<br><div class="gmail_quote">On Wed, Feb 23, 2011 at 9:04 AM, Michael Brown <span dir="ltr">&lt;<a href="mailto:mbrown@fensystems.co.uk">mbrown@fensystems.co.uk</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im">On Wednesday 23 Feb 2011 15:38:44 john s. wrote:<br>
> I have a Comprehensive Question about SSO in Relation to LDAP<br>
><br>
> Is it possible with LDAP to get Access on an SSO client with a Computer in<br>
> a Network (e.g. RT) by starting the Computer with a network windows logon<br>
> ..........?<br>
><br>
> Or do I have to do this with NTLM?<br>
<br>
</div>You can use Kerberos to do this. From memory, you need to make sure that DNS<br>
is working perfectly (including reverse lookups), and you will need to ensure<br>
that the browser is prepared to use Kerberos to authenticate against your RT<br>
server. For IE, this means designating the RT server as part of the<br>
"Intranet" zone; for Firefox you can use about:config and add the RT server to<br>
network.negotiate-auth.trusted-uris.<br>
<br>
On the server side, you want something like this in .htaccess:<br>
<br>
AuthType Kerberos<br>
AuthName "Kerberos Login"<br>
KrbMethodNegotiate On<br>
KrbMethodK5Passwd Off<br>
KrbAuthRealms &lt;insert your Kerberos realm here&gt;<br>
Krb5KeyTab /etc/httpd/conf/keytab<br>
Require valid-user<br>
</blockquote></div><br>You may also need to set AllowOverride in your Apache config to allow
some of these directives to be placed in .htaccess--some configurations
have this set to "none" by default.<br>
<br> * <a href="http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride" target="_blank">http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride</a><br>
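The AllowOverride point above, as an added configuration example that is not part of the original messages: the setting that makes Apache ignore .htaccess, beside two ways to get the Kerberos directives applied. The path /var/www/rt is a hypothetical RT document root, and the override class of the Krb* directives is an assumption noted in the comments.

```apache
# Added example. /var/www/rt is a hypothetical path for the RT document root.
# The three <Directory> blocks are alternatives; use only one of them.

# Before: .htaccess files under this tree are not read at all,
# so Kerberos directives placed in .htaccess never take effect.
<Directory "/var/www/rt">
    AllowOverride None
</Directory>

# After (option 1): allow only authentication/authorization directives
# in .htaccess instead of opening every override class with "All".
# AuthType, AuthName and Require belong to the AuthConfig class.
# Assumption: mod_auth_kerb registers its Krb* directives under AuthConfig too.
<Directory "/var/www/rt">
    AllowOverride AuthConfig
</Directory>

# After (option 2): keep .htaccess disabled and put the directives from
# the quoted message into the server configuration itself.
<Directory "/var/www/rt">
    AllowOverride None
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbAuthRealms <insert your Kerberos realm here>
    Krb5KeyTab /etc/httpd/conf/keytab
    Require valid-user
</Directory>
```

Option 2 keeps the authentication policy out of files that live inside the web content tree, so changing it requires write access to the server configuration.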