I recently finished up a project for a company intranet using Windows. Though Windows is not my favorite environment, Django works flawlessly there so it usually doesn't present many problems. One of the features needed for the site was automatic authentication through integrated Windows security. To achieve this, I used an Apache module called modauthsspi to authenticate the user, and then modified Django to accept the server-supplied authentication. I had some difficulty finding clear instructions on how to do this, so I decided to make this the first post on the Adoleo Blog so that I can share this detailed howto with others in my situation.
Getting started
First, start with a working installation of Apache + Django on Windows. I'm using modpython, but I believe this tutorial should also work for modwsgi. If you need assistance setting Django up in a Windows environment, I found this link to be very helpful.
In my situation, I was already using the built-in django.contrib.auth, so I already had a superuser defined. This is not necessary, but I found it made things easy for me when I needed to set the auto-created User object up as a superuser later.
Installing modauthsspi
Download modauthsspi from SourceForge using this link.
Extract it, and then open the /modauthsspi-1.0.4/bin folder.
Copy modauthsspi.so to your Apache modules directory. Mine was at C:/Program Files/Apache Software Foundation/Apache2.2/modules.
Copy sspipkgs.exe to your Apache bin directory. Mine was C:/Program Files/Apache Software Foundation/Apache2.2/bin.
Configuring Apache
To configure Apache to use the module you just installed, you need to modify your httpd.conf. Add the following lines underneath the other LoadModule statements in the file:
<IfModule !mod_auth_sspi.c>
LoadModule sspi_auth_module modules/mod_auth_sspi.so
</IfModule>
Then, add the following lines to the Location setting for your Django project:
AuthName "YOURDOMAIN"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain "YOURDOMAIN"
SSPIOmitDomain On
SSPIUsernameCase "upper"
SSPIPerRequestAuth On
Require valid-user
Change AuthName and SSPIDomain to your domain name. You can use “upper” or “lower” in SSPIUsernameCase, depending on your preference. For reference, my location setting looked similar to this:
<Location "/">
AuthName "YOURDOMAIN"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain "YOURDOMAIN"
SSPIOmitDomain On
SSPIUsernameCase "upper"
SSPIPerRequestAuth On
Require valid-user
SetHandler python-program
PythonPath "['C:/django-projects','C:/django-plugins'] + sys.path"
PythonHandler django.core.handlers.modpython
SetEnv DJANGO_SETTINGS_MODULE myproject.settings
PythonDebug On
</Location>
Customizing the Django authentication backend and middleware
Next, Apply the most recent patch from ticket #689. You can get an up-to-date patch from this link.
After that open up your settings.py and add django.contrib.auth.middleware.RemoteUserAuthMiddleware to your MIDDLEWARECLASSES setting. Create a new AUTHENTICATIONBACKENDS setting to replace the default, and populate it with django.contrib.auth.backends.RemoteUserAuthBackend. After doing this, the authentication and middleware sections of my settings.py file looked like this:
MIDDLEWARE_CLASSES = (
'django.middleware.common.CommonMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.middleware.doc.XViewMiddleware',
'django.contrib.redirects.middleware.RedirectFallbackMiddleware',
'django.contrib.auth.middleware.RemoteUserAuthMiddleware',
)
AUTHENTICATION_BACKENDS = (
'django.contrib.auth.backends.RemoteUserAuthBackend',
)
Creating a superuser
At this point, the work is mostly done! Restart Apache, and fire up your browser. If you’re using IE and you are on the domain indicated in your httpd.conf, then it normally won't even prompt for the username and password.
The new backend and middleware will create a new user your Windows username. This user will not yet be able to log into the Admin console, however. To correct this, go back into your settings.py and comment out the RemoteUserAuthMiddleware line and the entire AUTHENTICATION_BACKENDS section.
Restart Apache, and log in with your previously established superuser. Fire up the admin interface and edit your newly created Windows-based user to add superuser privelages. Then, go back to settings.py, uncomment, restart Apache, and you should be all set. I deleted my old superuser and I'm using the Windows user from now on.
Hopefully this has helped you get up and running a lot faster than I did. Let me know in the comments if I've botched any part of this howto, and I'll be glad to update it.
Thanks!