Forum OpenACS Q&A: SingleSignOn Implementation
I'm trying to implement a single sign-on to our OpenACS web application, where users who are logged in on Windows and have an ActiveDirectory user should be logged in automatically at the web application.
We are using NaviServer 4.99.
I have already installed openldap and with ns_authpam I can let the user login with his AD login credentials and get further information about the user from ldap.
I tried to use Kerberos (and got a keytab file from the AD provider for our domain) for the SSO, but I'm not getting any information from the header about whether the user is authorized. For AOLserver I found spnego, which could maybe help, but I did not find something like that for NaviServer.
Does somebody have experience with that or know what modules/tools should be used?
Hi and welcome.
I believe this should work with the TWAPI SSPI package http://twapi.sourceforge.net/v4.0/sspi.html
You may need ASN too https://core.tcl.tk/tcllib/doc/trunk/embedded/www/tcllib/files/modules/asn/asn.html
I forgot to mention that we use Ubuntu 14.04 on our server where NaviServer is installed.
The AD is installed on another server.
TWAPI SSPI requires Windows.
The implementation of the NaviServer (and AOLserver) module is based on the Apache module mod_spnego and supports Kerberos. I have just helped porting and compiling the module. Sabine says that it works nicely for single sign-on for their customers. The NaviServer module is available from 
No, this package is meant to log in the user who is currently logged in, as a Single Sign On solution.
If you want a Single Credential solution where you can log in any user from a specified AD, you can use openldap with ns_authpam. You have to build your own prompt form and check the input with ns_authpam.
This is how we do SSO in ]project-open[:
"Real" SSO Windows -> ]po[:
We implement "real" SSO in a Windows Server based infrastructure by a small Web site running on an M$ IIS with a small .asp script that authenticates the user against the M$ domain.
sUser = Request.ServerVariables("AUTH_USER")
So we know who is the guy visiting this page. Then we generate a crypto-token and forward the user to a ]po[ page that checks the token. You can find these files in the ]po[ package intranet-core/www/single-sign-on/, available for anonymous access from the ]po[ CVS server on HEAD.
So this is "real" SSO, because the user doesn't need to provide his or her password.
ActiveDirectory -> ]po[
As an alternative, ]po[ has a special package to authenticate a user against a Windows Active Directory called "auth-ldap-adldapsearch", available from ]po[ CVS. This package is based on auth-ldap, but includes code specific to M$ Active Directory and the LDAP scheme they are using. It also includes code for parsing the AD user directory and batch-importing these users into OpenACS / ]po[.
All relevant code is available under the GPL v2 or higher license.
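The IIS -> ]po[ hand-off above rests entirely on the "crypto-token" the .asp page generates: if the ]po[ check page cannot tell a forged or replayed token from a fresh one, anyone who can reach that page can log in as any AUTH_USER value they like. The following is an added example (Python, not ]project-open[ code) of how such a token can be issued and checked: the shared secret, the user|expiry|nonce layout and the 60-second lifetime are assumptions, not the ]po[ format.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed secret: both the issuing IIS script and the ]po[ check page
# must hold the same random value, read from configuration, never hardcoded.
SHARED_SECRET = b"constructed-example-secret-replace-with-random-bytes"
TOKEN_LIFETIME = 60  # seconds a hand-off token stays valid (assumption)


def make_token(user, secret=SHARED_SECRET, now=None, lifetime=TOKEN_LIFETIME):
    """Issuer side (the IIS .asp page): bind the authenticated AUTH_USER
    value to an expiry and a random nonce, then HMAC the whole payload."""
    now = int(time.time()) if now is None else now
    nonce = base64.urlsafe_b64encode(os.urandom(16)).decode().rstrip("=")
    payload = f"{user}|{now + lifetime}|{nonce}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(payload + b"|" + mac).decode()


def verify_token(token, secret=SHARED_SECRET, now=None, seen_nonces=None):
    """Receiving side (the ]po[ single-sign-on page): return the user name
    only if the token is authentic, unexpired and (optionally) unseen."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, mac = raw.rsplit(b"|", 1)          # hex MAC never contains '|'
        expected = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(mac, expected):
            return None                             # forged or tampered token
        user, expiry, nonce = payload.decode().rsplit("|", 2)
        if now >= int(expiry):
            return None                             # stale hand-off
    except (ValueError, UnicodeDecodeError):
        return None                                 # malformed token
    if seen_nonces is not None:
        if nonce in seen_nonces:
            return None                             # replayed token
        seen_nonces.add(nonce)                      # remember until expiry
    return user
```

The nonce store only needs to retain values until their expiry passes, which keeps a server-side set small even on a busy site.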