Moodle 2.x SSO Failing

General

I’m not a huge fan of Moodle; it’s basically an unsupportable mess. However, the price (free) is very appealing in these times of no money, and so we are stuck with using it. One of the nice features is SSO using NTLM authentication. We use Microsoft Windows 2008 R2 with IIS 7.5 and PHP 5.4.9 with a Microsoft SQL 2008 R2 back end. We’re a Microsoft shop, so using Linux (although I’m capable, I’m the only one who knows how to use it).

So for SSO I’m going to assume you have it all set up already as per these instructions: http://docs.moodle.org/24/en/NTLM_authentication

The key is that the two main components of Moodle’s file storage (moodle – the website files, and moodledata – the content) are configured with the correct security permissions. If they are not, the SSO will fail with some odd errors, and it is very hard to find out why. The example errors are shown below:

From the WWW logs of IIS:

2013-05-30 11:16:55 172.xxx.5.219 GET /auth/ldap/ntlmsso_magic.php sesskey=UPBMw7jfE7 80 DOMAIN\fred.bloggs1 172.xxx.60.157 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+.NET4.0C;+.NET4.0E;+InfoPath.3) 503 0 0 187

Notice the 503 near the end: in the default W3C log format the last four fields are sc-status, sc-substatus, sc-win32-status and time-taken, so IIS answered the request to ntlmsso_magic.php with a 503 (Service Unavailable) after 187 ms. Note also that the cs-username field is populated (DOMAIN\fred.bloggs1), which means Windows authentication at the IIS level succeeded; the failure happens after that, when the PHP handler runs the request as that user.
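The triage above is easy to script. The following PowerShell is an added example, not code from the original post: it parses an IIS W3C log using the #Fields header (so it works whatever column order the site logs with) and lists requests to ntlmsso_magic.php that IIS authenticated (cs-username set) but answered with a 5xx, which is the signature described above. The embedded log text is constructed sample data; the IPs, user names and the log path in the usage comment are placeholders.

```powershell
# Added example (not from the original post). Finds authenticated requests to
# ntlmsso_magic.php that IIS answered with a 5xx, from an IIS W3C extended log.
# $sampleLog is constructed sample data; names and addresses are placeholders.

$sampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-05-30 11:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-05-30 11:16:55 172.16.5.219 GET /auth/ldap/ntlmsso_magic.php sesskey=UPBMw7jfE7 80 DOMAIN\fred.bloggs1 172.16.60.157 Mozilla/4.0+(compatible;+MSIE+8.0) 503 0 0 187
2013-05-30 11:16:56 172.16.5.219 GET /login/index.php - 80 - 172.16.60.157 Mozilla/4.0+(compatible;+MSIE+8.0) 200 0 0 31
2013-05-30 11:17:02 172.16.5.219 GET /auth/ldap/ntlmsso_magic.php sesskey=Ab12Cd34Ef 80 DOMAIN\jane.doe 172.16.60.158 Mozilla/4.0+(compatible;+MSIE+8.0) 200 0 0 45
'@

function Get-IisLogRecords {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # Column order is whatever the site's logging settings chose:
            # trust the header, never a fixed index.
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { throw 'Data line encountered before a #Fields header' }
        # W3C fields are space separated; spaces inside a value are logged as '+'.
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed lines
        $rec = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        [pscustomobject]$rec
    }
}

function Find-FailedNtlmSso {
    param([object[]]$Records)
    $Records | Where-Object {
        $_.'cs-uri-stem' -like '*/auth/ldap/ntlmsso_magic.php' -and
        [int]$_.'sc-status' -ge 500 -and
        $_.'cs-username' -ne '-'   # IIS did authenticate the caller; the failure is past the auth layer
    } | Select-Object date, time, 'cs-username', 'c-ip', 'sc-status', 'sc-substatus', 'sc-win32-status', 'time-taken'
}

# Usage against the constructed sample. For a real server, replace the -Lines value with
# e.g. (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex130530.log'); site ID and path are assumptions.
$records = Get-IisLogRecords -Lines ($sampleLog -split "`r?`n")
Find-FailedNtlmSso -Records $records | Format-Table -AutoSize
```

Against the sample this reports only the fred.bloggs1 line (503), not the anonymous login page hit or the successful SSO for jane.doe. If the same user shows up with a 5xx on ntlmsso_magic.php and then a 200 on /login/index.php a moment later, that is the "SSO failed, manual login works" pattern the post describes.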

So when logging in with NTLM, even though everything is configured as per the instructions and you’ve added the site URL to the Trusted Sites list in IE on the client, Moodle says “NTLM SSO failed” and redirects you to the normal logon page instead. Entering your details gets you in fine, but you are just not logged in automatically with NTLM.

So what can you do…..

You need to ensure the permissions of the moodle and moodledata folders are configured correctly; see below for an indication of a working configuration. Note: the entry that was highlighted in green in the original screenshot (the Domain Users group, listed last under moodledata) is the one you may need to adjust; if the other entries don’t appear, you have probably changed something to do with the default NTFS permissions on C:\inetpub.

In my case it was the “Domain Users (DOMAIN\Domain Users)” group I needed to add to the moodledata folder permissions as Modify, Read & Execute, List Folder Contents, Read and Write, or the NTLM-authenticated user was not getting logged in OK.

C:\inetpub\wwwroot\ – The Moodle website files (code) storage location.
CREATOR OWNER (Group) – Special
IUSR (Group) – Modify, Read & Execute, List Folder Contents, Read, Write
SYSTEM (Group) – Full Control
Administrators (ServerName\Administrators) (Group) – Full Control
Users (ServerName\Users) (Group) – Read & Execute, List Folder Contents, Read
IIS_IUSRS (ServerName\IIS_IUSRS) (Group) – Read & Execute, List Folder Contents, Read
TrustedInstaller – Full Control

C:\inetpub\moodledata\ – The Moodle data (content) storage location.
CREATOR OWNER (Group) – Special
IUSR (Group) – Modify, Read & Execute, List Folder Contents, Read, Write
SYSTEM (Group) – Full Control
Administrators (ServerName\Administrators) (Group) – Full Control
Users (ServerName\Users) (Group) – Read & Execute, List Folder Contents, Read
IIS_IUSRS (ServerName\IIS_IUSRS) (Group) – Read & Execute, List Folder Contents, Read
TrustedInstaller – Full Control
Domain Users (DOMAIN\Domain Users) (Group) – Modify, Read & Execute, List Folder Contents, Read, Write   (the entry to add; highlighted in green in the original)

So you need to ensure that the moodledata folder is configured with the correct permissions, or the user cannot access the storage and the login appears to fail. This is what you would expect when PHP runs under IIS FastCGI with fastcgi.impersonate = 1 in php.ini (the usual setting for PHP on IIS): on the NTLM path the php-cgi worker impersonates the Windows-authenticated caller, so its file access in moodledata is checked against that domain account rather than against IUSR. The issue is that Moodle doesn’t tell you there is an error; it just stops NTLM working, and you can log in fine manually. My guess is that the NTLM SSO tries to access a file that the user doesn’t have access to and fails, or that when you log in with the login form you are being logged in as the web server user rather than via NTLM, so your user account doesn’t need access to the files in the same way.

You may also need to add the Domain Users domain group to the moodle wwwroot folder too, but I’ve not had a reason to do this… yet.
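The permission fix above can be checked and applied without clicking through the Security tab. The following PowerShell is an added example, not code from the original post: it verifies that the Domain Users group holds Modify on moodledata (Modify on Windows is the bundle of the five boxes listed above), adds the ACE only when run with -Fix, and, as a least-privilege check, warns if the same group can write to wwwroot, since authenticated users should never be able to write PHP into the code directory. The paths and the DOMAIN name are assumptions; run it elevated on the web server.

```powershell
# Added example (not from the original post). Checks, and optionally adds, the
# Domain Users Modify ACE on moodledata that the post identifies as the fix for
# NTLM SSO failing. Paths and the domain name below are assumptions; run elevated.
param(
    [string]$MoodleData = 'C:\inetpub\moodledata',
    [string]$WebRoot    = 'C:\inetpub\wwwroot',
    [string]$Group      = 'DOMAIN\Domain Users',   # replace DOMAIN with your NetBIOS domain name
    [switch]$Fix                                   # without -Fix the script only reports
)

# FileSystemRights.Modify already includes ReadAndExecute, ListDirectory, Read and Write:
# exactly the five boxes ticked in the post.
$wanted  = [System.Security.AccessControl.FileSystemRights]::Modify
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

function Test-AceGrants {
    # True if an Allow ACE for $Identity on $Path covers every bit in $Rights.
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ieq $Identity -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $Rights) -eq $Rights)) {
            return $true
        }
    }
    return $false
}

function Grant-ModifyOnFolder {
    # Adds an inheritable Allow:Modify ACE for $Identity; existing ACEs are left alone.
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity, $wanted, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

if (Test-AceGrants -Path $MoodleData -Identity $Group -Rights $wanted) {
    Write-Host "$Group already has Modify on $MoodleData"
} elseif ($Fix) {
    Grant-ModifyOnFolder -Path $MoodleData -Identity $Group
    Write-Host "Granted Modify to $Group on $MoodleData"
} else {
    Write-Warning "$Group lacks Modify on $MoodleData (the condition that breaks NTLM SSO); re-run with -Fix to add it"
}

# Least-privilege check on the code directory: flag, never add, write access here.
$write = [System.Security.AccessControl.FileSystemRights]::Write
if (Test-AceGrants -Path $WebRoot -Identity $Group -Rights $write) {
    Write-Warning "$Group can write to $WebRoot; reduce that to Read & Execute"
}
```

The check uses a bitwise test rather than comparing the rights value to Modify exactly, so an ACE that grants Full Control (a superset) also passes. If you do end up needing Domain Users on wwwroot, grant Read & Execute only: Modify on the code directory would let any impersonated request write PHP under the site.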

Anyway, see how you go.