Windows Single Sign-On (SSO)

This article describes how to provide a single sign-on facility to your backend users (BE users) and/or frontend users (FE users) by silently authenticating them against Active Directory (MS Windows Server) using the NTLM scheme.

If you want to configure single sign-on using Kerberos instead, you may try this other tutorial (for the Apache part). I did not test it though.

NTLM authentication module for Apache2

First of all, we need mod_ntlm2, available from http://modntlm.sourceforge.net/.

To compile it, you'll need apxs, which is provided by the Apache development package of your preferred Linux distribution. Instructions for Debian are available here (yes, this time I did not test it with Debian but configured it for RedHat Enterprise 5, 64 bit).

Thus, insert your RedHat DVD, mount it to something like /mnt/cdrom. If you don’t have gcc installed yet, start by installing it:

# cd /mnt/cdrom/Server
# rpm -ivh kernel-headers-2.6.18-128.el5.x86_64.rpm
# rpm -ivh glibc-headers-2.5-34.x86_64.rpm
# rpm -ivh glibc-devel-2.5-34.x86_64.rpm
# rpm -ivh libgomp-4.3.2-7.el5.x86_64.rpm
# rpm -ivh gcc-4.1.2-44.el5.x86_64.rpm

Now install packages needed to get the apxs tool:

# cd /mnt/cdrom/Server
# rpm -ivh apr-devel-1.2.7-11.x86_64.rpm
# rpm -ivh db4-devel-4.3.29-9.fc6.x86_64.rpm
# rpm -ivh expat-devel-1.95.8-8.2.1.x86_64.rpm
# rpm -ivh cyrus-sasl-devel-2.1.22-4.x86_64.rpm
# rpm -ivh openldap-devel-2.3.43-3.el5.x86_64.rpm
# rpm -ivh apr-util-devel-1.2.7-7.el5.x86_64.rpm
# rpm -ivh httpd-devel-2.2.3-22.el5.x86_64.rpm

You should have the downloaded mod_ntlm2-0.1.tar.gz at hand. Untar it and enter the source directory:

# tar xzf mod_ntlm2-0.1.tar.gz
# cd mod_ntlm2-0.1

Unfortunately, it does not compile against Apache 2.2 as is. Save the diff below to a file and apply it with patch -p1 from inside the mod_ntlm2-0.1 directory before compiling:

diff -Naur mod_ntlm2-0.1/Makefile mod_ntlm2-0.1-fixed/Makefile
--- mod_ntlm2-0.1/Makefile	2003-02-25 12:25:42.000000000 +0100
+++ mod_ntlm2-0.1-fixed/Makefile	2010-02-15 14:57:10.000000000 +0100
@@ -17,7 +17,7 @@
 
 #   install the shared object file into Apache 
 install: all
-	$(APXS) -i -a -n 'ntlm' mod_ntlm.so
+	$(APXS) -i -a -n 'ntlm' mod_ntlm.la
 
 #   cleanup
 clean:
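Review bot: the apxs line keeps -a, which rewrites httpd.conf to add a LoadModule ntlm_module line on every `make install`; harmless for a one-off build, but if the module is later managed from a conf.d snippet the duplicate LoadModule produces an "already loaded, skipping" warning at every start, so either drop -a or document that the generated line is the one to keep. The .so to .la change itself is right for Apache 2.x, whose libtool-based `apxs -i` expects the .la file to locate the shared object.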
diff -Naur mod_ntlm2-0.1/mod_ntlm.c mod_ntlm2-0.1-fixed/mod_ntlm.c
--- mod_ntlm2-0.1/mod_ntlm.c	2003-02-23 16:58:02.000000000 +0100
+++ mod_ntlm2-0.1-fixed/mod_ntlm.c	2010-02-15 14:55:59.000000000 +0100
@@ -587,7 +587,13 @@
         return NULL;
     }
 
-    apr_pool_sub_make(&sp,p,NULL);
+    /*
+     * apr_pool_sub_make(&sp,p,NULL);
+     *
+     * This function call is not longer available with apache 2.2
+     * Try replacing it with apr_pool_create_ex()
+     */
+    apr_pool_create_ex(&sp,p,NULL,NULL);
 
     while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) {
         if ((l[0] == '#') || (!l[0]))
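Review bot: the return value of apr_pool_create_ex() is discarded, so an allocation failure leaves sp unusable and the code that follows would work on an invalid pool; check it and bail out the way the function already does a few lines above (`if (apr_pool_create_ex(&sp, p, NULL, NULL) != APR_SUCCESS) return NULL;`). For the NULL/NULL case `apr_pool_create(&sp, p)` is the shorter spelling. The four-line comment can shrink to one line once the code is settled, and "not longer available" should read "no longer available".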
diff -Naur mod_ntlm2-0.1/smbval/smblib.inc.c mod_ntlm2-0.1-fixed/smbval/smblib.inc.c
--- mod_ntlm2-0.1/smbval/smblib.inc.c	2003-02-21 02:55:14.000000000 +0100
+++ mod_ntlm2-0.1-fixed/smbval/smblib.inc.c	2010-02-15 14:52:51.000000000 +0100
@@ -22,8 +22,8 @@
 #include <stdio.h>
 #include <malloc.h>
 
-static int SMBlib_errno;
-static int SMBlib_SMB_Error;
+int SMBlib_errno;
+int SMBlib_SMB_Error;
 #define SMBLIB_ERRNO
 #define uchar unsigned char
 #include "smblib-priv.h"
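Review bot: removing `static` from SMBlib_errno and SMBlib_SMB_Error changes their linkage from file-local to external without saying why; if the aim is to share them with mod_ntlm.c or to silence unused-variable errors, state it in the commit message. A file named *.inc.c is normally #included rather than compiled on its own, so if more than one translation unit pulls it in these now-external definitions collide at link time; the cleaner fix is one definition in a single .c file plus `extern int SMBlib_errno;` in smblib-priv.h.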
@@ -32,7 +32,7 @@
 
 #include <signal.h>
 
-static SMB_State_Types SMBlib_State;
+SMB_State_Types SMBlib_State;
 
 /* Initialize the SMBlib package     */
 static int
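Review bot: same linkage change for SMBlib_State as in the previous hunk, with the same open question on why. Beyond that, a mutable file-scope variable holding SMB session state is shared by every thread in the httpd process, so under a threaded MPM concurrent NTLM authentications can race on it; either document that mod_ntlm2 requires the prefork MPM or move this state into a per-connection structure.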

Then compile it and install it:

# make
# make install

Edit /etc/httpd/conf/httpd.conf and make sure the KeepAlive option is set to "On" rather than the default "Off". NTLM is a connection-oriented scheme: the challenge the server issues is tied to the TCP connection, and the three exchanges of the handshake (negotiate, challenge, authenticate) must all travel on that same connection, so without keep-alive the handshake cannot complete:

KeepAlive On

Restart Apache.
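As an added example (not code from the original article or from mod_ntlm2), the following Python script frames and decodes the three NTLM messages that travel in the Authorization and WWW-Authenticate headers, and models the server side of the handshake per TCP connection. The message layouts follow MS-NLMP; the domain, user, workstation and nonce values are constructed, the LM/NT responses are zero-filled placeholders, and no credential is checked against a domain controller (that is the part mod_ntlm delegates to the DC over SMB). What it does show is why KeepAlive must be On: a Type 3 that arrives on a connection that never saw the server's Type 2 challenge cannot be accepted.

```python
"""Added example, not part of the original article or of mod_ntlm2: frame and
decode NTLM Type 1/2/3 tokens (layouts per MS-NLMP) and model the per-connection
handshake state that makes "KeepAlive On" mandatory. Nothing is verified against a DC."""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001   # payload strings are UTF-16LE

def _field(blob, offset):
    """Security-buffer descriptor: Len, MaxLen, absolute Offset into the message."""
    return struct.pack("<HHI", len(blob), len(blob), offset)

def _read_field(msg, at):
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, at)
    return msg[offset:offset + length]

def build_type1():
    """NEGOTIATE: 32 bytes, flags followed by empty DomainName/Workstation buffers."""
    return NTLMSSP_SIGNATURE + struct.pack("<II", 1, NEGOTIATE_UNICODE) + b"\x00" * 16

def build_type2(challenge, flags=NEGOTIATE_UNICODE):
    """CHALLENGE: the 8-byte server nonce, empty TargetName and TargetInfo."""
    header_len = 56
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 2) + _field(b"", header_len)
            + struct.pack("<I", flags) + challenge + b"\x00" * 8
            + _field(b"", header_len) + b"\x00" * 8)

def build_type3(domain, user, workstation,
                lm_response=b"\x00" * 24, nt_response=b"\x00" * 24):
    """AUTHENTICATE: six security buffers, flags, Version, MIC, then the payload."""
    header_len = 88  # 8 sig + 4 type + 6*8 buffers + 4 flags + 8 version + 16 MIC
    blobs = [lm_response, nt_response, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    fields, payload = b"", b""
    for blob in blobs:
        fields += _field(blob, header_len + len(payload))
        payload += blob
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 3) + fields
            + struct.pack("<I", NEGOTIATE_UNICODE) + b"\x00" * 24 + payload)

def to_header(msg):
    """Wrap a raw message the way it travels in Authorization / WWW-Authenticate."""
    return "NTLM " + base64.b64encode(msg).decode("ascii")

def decode_ntlm_header(value):
    """Parse 'NTLM <base64>' into a dict; ValueError for anything that is not NTLM."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM token")
    msg = base64.b64decode(token)
    if len(msg) < 12 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("bad NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    info = {"type": msg_type}
    if msg_type == 2:
        info["challenge"] = msg[24:32]
    elif msg_type == 3:
        (flags,) = struct.unpack_from("<I", msg, 60)
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
        info["domain"] = _read_field(msg, 28).decode(enc)
        info["user"] = _read_field(msg, 36).decode(enc)
        info["workstation"] = _read_field(msg, 44).decode(enc)
    return info

class NtlmConnection:
    """Server-side state for ONE TCP connection: the leg-2 challenge lives here, so a
    Type 3 arriving on a fresh connection has nothing to match (hence KeepAlive On)."""

    def __init__(self, nonce=b"\x01\x23\x45\x67\x89\xab\xcd\xef"):
        self._nonce = nonce       # constructed; a real server draws this randomly
        self.challenge = None     # set once leg 2 has gone out on this connection

    def handle(self, authorization):
        """Return (status, header): 401 + WWW-Authenticate value, or 200 + REMOTE_USER."""
        if authorization is None:
            return 401, "NTLM"                        # leg 0: ask the browser to start
        info = decode_ntlm_header(authorization)
        if info["type"] == 1:                         # leg 1: NEGOTIATE -> CHALLENGE
            self.challenge = self._nonce
            return 401, to_header(build_type2(self.challenge))
        if info["type"] == 3:                         # leg 3: AUTHENTICATE
            if self.challenge is None:                # no leg 2 on this connection
                return 401, "NTLM"                    # handshake has to start over
            self.challenge = None
            return 200, info["domain"] + "\\" + info["user"]
        raise ValueError("unexpected NTLM message type %d" % info["type"])

def handshake_over_one_connection(domain, user, workstation):
    """All three legs on a single kept-alive connection; ends with REMOTE_USER."""
    conn = NtlmConnection()
    conn.handle(None)                                 # 401, WWW-Authenticate: NTLM
    conn.handle(to_header(build_type1()))             # 401, WWW-Authenticate: NTLM <Type 2>
    return conn.handle(to_header(build_type3(domain, user, workstation)))

def type3_on_fresh_connection(domain, user, workstation):
    """KeepAlive Off in miniature: leg 3 lands on a new connection and is refused."""
    return NtlmConnection().handle(to_header(build_type3(domain, user, workstation)))
```

The two functions at the bottom are the ones to compare: handshake_over_one_connection returns (200, 'CORP\\alice') when all three legs share a connection, while type3_on_fresh_connection returns (401, 'NTLM'), which is what a browser runs into when KeepAlive is Off and each request opens a new connection.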

Testing the single sign-on

It's now time to test that single sign-on works. We will protect an arbitrary location and put a small script in it that prints the authenticated user.

Create file /etc/httpd/conf.d/ntlm-test.conf:

<location /test>
AuthType NTLM
NTLMAuth on
NTLMAuthoritative off
NTLMDomain your-domain
NTLMServer your-primary-domain-controller
NTLMBackup your-secondary-domain-controller

Require valid-user
</location>

Restart Apache. Your /test location is now protected. One caveat on NTLMAuthoritative off: like Apache's other *Authoritative directives, it hands a request that NTLM could not authenticate to any further authentication module configured for the location instead of rejecting it outright. With no other module present the outcome is still a 401, but set it to on unless you deliberately chain a fallback module.

Create an index.php file in the directory served at /test (under your DocumentRoot), so that it falls under the location just protected:

<?php
// REMOTE_USER is filled in by mod_ntlm once the handshake has completed;
// escape it before echoing, as you would any value taken from the request.
$user = isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : '(not authenticated)';
echo 'Logged in as <strong>' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '</strong>';
?>

Navigate to your page. It should display the Windows account name you are logged in with.

Configuring TYPO3 to use single sign-on

First of all, remove /etc/httpd/conf.d/ntlm-test.conf if it still exists. Then either add the configuration to the .htaccess file at the root of your website or put it in a dedicated config file as for the test above; it is up to you. Below is the configuration to be put into something like /etc/httpd/conf.d/ntlm-yourwebsite.conf:

<directory /path/to/your/website>
AuthType NTLM
NTLMAuth on
NTLMAuthoritative off
NTLMDomain your-domain
NTLMServer your-primary-domain-controller
NTLMBackup your-secondary-domain-controller

Order deny,allow
Deny from all

# This server (indexed_search without Windows login)
Allow from 84.253.49.98

# For all users, login required
Require valid-user

# Any of the two previous conditions should match
Satisfy Any
</directory>

Of course, you should restart Apache. Be clear about what Satisfy Any does here: a request from 84.253.49.98 (the server's own address, so that the indexed_search crawler can index the site) is let in without any Windows login. That exemption rests on the source address alone, so it applies to every process on that host and to anything that can make the host issue requests on its behalf, not just to the indexer; keep the list to the addresses that really need it and never widen it to a whole subnet. The Order/Deny/Allow/Satisfy syntax is Apache 2.2; on Apache 2.4 the same policy is written as a RequireAny block containing Require ip 84.253.49.98 and Require valid-user.

You now need an SSO extension installed in TYPO3. You may use for instance apacheauth, which works well for both frontend and backend users. Having read the extension's code, I suggest editing ext_localconf.php and changing the "if" block at the beginning to read:

if ($_EXTCONF['enable.']['FEUsers']) {
	$TYPO3_CONF_VARS['SVCONF']['auth']['setup']['FE_fetchUserIfNoSession'] = 1;
	$subtypes[] = 'getUserFE,authUserFE';
}
if ($_EXTCONF['enable.']['BEUsers']) {
	$TYPO3_CONF_VARS['SVCONF']['auth']['setup']['BE_fetchUserIfNoSession'] = 1;
	$subtypes[] = 'getUserBE,authUserBE';
}

That is, replace *_alwaysFetchUser with *_fetchUserIfNoSession which, according to the authentication service documentation, is the better fit for a single sign-on mechanism: the user is looked up from the server variables only when no TYPO3 session exists yet, instead of on every request.

Removing the username/password prompt

Perhaps you still don't have a real single sign-on yet, because your browser keeps showing you the username/password prompt (Firefox and Internet Explorer both do this until they are told to trust the site):

Firefox Tweaking

In about:config, add your site's URL (or just its host name) to network.automatic-ntlm-auth.trusted-uris; Firefox answers an NTLM challenge with the Windows credentials silently only for sites listed there.

Internet Explorer Tweaking

Add the site to the Local intranet zone (Internet Options > Security > Local intranet > Sites > Advanced) and check that this zone's User Authentication setting is "Automatic logon only in Intranet zone"; Internet Explorer does not send Windows credentials to a site it classifies as Internet.
