auto login with windows credentials

[browndogforever]

Is there a was to have sugar bypass the login screen and just use the AD user the person is logged into the domain with?


Windows server 2003
Sugar 5.1.0a faststack
Using LDAP

[eggsurplus]

Are you talking about a SSO solution like Kerberos?

[browndogforever]

Yes I believe so.

[eggsurplus]

It may be possible with some custom coding. However, this is rarely implemented as it's a huge security risk as anyone who gets access to the machine that is logged in then has the ability to go into Sugar as that user. There are a couple of limitations of a solution like Kerberos as well but I can't recall them off hand. What I'd recommend in your case is just doing a simple LDAP authentication so that they don't need another user/pass.

[browndogforever]

I am using LDAP. The issue is when they close the browser they need to re-login this happens several times a day. My domain and machine policies are solid. Just looking for a way to make it easier on the user.

[kuske]

Just searching resp. developing such a solution.

The problem is that the webserver does not know who you are!
And there is no simple way for the webserver to find the calling user.

If you want to use cookies this implements a big security gap!

One possible solution could be to ask the LDAP system "who is the user on remote ip address $SERVER[REMOTE_HOST]" and than use this user for login.
This is a security gab too, even if it is not so big as the above mentioned.

A real good solution I could see yesterday on the SugarConference in Munich, it works with an USB stick for user identification.

[dorphalsig]

Just searching resp. developing such a solution.

The problem is that the webserver does not know who you are!
And there is no simple way for the webserver to find the calling user.

I've implemented this for SugarCE 4.5 and SugarOS 5.0 running on a win2k3 server, single sign-on. Its got two parts.
The first one, where the user gets authenticated vs AD and the second one the valid user obtained from the previous step is validated vs the sugar users database (no password is checked at this point, so no login screen will appear).