Drupal 7: automatically logging users in with their Windows credentials (LDAP, NTLM)
So you want to build an intranet site with a seamless onboarding process that doesn't require users to remember yet another login? This is hard to do and a lot of things can go wrong along the way. Hopefully some of the below steers you through these treacherous waters.
I built an intranet using Drupal 7 and the Apache web server, running on Windows Server 2012. There are many layers and each of them needs work.
First, some terminology:
- LDAP - Lightweight Directory Access Protocol. Most Windows networks have a domain controller running Active Directory, which is the central repository of accounts and groups. Strictly speaking, a PC logging into Windows authenticates to that domain controller with Kerberos (or NTLM), not LDAP; LDAP is the protocol applications use to query the directory and to check a username and password by performing a 'bind'. So an intranet site that lets people log in with their Windows credentials needs to connect to a domain controller and talk LDAP to it, ideally over LDAPS (port 636) so that the passwords sent in a bind are not on the wire in clear.
- NTLM - a challenge/response scheme that lets a web browser prove to a web server that it holds the credentials of the logged-on Windows user; the password itself is never sent, and the web server hands the verified name to the application as REMOTE_USER. You want this so that users don't need to type their username and password to log in. Combined with LDAP (which fetches the user's details and groups) it makes the intranet web site appear to magically 'just know' who is browsing it. Browsers only do this silently for sites they trust: Internet Explorer, Edge and Chrome need the site in the Local intranet zone, and Firefox needs the host listed in network.automatic-ntlm-auth.trusted-uris; otherwise the user gets a login prompt instead of seamless login.
Enable the LDAP extension by editing php.ini and adding the extension line; for the Windows build of PHP this is extension=php_ldap.dll (PHP 7.2 and later also accept the short form extension=ldap).
Use phpinfo(); (or php -m from a command prompt) to check that the extension is being loaded properly, and remember that Apache must be restarted after the php.ini change.
You'll need the LDAP modules for Drupal. Getting LDAP logins working varies a lot because Active Directory can be set up in a variety of ways. I can't provide detailed steps for this as every situation is different, so instead I'll just describe a few things I wish I knew before diving in.
- Enable the LDAP SSO (and dependencies), plus LDAP Authorization - Drupal Roles modules.
- The LDAP Help module can be really good - it runs some checks to ensure you have all the prerequisites you need.
- On the very first settings screen for the LDAP module (admin/config/people/ldap) there is a checkbox to enable detailed logging of everything the module does. Enable that before you do anything else, as without it you'll be steering blind. Turn it off again once logins work: it writes a large volume of detail about every bind and search, including directory data, to the watchdog log.
- Use an LDAP browser such as Apache Directory Studio to explore the Active Directory tree and find out the various things you need to put into the settings of the drupal LDAP module.
- I was trying to have the user's Drupal role assigned based on their AD groups, but mysteriously it was necessary to UN-tick the checkbox saying "A user LDAP attribute such as memberOf exists that contains a list of their groups" for this to happen, even though there is a memberOf attribute...
- In Authentication -> Single Sign-On, tick 'Strip REMOTE_USER domain name' and 'Turn on automated / seamless single sign-on'. You might like to save this step until you have Apache set up, as below. Be aware that stripping the domain makes CORP\jsmith and OTHER\jsmith the same Drupal account, so only do it when there is a single domain to authenticate against.
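Before trusting the module's settings screens, it helps to do by hand what they do under the hood. The script below is an added example, not part of the original post or of the Drupal LDAP modules: it binds to Active Directory with a service account, looks up one user by sAMAccountName, prints the attributes the modules consume (DN, UPN, mail, memberOf, primaryGroupID), and applies a group-to-role map of the kind the Authorization module builds. The server, DNs, group names and role names are placeholder assumptions to replace with values taken from your LDAP browser; the bind password is read from the LDAP_BIND_PW environment variable. It needs the php_ldap extension and PHP 5.6 or later (for ldap_escape).

```php
<?php
// Added diagnostic script (not from the original post): bind, look up a user,
// list their groups and map groups to Drupal roles. All names are placeholders.

$server = 'ldaps://dc01.example.local';       // assumption; LDAPS keeps the bind password off the wire
$bindDn = 'CN=svc-drupal,OU=Service Accounts,DC=example,DC=local'; // assumed service account
$bindPw = getenv('LDAP_BIND_PW');             // read from the environment, never hard-coded
$baseDn = 'DC=example,DC=local';              // assumed search base
$user   = isset($argv[1]) ? $argv[1] : 'jdoe'; // sAMAccountName to look up (constructed default)

// Assumed AD group -> Drupal role mapping, keyed by lower-cased group DN.
$groupToRole = array(
    'cn=intranet editors,ou=groups,dc=example,dc=local' => 'editor',
    'cn=intranet admins,ou=groups,dc=example,dc=local'  => 'administrator',
);

// Return the Drupal roles a user should get from the DNs in memberOf.
// DNs are compared case-insensitively because AD treats them that way.
function rolesForGroups(array $memberOf, array $map)
{
    $roles = array();
    foreach ($memberOf as $dn) {
        $key = strtolower($dn);
        if (isset($map[$key])) {
            $roles[] = $map[$key];
        }
    }
    return array_values(array_unique($roles));
}

$ds = ldap_connect($server);
if ($ds === false) {
    fwrite(STDERR, "ldap_connect failed (malformed URI)\n");
    exit(1);
}
// Active Directory requires LDAPv3, and referral chasing must be off or searches
// from the domain root hang on referrals to unreachable domain controllers.
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

if (!@ldap_bind($ds, $bindDn, $bindPw)) {
    fwrite(STDERR, "bind failed: " . ldap_error($ds) . "\n");
    exit(1);
}

// Escape the looked-up name: an unescaped '*' or ')(' in a filter is LDAP injection.
$filter = '(&(objectCategory=person)(sAMAccountName=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . '))';
$attrs  = array('sAMAccountName', 'userPrincipalName', 'mail', 'memberOf', 'primaryGroupID');
$sr     = ldap_search($ds, $baseDn, $filter, $attrs);
if ($sr === false) {
    fwrite(STDERR, "search failed: " . ldap_error($ds) . "\n");
    exit(1);
}
$entries = ldap_get_entries($ds, $sr);
if ($entries['count'] !== 1) {
    fwrite(STDERR, "expected exactly one entry for $user, got {$entries['count']}\n");
    exit(1);
}
// ldap_get_entries lower-cases attribute names and adds a 'count' key to each one.
$e = $entries[0];
echo "DN:   {$e['dn']}\n";
echo "UPN:  " . (isset($e['userprincipalname'][0]) ? $e['userprincipalname'][0] : '(none)') . "\n";
echo "Mail: " . (isset($e['mail'][0]) ? $e['mail'][0] : '(none)') . "\n";

$memberOf = array();
if (isset($e['memberof'])) {
    for ($i = 0; $i < $e['memberof']['count']; $i++) {
        $memberOf[] = $e['memberof'][$i];
    }
}
echo "memberOf (" . count($memberOf) . " groups):\n";
foreach ($memberOf as $dn) {
    echo "  $dn\n";
}
// The primary group (Domain Users, primaryGroupID 513, by default) is never listed
// in memberOf, so a role keyed on that group through this attribute will not work.
echo "primaryGroupID: " . (isset($e['primarygroupid'][0]) ? $e['primarygroupid'][0] : '(none)') . "\n";
echo "Drupal roles from mapping: " . implode(', ', rolesForGroups($memberOf, $groupToRole)) . "\n";
ldap_unbind($ds);
```

Run it from a command prompt as php ldap_check.php jsmith with LDAP_BIND_PW set. If memberOf comes back empty for a user you know is in groups, either the service account cannot read the group objects or the user is only in their primary group, which AD never lists in memberOf; that is worth ruling out before puzzling over the Authorization checkboxes.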
Enable the Apache LDAP module by editing the appropriate .conf file and adding the line below. Note that mod_ldap only serves Apache's own LDAP authentication (mod_authnz_ldap); Drupal talks to the directory through the PHP extension, so this is only needed if Apache itself will query the directory.
LoadModule ldap_module modules/mod_ldap.so
The only NTLM module I could find that worked on the 64 bit version of Apache was at ApacheHaus. That module needed this line in httpd.conf
LoadModule auth_ntlm_module modules/mod_authn_ntlm.so
Add a <Location> block so that the NTLM module authenticates requests to the path the Drupal ldap_sso module uses (the directives other than AuthName are those documented in the mod_authn_ntlm README; check them against the version you installed):
<Location /user/login/sso>
    AuthName "Private location"
    # mod_authn_ntlm directive names; the older mod_auth_sspi for Apache 2.2 spells them SSPI...
    AuthType SSPI
    NTLMAuth On
    NTLMAuthoritative On
    NTLMOfferBasic Off
    NTLMOmitDomain Off
    Require valid-user
</Location>
You might prefer to have <Location /> to restrict access to the entire intranet rather than having users log in by going to /user/login/sso. Bear in mind that then every request, including cron.php and anything meant to be anonymous, needs a Windows login, and that NTLM authenticates the TCP connection rather than each request, so it breaks behind a proxy or load balancer that pools connections.
Initially you should set up a <Location /test.php> block with the same directives and create a test PHP script in the root of your Drupal installation with this code in it (remove the script again once SSO works; it has no purpose in production):
<?php
$raw = isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : '';
if ($raw === '') die('REMOTE_USER is empty: the NTLM module did not authenticate this request.');
$cred = explode('\\', $raw);
// No backslash means the domain was stripped (NTLMOmitDomain On in mod_authn_ntlm, SSPIOmitDomain On in the older mod_auth_sspi)
if (count($cred) == 1) array_unshift($cred, "(no domain info - perhaps the OmitDomain option is On)");
list($domain, $user) = $cred;
// Escape before echoing; never reflect header-derived data into HTML unescaped
echo "You appear to be user <b>" . htmlspecialchars($user) . "</b><br/>";
echo "logged into the Windows NT domain <b>" . htmlspecialchars($domain) . "</b><br/>";
If you see a message saying "You appear to be user something something" then NTLM is working and you can move on to configure the single sign-on part of Drupal at http://yoursite/admin/config/people/ldap/authentication. Scroll down to the 'Single Sign-on' section and tick the 'Strip REMOTE_USER domain name' and 'Turn on automated / seamless single sign-on' checkboxes. Then protect /user/login/sso with the <Location> block above and delete test.php.