium none; PADDING-TOP: 3pt; BORDER-BOTTOM: medium none">
<P><B><SPAN lang=EN-US style="FONT-SIZE: 10pt">From:</SPAN></B><SPAN
lang=EN-US style="FONT-SIZE: 10pt"> <A
href="mailto:support-bounces@drupal.org"
target=_blank>support-bounces@drupal.org</A> [mailto:<A
href="mailto:support-bounces@drupal.org"
target=_blank>support-bounces@drupal.org</A>] <B>On Behalf Of
</B>Néstor<BR><B>Sent:</B> Tuesday, 27 January 2009 3:44 AM<BR><B>To:</B> <A
href="mailto:support@drupal.org"
target=_blank>support@drupal.org</A><BR><B>Subject:</B> Re: [support] Drupal
+ IIS + windows</SPAN></P></DIV>
<DIV>
<DIV></DIV>
<DIV>
<P> </P>
<P style="MARGIN-BOTTOM: 12pt">Gordon,<BR><BR>Yes, I am interested. I
am planning on using IIS and IE in a windows environment.<BR><BR>Any
information you can provide would be helpful.<BR><BR>We are making the
decision between Drupal and Sharepoint and so far that is the one thing
that<BR>Sharepoint has over drupal in our requirements.
<BR><BR>Thanks,<BR><BR>Rotsen</P>
<DIV>
<P>On Mon, Jan 26, 2009 at 5:19 PM, Gordon Heydon <<A
href="mailto:gordon@heydon.com.au"
target=_blank>gordon@heydon.com.au</A>> wrote:</P>
<P>Hi,<BR><BR>Yes I have gotten this to work before, but it only works on
IE<BR>complete (FF will automatically ask for the
user/password).<BR><BR>Other issues is that it will not pass the password so
Drupal has no<BR>idea of the password. Basically I had it working so that it
placed<BR>trust in the ADS that the company used.<BR><BR>I would be a bit
more specific, but I can't find my original code.<BR><BR>If you want to know
more just let me know and I will see if I can find<BR>it.<BR><SPAN
style="COLOR: rgb(136,136,136)"><BR>Gordon.</SPAN></P>
<DIV>
<DIV>
<P><BR>On 27/01/2009, at 11:28 AM, Néstor wrote:<BR><BR>> Hi
people,<BR>><BR>> I want to set up drupal in a windows + IIS
environment and I want<BR>> the user not to have to log in<BR>> I want
drupal to automatically knwo who they are.<BR>><BR>> I am reading all
kinds of stuff but some how I am not installing<BR>> them correct because
they do not work<BR>><BR>> Drupal + IIS + Windows and the user did not
have to login because its<BR>> information was automagically pass to
drupal.<BR>><BR>> Did any of you people get this to
work?<BR>><BR>> Thanks,<BR>><BR>> Nestor :-)</P></DIV></DIV>
<P>> --</P>
<DIV>
<DIV>
<P>> [ Drupal support list | <A href="http://lists.drupal.org/"
target=_blank>http://lists.drupal.org/</A> ]<BR><BR>--<BR>[ Drupal support
list | <A href="http://lists.drupal.org/"
target=_blank>http://lists.drupal.org/</A> ]</P></DIV></DIV></DIV>
<P> </P></DIV></DIV></DIV></DIV><BR>--<BR>[ Drupal support list | <A
href="http://lists.drupal.org/" target=_blank>http://lists.drupal.org/</A>
]<BR></BLOCKQUOTE></DIV><BR></DIV></DIV></DIV><BR>--<BR>[ Drupal support list
| <A href="http://lists.drupal.org/"
target=_blank>http://lists.drupal.org/</A>
]<BR></BLOCKQUOTE></DIV><BR></BODY></HTML>