Require Group Policy Does Not Work for Windows 2008 Server AD Group

I am trying to implement Windows authentication using the mod_sspi_auth module. I was able to get a basic implementation of this module working after configuring the httpd.conf of Apache 2.2. The configuration I have applied, for the location tag, is:

AuthName "Windows Authentication Test"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative Off
SSPIDomain test.domain.com
SSPIOfferBasic On
SSPIOmitDomain Off
SSPIUsernameCase lower
Require valid-user

And it's working correctly, with one issue. When I try to access my website from a machine which is not in my domain, that machine is getting authenticated with my application server machine, which is not expected. :confused:

Now I want to authenticate a group of users which I created in Windows Server 2008 AD. I have added some users to this group, and I have tried to use the "Require group" directive of Apache with multiple combinations. But I am still stuck with the problem of the group users not being authenticated. The configuration in the httpd.conf location tag for the group combination is:

AuthName "Windows Authentication Test"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative Off
SSPIDomain test.domain.com
SSPIOfferBasic On
SSPIOmitDomain Off
SSPIUsernameCase lower
Require group test.domain.com\mygroup

Other combinations that I have already tried with the Require directive are as follows:

1. Require group "test.domain.com\mygroup"
2. Require group mygroup
3. Require group "mygroup"
4. Require Group "CN=abc,DC=test.domain.com"
5. Require Group CN=abc,DC=test.domain.com

Can anyone help me with this?


Try to use LocationMatch for group restrictions. My instance worked using a two-part configuration that looks like this:

<Location />
    AuthName "Windows Authentication Test"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative Off
    SSPIDomain test.domain.com
    SSPIOfferBasic On
    SSPIOmitDomain Off
    SSPIUsernameCase lower
    Require valid-user
</Location>

For group restrictions, I use this:

<LocationMatch "/">
  Require group test.domain.com\mygroup
</LocationMatch>

About your confusion: users logged in with AD credentials to computers joined to the domain will automatically authenticate using IE or other NTLM-supporting browsers. But machines not joined to the domain, or non-AD users on domain machines, will be prompted for authentication.
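
An added example, not part of the original thread and not code from the module's project: a small Python check run over the answer's two-part configuration that flags the settings deciding which clients can authenticate and by which route. The function names and finding labels are hypothetical, the sample config is constructed from the thread, and the directive meanings in the comments are assumptions based on the module's directive descriptions.

```python
import re

# Constructed sample: a trimmed copy of the two-part configuration above.
SAMPLE_CONF = r'''
<Location />
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative Off
    SSPIOfferBasic On
    Require valid-user
</Location>
<LocationMatch "/">
    Require group test.domain.com\mygroup
</LocationMatch>
'''

OPEN = re.compile(r'<(LocationMatch|Location|Directory)\s+"?([^">]+)"?\s*>', re.I)
CLOSE = re.compile(r'</(LocationMatch|Location|Directory)>', re.I)

def parse_blocks(conf):
    """Return [(container, path, {directive_lowercase: value}), ...]."""
    blocks, current = [], None
    for line in (raw.strip() for raw in conf.splitlines()):
        opened = OPEN.match(line)
        if opened:
            current = {}
            blocks.append((opened.group(1), opened.group(2).strip(), current))
        elif CLOSE.match(line):
            current = None
        elif current is not None and line and not line.startswith('#'):
            name, _, value = line.partition(' ')
            current[name.lower()] = value.strip()
    return blocks

def audit(conf):
    """Flag settings that decide who may authenticate, and by which route."""
    findings = []
    for kind, path, d in parse_blocks(conf):
        where = f'<{kind} {path}>'
        if d.get('sspiofferbasic', '').lower() == 'on':
            findings.append((where, 'basic-offered'))      # Basic sends the password base64-encoded: require TLS
        if d.get('sspiauthoritative', '').lower() == 'off':
            findings.append((where, 'non-authoritative'))  # other auth modules may decide for users SSPI does not know
        if d.get('require', '').lower().startswith('group') and 'authtype' not in d:
            findings.append((where, 'group-rule-inherits-auth'))  # relies on auth settings merged from another block
    return findings

if __name__ == '__main__':
    for where, issue in audit(SAMPLE_CONF):
        print(f'{where}: {issue}')
```

The `basic-offered` finding is the one that bears on the question's first issue: with a Basic fallback offered, a browser on a machine outside the domain can still be prompted and log in with valid credentials.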