SID-00003: Never Prompted for Login
| Status: | Answered | TWiki version: | 4.1.0 | Perl version: | 5.008005 |
| Category: | CategoryAuthentication | Server OS: | Linux 2.6.9-67.ELsmp #1 SMP | Last update: | 17 years ago |
Whenever a user should be prompted to log in, no prompt is given and instead an error page is displayed with Access Denied. The message says: "Access check on {Current Web} failed. Action "{attach, edit, viewauth, rename, (basically anything listed in AuthScripts)}": authentication required." This wasn't always happening, and users were at one point able to log in. I've been changing the httpd.conf to require a login for other parts of the server and I'm not sure why that would cause this to happen. I've been using ApacheLogin for the TWiki authentication.
I have
<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|.*auth).*">
require valid-user
</FilesMatch>
in my twiki.conf file but it doesn't seem to do anything anymore. I tried using .htaccess in the bin folder with the same information but nothing really happened there either.
What causes an access check to fail? If the check doesn't fail the password prompt would probably be displayed.
Installed Plugins: SpreadSheet Comment EditTable Interwiki Preferences SlideShow Smilies Table Twisty
--
TWikiGuest - 30 Dec 2008
Progress
I have discovered that the reason why I wasn't given a logon prompt was my config of the httpd.conf file. I was locking the entire site down with
<Directory />
...
AuthName "login Required"
{Password settings}
Satisfy any
...
Deny from all
Allow from {internal IP}
</Directory>
When browsing from the internal IP the password prompt wasn't given, I assume due to the directory "satisfy any", and when from an external IP the password prompt wasn't needed because the TWiki treated the main login as the same.
I have no issue with linking the overall site login with the TWiki users for external addresses. What I do need to know is how I can get a prompt for an internal IP address when a user with an internal address wants to log on for editing and the like.
I keep playing with the configuration, trying to get an Apache login for the IP address that forwards to our server (all external users have that address) while at the same time not requiring a login to view for internal IP addresses but prompting to log in when we need to track changes. The best I've gotten uses "satisfy any" in <directory />, but when that is used internal IP users cannot log on to the TWiki. No prompt is given and the error message stating that authentication is required is displayed.
Is there another conditional that can be used to allow viewing without login for partial IPs and requiring authentication for a specific IP?
I figured out that I needed to add to the <FilesMatch> directive for TWiki scripts in order to require local accounts to authenticate.
Adding:
<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|.*auth).*">
satisfy all
require valid-user
allow from {external IP}
</FilesMatch>
did the trick. However, when connecting from the external IP, editing and adding to the TWiki is not possible. The error "this page cannot be found" is given when trying to create or edit a topic, as well as after confirming a change to the user such as email address.
Has there been an issue like this?
I noticed that on clicking edit the URL is given a parameter "?t={somenumbers}". If I remove this from the URL, the edit script is displayed properly and I can save changes. Why would the parameters cause a "the page cannot be found" error?
Nothing seems to work when trying to view an attachment. I always get "the page cannot be found".
InternetAndIntranetAccessAndHtaccess seems to discuss a situation that is similar to mine. I'm not sure if it completely applies. Was there ever a how-to for TWikis on servers on NAT'd networks?
The final problem was caused by the fact that I was testing on an old version of IE and needed the "BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On" line added to my Apache conf file. Everything seems to work now.
--
TWikiGuest - 16 Jan 2009
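The access rules discussed in the post above, laid out as an added Apache 2.2 example (not the poster's actual configuration): the site-wide "Satisfy any" rule, the script block that inherits it and so never challenges an internal client, and a script block that sets "Satisfy all". The paths, the 10.0.0.0/8 range, the Order lines, the digest provider settings and the "Allow from all" host rule are assumptions; the post itself used "allow from {external IP}".

```apache
# Added example, Apache 2.2 syntax. Paths and addresses are placeholders.

# Site-wide rule as described in the post: a request passes if EITHER the
# client address is allowed OR the user authenticates.
<Directory />
    AuthType Digest
    AuthName "login Required"
    AuthDigestProvider file
    AuthUserFile /path/to/.htdigest
    Require valid-user
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/8
    Satisfy any
</Directory>

<Directory "/path/to/twiki/bin">
    # Before: this block inherits "Satisfy any" from above. An internal
    # client already passes the address test, so Apache never sends a 401,
    # REMOTE_USER stays empty, and TWiki (ApacheLogin) answers
    # "authentication required" instead of showing a prompt.
    #
    # <FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|.*auth).*">
    #     Require valid-user
    # </FilesMatch>

    # After: the authenticated scripts demand BOTH tests. The address test
    # is opened to every client so that the login is the deciding check,
    # for internal and external clients alike.
    <FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|.*auth).*">
        Order allow,deny
        Allow from all
        Satisfy all
        Require valid-user
    </FilesMatch>
</Directory>

# From the post: old Internet Explorer versions break digest authentication
# on URLs with a query string (such as edit?t=...) without this.
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
```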
Answer
I am glad it worked out. Next time, it might be easier to generate the Apache config file, see ApacheConfigGenerator.
--
PeterThoeny - 18 Jan 2009