{"id":15046620,"url":"https://github.com/auth0/passport-windowsauth","last_synced_at":"2025-04-04T21:08:43.808Z","repository":{"id":494683,"uuid":"8274348","full_name":"auth0/passport-windowsauth","owner":"auth0","description":"Windows Authentication strategy for Passport.js","archived":false,"fork":false,"pushed_at":"2024-06-07T16:11:07.000Z","size":57,"stargazers_count":180,"open_issues_count":40,"forks_count":51,"subscribers_count":113,"default_branch":"master","last_synced_at":"2025-03-28T20:07:48.867Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/auth0.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2013-02-18T18:24:04.000Z","updated_at":"2025-01-08T20:08:32.000Z","dependencies_parsed_at":"2024-06-07T17:52:33.290Z","dependency_job_id":null,"html_url":"https://github.com/auth0/passport-windowsauth","commit_stats":{"total_commits":64,"total_committers":16,"mean_commits":4.0,"dds":0.28125,"last_synced_commit":"d2163bf011da13c5a3e1b8c937391b2fe46a0a01"},"previous_names":[],"tags_count":20,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/auth0%2Fpassport-windowsauth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/auth0%2Fpassport-windowsauth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/auth0%2Fpassport-windowsauth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/auth0%2Fpasspo
rt-windowsauth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/auth0","download_url":"https://codeload.github.com/auth0/passport-windowsauth/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247249526,"owners_count":20908212,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-09-24T20:53:18.465Z","updated_at":"2025-04-04T21:08:43.792Z","avatar_url":"https://github.com/auth0.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"Windows Authentication strategy for Passport.js.\n\n## Install\n\n    npm install passport-windowsauth\n\n## Introduction\n\nThis module authenticates users against an LDAP directory. It works in two modes: **Integrated Authentication** (often referred to as NTLM) or **Form Authentication**.\n\n## Integrated Authentication (IIS)\n\nIn this mode, the strategy reads a special server variable from IIS (more info about this [here](https://github.com/tjanczuk/iisnode/issues/87)) and then generates a profile. You can **optionally** pass LDAP credentials to fetch the profile from Active Directory.\n\n**In your IIS application authentication settings, disable Anonymous and enable Windows Authentication.**\n\nConfigure iisnode to pass the special variable ```LOGON_USER``` from IIS to node:\n\n~~~xml\n\u003cconfiguration\u003e\n  \u003csystem.webServer\u003e\n    \u003c!-- ... 
--\u003e\n    \u003ciisnode promoteServerVars=\"LOGON_USER\" /\u003e\n  \u003c/system.webServer\u003e\n\u003c/configuration\u003e\n~~~\n\nIf you want to use it with LDAP:\n\n~~~javascript\nvar passport = require('passport');\nvar WindowsStrategy = require('passport-windowsauth');\n\npassport.use(new WindowsStrategy({\n  ldap: {\n    url:             'ldap://wellscordoba.wellscordobabank.com/DC=wellscordobabank,DC=com',\n    base:            'DC=wellscordobabank,DC=com',\n    bindDN:          'someAccount',\n    bindCredentials: 'andItsPass'\n  }\n}, function(profile, done){\n  User.findOrCreate({ waId: profile.id }, function (err, user) {\n    done(err, user);\n  });\n}));\n~~~\n\nIf you want to use it without LDAP:\n\n~~~javascript\nvar passport = require('passport');\nvar WindowsStrategy = require('passport-windowsauth');\n\n// passport.use() needs a strategy instance; with no LDAP options only the verify callback is passed.\npassport.use(new WindowsStrategy(function(profile, done){\n  User.findOrCreate({ waId: profile.id }, function (err, user) {\n    done(err, user);\n  });\n}));\n~~~\n\nNOTE: in this case the profile only has ```displayName``` and ```id```, both containing just the logon name.\n\nThen use the strategy in a route as follows:\n\n~~~javascript\napp.get('/express-passport',\n  passport.authenticate('WindowsAuthentication'),\n  function (req, res){\n    res.json(req.user);\n  });\n~~~\n\n## Integrated Authentication with Apache and mod_auth_kerb\n\nYou can take advantage of [mod_auth_kerb](http://modauthkerb.sourceforge.net/) on Linux by using Apache as a reverse proxy to your node application. 
The configuration is not a _walk in the park_ but after you have everything configured it just works.\n\n#### 1. Generate a keytab in Windows\n\n~~~\nktpass\n-princ service/server.CONTOSO.COM@CONTOSO.COM\n-mapuser user@CONTOSO.COM\n-crypto RC4-HMAC-NT\n-ptype KRB5_NT_PRINCIPAL\n-pass passssswwword\n-out FILE.keytab\n~~~\n\n#### 2. Check your /etc/krb5.conf\n\n~~~\nkinit user@CONTOSO.COM\n~~~\n\nYou should be able to log in from the Linux machine.\n\n#### 3. Check your keytab is okay\n\n~~~\nkinit -V -kt FILE.keytab service/server.CONTOSO.COM@CONTOSO.COM\n~~~\n\n#### 4. Install Apache with the modules\n\nThe modules you need are `mod-auth-kerb`, `proxy`, `proxy_http`, `headers`, `rewrite`.\n\n#### 5. Configure your Apache\n\n~~~\n\u003cVirtualHost *:8001\u003e\n  ServerAdmin webmaster@localhost\n\n  ProxyPassInterpolateEnv On\n  # http://localhost:3000/ is the node.js app\n  ProxyPass / http://localhost:3000/\n  ProxyPassReverse / http://localhost:3000/\n  RewriteEngine On\n  RewriteCond %{LA-U:REMOTE_USER} (.+)\n  RewriteRule . 
- [E=RU:%1]\n  RequestHeader set X-Forwarded-User %{RU}e\n\n  \u003cProxy *\u003e\n      Order deny,allow\n      Allow from all\n  \u003c/Proxy\u003e\n\n  \u003cLocation /\u003e\n      AuthName \"Kerberos Login\"\n      AuthType Kerberos\n      # VERY IMPORTANT\n      Krb5Keytab /path/to/your/FILE.keytab\n      KrbAuthRealm CONTOSO.COM\n      KrbMethodNegotiate on\n      KrbSaveCredentials off\n      KrbVerifyKDC off\n      KrbServiceName SERVICE/server.CONTOSO.COM\n      Require valid-user\n  \u003c/Location\u003e\n\n  ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/\n  \u003cDirectory \"/usr/lib/cgi-bin\"\u003e\n    AllowOverride None\n    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch\n    Order allow,deny\n    Allow from all\n  \u003c/Directory\u003e\n\n  ErrorLog ${APACHE_LOG_DIR}/error.log\n\n  CustomLog ${APACHE_LOG_DIR}/access.log combined\n\u003c/VirtualHost\u003e\n~~~\n\n#### 6. Configure Passport.js\n\n~~~javascript\nvar passport = require('passport');\nvar WindowsStrategy = require('passport-windowsauth');\n\npassport.use(new WindowsStrategy({\n  ldap: {\n    url:             'ldap://wellscordoba.wellscordobabank.com/DC=wellscordobabank,DC=com',\n    base:            'DC=wellscordobabank,DC=com',\n    bindDN:          'someAccount',\n    bindCredentials: 'andItsPass'\n  },\n  getUserNameFromHeader: function (req) {\n    // In the Apache config above we set the X-Forwarded-User header.\n    // mod_auth_kerb uses user@domain\n    return req.headers['x-forwarded-user'].split('@')[0];\n  }\n}, function(profile, done){\n  User.findOrCreate({ waId: profile.id }, function (err, user) {\n    done(err, user);\n  });\n}));\n~~~\n\n\n## Non-integrated authentication\n\nYou can use this module to authenticate users against an LDAP server without integrated authentication.\nYou will prompt the user for their username and password in a form like this:\n\n~~~html\n\u003cform action=\"/login\" method=\"post\"\u003e\n    \u003cdiv\u003e\n        
\u003clabel\u003eUsername:\u003c/label\u003e\n        \u003cinput type=\"text\" name=\"username\"/\u003e\n    \u003c/div\u003e\n    \u003cdiv\u003e\n        \u003clabel\u003ePassword:\u003c/label\u003e\n        \u003cinput type=\"password\" name=\"password\"/\u003e\n    \u003c/div\u003e\n    \u003cdiv\u003e\n        \u003cinput type=\"submit\" value=\"Log In\"/\u003e\n    \u003c/div\u003e\n\u003c/form\u003e\n~~~\n\nand then have a route like this:\n\n~~~javascript\napp.post('/login',\n  passport.authenticate('WindowsAuthentication', {\n                                  successRedirect: '/',\n                                  failureRedirect: '/login',\n                                  failureFlash:    true })\n);\n~~~\n\nThe same configuration as explained above is required, with the ```integrated``` option set to false:\n\n~~~javascript\nvar passport = require('passport');\nvar WindowsStrategy = require('passport-windowsauth');\n\npassport.use(new WindowsStrategy({\n  ldap: {\n    url:             'ldap://wellscordoba.wellscordobabank.com/DC=wellscordobabank,DC=com',\n    base:            'DC=wellscordobabank,DC=com',\n    bindDN:          'someAccount',\n    bindCredentials: 'andItsPass'\n  },\n  integrated:      false\n}, function(profile, done){\n  User.findOrCreate({ waId: profile.id }, function (err, user) {\n    done(err, user);\n  });\n}));\n~~~\n\n## Example profile from LDAP\n\nWhen you use the LDAP integration, the profile follows the [Passport.js user profile convention](http://passportjs.org/guide/profile/) and also has a `_json` property containing the whole profile.\n\nExample:\n\n~~~json\n{\n  \"id\": \"fe59e96-4d82-431e-816a-5a688e4ab547\",\n  \"displayName\": \"Jose Romaniello\",\n  \"name\": {\n    \"familyName\": \"Romaniello\",\n    \"givenName\": \"Jose\"\n  },\n  \"emails\": [\n    {\n      \"value\": \"jromaniello@wellscordoba.com\"\n    }\n  ],\n  \"_json\": {\n    \"dn\": \"CN=Jose Romaniello,CN=Users,DC=wellscordobabank,DC=com\",\n    \"controls\": 
[],\n    \"objectClass\": [\n      \"top\",\n      \"person\",\n      \"organizationalPerson\",\n      \"user\"\n    ],\n    \"cn\": \"Jose Romaniello\",\n    \"sn\": \"Romaniello\",\n    \"title\": \"cantante desafinado - programador\",\n    \"physicalDeliveryOfficeName\": \"Chief Architect\",\n    \"telephoneNumber\": \"+543519998822\",\n    \"givenName\": \"Jose\",\n    \"distinguishedName\": \"CN=Jose Romaniello,CN=Users,DC=wellscordobabank,DC=com\",\n    \"instanceType\": \"4\",\n    \"whenCreated\": \"20130220172116.0Z\",\n    \"whenChanged\": \"20130220183149.0Z\",\n    \"displayName\": \"Jose Romaniello\",\n    \"uSNCreated\": \"12717\",\n    \"uSNChanged\": \"12792\",\n    \"company\": \"Wells Cordoba Bank\",\n    \"name\": \"Jose Romaniello\",\n    \"objectGUID\": \"fe59e96-4d82-431e-816a-5a688e4ab547\",\n    \"userAccountControl\": \"66048\",\n    \"badPwdCount\": \"0\",\n    \"codePage\": \"0\",\n    \"countryCode\": \"0\",\n    \"badPasswordTime\": \"0\",\n    \"lastLogoff\": \"0\",\n    \"lastLogon\": \"0\",\n    \"pwdLastSet\": \"130058544776047558\",\n    \"primaryGroupID\": \"513\",\n    \"objectSid\": \"\\u0001\\u0005\\u0000\\u0000\\u0000\\u0000\\u0000\\u0005\\u0015\\u0000\\u0000\\u0000��=��\\u001d��uQ��O\\u0004\\u0000\\u0000\",\n    \"accountExpires\": \"9223372036854775807\",\n    \"logonCount\": \"0\",\n    \"sAMAccountName\": \"jromaniello\",\n    \"sAMAccountType\": \"805306368\",\n    \"userPrincipalName\": \"jromaniello@wellscordobabank.com\",\n    \"objectCategory\": \"CN=Person,CN=Schema,CN=Configuration,DC=wellscordobabank,DC=com\",\n    \"dSCorePropagationData\": [\n      \"20130220172118.0Z\",\n      \"16010101000000.0Z\"\n    ],\n    \"lastLogonTimestamp\": \"130058572786126285\",\n    \"mail\": \"jromaniello@wellscordobabank.com\"\n  }\n}\n~~~\n\n## Issue Reporting\n\nIf you have found a bug or if you have a feature request, please report them at this repository issues section. 
Please do not report security vulnerabilities on the public GitHub issue tracker. The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for disclosing security issues.\n\n## Author\n\n[Auth0](auth0.com)\n\n## License\n\nThis project is licensed under the MIT license. See the [LICENSE](LICENSE) file for more info.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fauth0%2Fpassport-windowsauth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fauth0%2Fpassport-windowsauth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fauth0%2Fpassport-windowsauth/lists"}