Issues with auth_webserver in 2.0x compared to 1.9x

5 years 1 week ago #94748 by Andy_K
Andy_K created the topic: Issues with auth_webserver in 2.0x compared to 1.9x
Upgrading from Version 1.90+ Build 9642 to Version 2.00+ Build 130325.
Windows Server 2008 R2
IIS 7.5
PHP 5.4.11

We are installing fresh on a new server and new MySQL database with an import of the existing data, so we are currently testing with the ability to make changes without harming the live system.

Installing the new version and the upgrade of old data went fine.
We are able to log on fine with the local account.

Set auth_webserver to true and set up the IIS authentication on the relevant admin folders.
Set auth_webserver_user_map to a shared Active Directory account to the local user.

Logging in with the shared account will successfully be recognised as the local account.
Logging in with an existing username from the old system will not be recognised.

We did some digging and narrowed it down to the following:
Webserver authentication works as the username is being passed along.
The username is not being recognised as being in the existing user list.
By getting it to output the user string at several points, the AD Domain is being stripped from the user string.

In the 1.9x version, the domain was kept intact, so all the users are entered as DOMAIN\username.
If this was a new installation this would not cause a problem, as we could just enter users as username-only, but we have an existing user base with historical data that we wish to preserve.

We were able to narrow it down to the following code fragment, lines 80 & 81 in UserIdentity.php:

    if (strpos($sUser,"\\")!==false) {
        $sUser = substr($sUser, strrpos($sUser, "\\")+1);

These strip out the domain from the username string, meaning that the authenticated usernames no longer match those in the existing user list. We can get it to work by commenting out the lines but we are hesitant to go live with this approach as it could be affected by future updates.

This leaves us with a few questions:

Is this a bug, as the 1.9x behaviour is significantly changed for 2.0x?
Is this the new expected behaviour?
If this is the behaviour going forward, is it possible for us to edit the existing user list to not include "DOMAIN\" portion? Can we edit it directly in the database, or would that impact data integrity?


5 years 1 week ago #94776 by mdekker
mdekker replied the topic: Issues with auth_webserver in 2.0x compared to 1.9x
At first web auth was lost in 2.00 and it was added back in later. It was not mentioned/noticed before that the behaviour had changed. Please file a bug report about this and we will discuss this in the team.

You can copy your message in the bug report.

Menno Dekker
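
The lookup problem discussed in this thread, as an added example that is not LimeSurvey code and not from either poster: it matches the web-server identity against the stored list without discarding the domain, so an account from a different domain cannot land on an existing `DOMAIN\username` entry. The function names and the stored user list are hypothetical and constructed for illustration; it assumes PHP 7.1 or later.

```php
<?php
// Added example; hypothetical helper names, constructed sample data.

/** Split a web-server supplied identity into [domain, account]. */
function splitRemoteUser(string $remoteUser): array
{
    $remoteUser = trim($remoteUser);
    if (($pos = strrpos($remoteUser, '\\')) !== false) {   // DOMAIN\user
        return [substr($remoteUser, 0, $pos), substr($remoteUser, $pos + 1)];
    }
    if (($pos = strrpos($remoteUser, '@')) !== false) {    // user@domain
        return [substr($remoteUser, $pos + 1), substr($remoteUser, 0, $pos)];
    }
    return ['', $remoteUser];                              // bare account name
}

/**
 * Resolve an authenticated identity to a stored user name, or null to reject.
 * 1. Exact, case-insensitive match on the full string (1.9x-style DOMAIN\user rows).
 * 2. Account-only match, but only when one side carries no domain at all and
 *    exactly one stored row qualifies. Two different domains never match.
 */
function resolveStoredUser(string $remoteUser, array $storedUsers): ?string
{
    foreach ($storedUsers as $stored) {
        if (strcasecmp($stored, trim($remoteUser)) === 0) {
            return $stored;
        }
    }
    [$domain, $account] = splitRemoteUser($remoteUser);
    $candidates = [];
    foreach ($storedUsers as $stored) {
        [$storedDomain, $storedAccount] = splitRemoteUser($stored);
        $domainCompatible = ($domain === '' || $storedDomain === '');
        if ($domainCompatible && strcasecmp($storedAccount, $account) === 0) {
            $candidates[] = $stored;
        }
    }
    return count($candidates) === 1 ? $candidates[0] : null;
}

// Constructed user list mixing 1.9x-style and username-only entries.
$stored = ['CORP\\alice', 'LAB\\alice', 'bob', 'admin'];
foreach (['CORP\\alice', 'corp\\ALICE', 'CORP\\bob', 'alice', 'OTHER\\alice'] as $id) {
    printf("%-12s => %s\n", $id, resolveStoredUser($id, $stored) ?? '(rejected)');
}
```

With unconditional domain stripping, `OTHER\alice` and a bare `alice` would both be looked up as `alice`; here the first is rejected because its domain differs from every stored entry and the second because two stored entries share that account name.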
