[rt-users] NTLM-based Single Sign-On doesn't work - RT continues to present login screen

Ruslan Zakirov ruslan.zakirov at gmail.com
Thu Apr 15 13:31:09 EDT 2010

On Thu, Apr 15, 2010 at 3:47 AM, Gladkovich, Sergey
<SGladkovich at archinsurance.com> wrote:
> Hi,
> I have a working instance of RT 3.8.7 running under Apache 2.2.3 on RHEL
> 5.4.  The instance has been set up to authenticate users against Active
> Directory via RT::Authen::ExternalAuth & LDAP.  The LDAP authentication
> works fine (i.e. users log in with their AD credentials, and new users get
> created in RT when ticket requests come in via e-mail.)
> Now I need to implement Single Sign-On, so that the users at MSWin
> workstation could simply browse to the RT interface without having to type
> in their username/password again.  To do this I’ve followed the instructions
> outlined at http://blank.org/memory/output/rt-ad-sso.html and at
> http://wiki.bestpractical.com/view/NtlmAuthentication. I’ve also searched
> around the RT mailing list archives but couldn’t find anything that
> described the problem I’m having.
> The problem is that RT still presents the login screen when you go to its
> URL for the first time.
> My main questions are:
> Can NTLM & RT::Authen::ExternalAuth co-exist?

No, in terms of auth. As you use mod_ntlm and digest/basic HTTP auth,
so in RT you should enable WebExternalAuth to avoid login screen and
enable "trust apache auth". ExternalAuth extension also fetches info
from LDAP about users and put it into RT's DB. I'm not sure if this
extension still can do info fetching with WebExternalAuth enabled.

> Is there a way to get debugging output from mod_ntlm?

Read mod_ntlm docs.

> Are there any additional pointers or advice regarding single sign-on with
> RT?

In most cases single sign-on solutions are implemented as mod_xxxx for
apache, so apache does auth and pass username in environment variable
into RT. WebExternalAuth is the option to tell RT to trust the

> Besides this, any input on the issue would be highly appreciated.
> P.S.  Here what has been done so far, in a nutshell:

Best regards, Ruslan.

More information about the rt-users mailing list