Using Windows Login Credentials for Single Sign On (NTLM authentication)

Most users are lazy and don’t want to enter login credentials each time they start an Oracle APEX application. They tell you,

“Hey, I have already logged in to my computer, can’t you use that information for the APEX application?”

Sure we can! The NTLM protocol is one way to do that.

Instructions on how to integrate mod_ntlm have been around for quite some time. See the article on HTMLDB Studio and a more up-to-date version by Martin Köb of GreenIT. But that always involves installing mod_ntlm on your Apache.

Jason Straub, a member of the Oracle APEX development team, did some digging and found a PL/SQL-only solution which doesn’t require mod_ntlm. Have a look at his first blog posting called “NTLM HTTP Authentication and Application Express” and welcome him as a new member of the Oracle APEX blogging community!

Jason, welcome and keep blogging such great articles!

3 Responses to “Using Windows Login Credentials for Single Sign On (NTLM authentication)”

  1. Jason Straub Says:

    Patrick:

    Thanks for the plug. I have incorporated your suggestions.

    Jason

  2. jhonny Says:

    Patrick, you should be careful not to trick readers into thinking that the PL/SQL solution actually works :)
    As I’ve commented on Jason’s blog, he doesn’t authenticate against a domain controller. So mod_ntlm remains the solution.
    Jason’s solution is cool, but as he says in response to my comment:
    “The example posted here was meant as a PL/SQL only solution for tricking the browser into providing an NTLM token, and then decoding that token and using that value as the user in an Application Express application. It was meant to be used in some Intranet scenarios, and is obviously not meant to be a security solution.”
    So if you really want NTLM + APEX you should go the mod_ntlm way. That’s what I did.
    Martin Köb also has a really good tutorial but he doesn’t include a way to have group membership checking against Active Directory.
    I know I’ve struggled enough with dbms_ldap to achieve it.
    I’ve written a tutorial that explains everything – from what Active Directory is – to how to have group membership.
    For those interested: http://withasmiletomeltathousandhearts.wordpress.com/2009/01/29/apex-windows-integrated-authentication/

  3. Patrick Wolf Says:

    Hi,

    you are right. BTW, really nice article explaining Active Directory and what’s going on with mod_plsql.

    Patrick
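The point raised in the second comment, shown as an added example (not code from this post, from Jason Straub's article or from any commenter): decoding an NTLM Type 3 message yields user, domain and workstation strings that the client wrote itself, and only the NT response, which has to be checked against a domain controller, proves anything. The function names and the sample values `CORP`, `alice` and `WS01` are assumptions made for the illustration, and non-Unicode (OEM) strings are simplified to ASCII.

```python
import base64
import struct

NEGOTIATE_UNICODE = 0x00000001  # NTLMSSP flag: strings are UTF-16LE

def _buf(msg, pos):
    """Read one security buffer (len, maxlen, offset) and return its bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def parse_type3(header_value):
    """Decode an 'NTLM <base64>' header carrying a Type 3 (authenticate) message."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(b64, validate=True)
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not a Type 3 message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    return {
        "domain": _buf(msg, 28).decode(enc),       # client-supplied, unverified
        "user": _buf(msg, 36).decode(enc),         # client-supplied, unverified
        "workstation": _buf(msg, 44).decode(enc),  # client-supplied, unverified
        "nt_response": _buf(msg, 20),  # only this proves password knowledge,
    }                                  # and only a domain controller can check it

def sample_type3(domain, user, workstation, nt_response=b"\x00" * 24):
    """Constructed test message; nothing in it comes from a real login."""
    fields = [b"", nt_response] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    header, payload = b"", b""
    for f in fields:  # LM, NT, domain, user, workstation, session key
        header += struct.pack("<HHI", len(f), len(f), 64 + len(payload))
        payload += f
    blob = b"NTLMSSP\x00" + struct.pack("<I", 3) + header + struct.pack("<I", NEGOTIATE_UNICODE) + payload
    return "NTLM " + base64.b64encode(blob).decode()

if __name__ == "__main__":
    parsed = parse_type3(sample_type3("CORP", "alice", "WS01"))
    print(parsed["domain"], parsed["user"], parsed["nt_response"].hex())
```

The all-zero NT response in the constructed sample parses without complaint, which is why the decoded user name should not be treated as an authenticated identity unless something such as mod_ntlm validates the response against the domain.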
