How to configure Apache/IIS to integrate with CQ5 SSO


In order to enable SSO authentication with CQ5, typically a 3rd party authority is required which pre-authenticates a user before a request is passed through to CQ5. How can this be achieved with IIS or Apache 2.x?


Answer, Resolution

As a prerequisite, SSO needs to be enabled on both CQ5 and CRX as well. Please refer to this kb-article how to set this up.

This article will describe how to integrate Windows NTLM authentication through Apache and IIS with CQ5 to enable SSO access to a CQ5 authoring instance. It is assumes that a working setup of the Dispatcher connected to CQ5 instance is in place.



Microsoft IIS already provides built-in support for NTLM authentication which can be enabled through configuration:

  • activate Integrated Windows authentication in the Directory Security tab of IIS for the CQ instance served by this IIS server
  • enable server-variables to be passed along with the request as headers
  • make sure your web site is listed in the Intranet zone in IE's security settings

To enable server variables, edit the disp_iis.ini file and set servervariables to 1. This link provides a list of variables available in IIS.
Typical headers are REMOTE_USER or LOGON_USER. Please make sure that the value for the user-ID matches the IDs of users in CQ.



Apache requires an additional module to enable NTLM authentication called mod_auth_sspi. The ID of the current Windows user can then be extracted from Apache"s REMOTE_USER environment variable which is sent as request header.

Example configuration of httpd.conf:

LoadModule sspi_auth_module modules/

<VirtualHost *:80>
  DocumentRoot "C:/Apache2.2/htdocs"
  ServerName localhost
  ErrorLog "logs/error.log"
  KeepAlive On

    <Location />
      SetHandler dispatcher-handler
      AuthName "A Protected Place"
      AuthType SSPI
      SSPIAuth On
      SSPIUsernameCase lower
      require valid-user



Note : the mod_auth_sspi Apache module only works with the Windows version of Apache 2.x.

For Linux installations, possible solutions are either mod_ntlm , or mod_headers .


Applies to

CQ 5.x