PHPBuilder.com  
Old 05-11-2009, 05:02 PM   #1
rpanning
Tandem Web Works
Join Date: Dec 2002
Location: MN, USA
Posts: 446
IIS7 + PHP5.2 + (Optional) NTLM?

We have our Web server running IIS7 and PHP 5.2 on our internal Active Directory domain. What I'd like to get set up is the NTLM username being passed to PHP, if there is one.

So that, if a user is logged into a workstation on our AD domain, their username is passed to IIS > PHP so that I know who is already logged in, for SSO. However, if they are not on the domain (e.g. viewing from the outside, Web), nothing is passed to IIS > PHP and there is no login prompt for the user. Is this possible? Thanks
__________________
Are you a mountain biker and live in Minnesota? Join MORC to help support our trials!
Old 05-11-2009, 05:39 PM   #2
bradgrafelman
Pna lbh ernq guvf?
 
Join Date: Jul 2004
Location: Around 0:0:0:0:0:0:0:1
Posts: 14,488
The short answer is: it's possible (I think). Using IIS only, however, it won't work. You can either use integrated Windows authentication OR enable anonymous access.

What you'd probably have to do is determine if the IP address accessing the script is within the range used on your LAN and, if so, initiate the NTLM handshake yourself (this part I'm not sure how to do using PHP). For the script itself in IIS, you'd leave anonymous access enabled so that everyone can at least access the script.

So, if you can figure out how to perform NTLM authentication using PHP, then yes, it's possible.
__________________
***If your problem has been solved, PLEASE click the RESOLVED LINK under "Thread Tools"***

"Well Bones, do the new medical facilities meet with your approval?" -- Kirk
"They do not. It's like working in a damn computer center" -- McCoy (Star Trek: TMP)

Useful links: Debugging 101 || NJOE || (Sig image) || Rolla Engineered Solutions, LLC
Old 05-11-2009, 06:19 PM   #3
rpanning
Tandem Web Works
Join Date: Dec 2002
Location: MN, USA
Posts: 446
Quote:
Originally Posted by bradgrafelman
The short answer is: it's possible (I think). Using IIS only, however, it won't work. You can either use integrated Windows authentication OR enable anonymous access.

What you'd probably have to do is determine if the IP address accessing the script is within the range used on your LAN and, if so, initiate the NTLM handshake yourself (this part I'm not sure how to do using PHP). For the script itself in IIS, you'd leave anonymous access enabled so that everyone can at least access the script.

So, if you can figure out how to perform NTLM authentication using PHP, then yes, it's possible.
Hmm, interesting. So I'll leave Anonymous Access and Windows Authentication both enabled. It seems that it defaults to anonymous. In PHP I'll detect if it's internal, not a problem there, then send 401 Unauthorized and a WWW-Authenticate: NTLM header. Then the client should NTLM with IIS? I'll give this a try at work tomorrow. Thanks, I'll let you know how it goes.
Old 05-11-2009, 08:23 PM   #4
bradgrafelman
Pna lbh ernq guvf?
 
Join Date: Jul 2004
Location: Around 0:0:0:0:0:0:0:1
Posts: 14,488
Quote:
Originally Posted by rpanning
Then the client should NTLM with IIS.?
That's what I had hoped, but no; I tried this on an IIS6 server (and I see no reason why IIS7 should behave differently in this situation) but it didn't work. What I think happens is that when you issue the header() for the NTLM header, the client does indeed send the proper authentication handshake but IIS has already passed control of the response on to the PHP interpreter, so it's up to your PHP code to look for the browser's authentication header and do the appropriate processing.

That's just what it looked like from my end.
Old 05-12-2009, 04:49 PM   #5
rpanning
Tandem Web Works
Join Date: Dec 2002
Location: MN, USA
Posts: 446
Quote:
Originally Posted by bradgrafelman
That's what I had hoped, but no; I tried this on an IIS6 server (and I see no reason why IIS7 should behave differently in this situation)...
Guess what, it did work from my end. I know IIS7 was a big change with how PHP sits in the pipeline. Maybe that ends up properly processing the headers.

So what I have going is both Anonymous Authentication and Windows Authentication enabled. Then in my PHP script I have the following:
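PHP Code:
// No authenticated user yet: ask the browser to authenticate.
if (!isset($_SERVER["REMOTE_USER"]) || $_SERVER["REMOTE_USER"] == '') {
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Negotiate');
    // false = add a second WWW-Authenticate header instead of replacing the first
    header('WWW-Authenticate: NTLM', false);
    exit;
}
// Authenticated: dump the server variables, including REMOTE_USER.
phpinfo();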
Of course I need to add in the detection if the computer is a domain workstation or not. But so far it works. The only thing is that IE is prompting for a login (even though I added it to the Trusted Sites). Firefox is working fine, after I added the site to network.automatic-ntlm-auth.trusted-uris.
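The internal-client check that the post above says still needs adding, combined with its 401 challenge, as an added example that is not part of the original thread. The ranges in INTERNAL_RANGES and all function names are assumptions, and it is written for PHP 7.1+ rather than the PHP 5.2 used in the thread.

```php
<?php
// Added example, not code from the thread. Constructed placeholder ranges:
// replace with the subnets your domain workstations actually use.
const INTERNAL_RANGES = ['10.0.0.0/8', '192.168.0.0/16'];

// True if the IPv4 address $ip lies inside $cidr ("a.b.c.d/len").
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    $bits    = (int) $bits;
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false;               // not IPv4 or bad prefix: treat as external
    }
    $mask = -1 << (32 - $bits);     // /0 gives a mask that matches everything
    return ($ipLong & $mask) === ($netLong & $mask);
}

// REMOTE_ADDR is the TCP peer address seen by IIS. Client-supplied headers
// such as X-Forwarded-For are deliberately not consulted.
function is_internal_client(array $server): bool
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    foreach (INTERNAL_RANGES as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Returns the authenticated account name, or null for an anonymous visitor.
function optional_sso_user(array $server): ?string
{
    $user = $server['REMOTE_USER'] ?? '';
    if ($user !== '') {
        return $user;               // set by IIS after Windows authentication
    }
    if (is_internal_client($server)) {
        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: Negotiate');
        header('WWW-Authenticate: NTLM', false);  // append, do not replace
        exit;
    }
    return null;                    // external: no challenge, no login prompt
}

$user = optional_sso_user($_SERVER);
echo $user === null ? 'Anonymous visitor' : 'Signed in as ' . htmlspecialchars($user);
```

The address check only decides whether to send the challenge; the identity itself still comes from REMOTE_USER after IIS completes Windows authentication. A LAN machine that is not domain-joined will therefore still see a credential prompt.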
Old 05-12-2009, 05:24 PM   #6
bradgrafelman
Pna lbh ernq guvf?
 
Join Date: Jul 2004
Location: Around 0:0:0:0:0:0:0:1
Posts: 14,488
I feel like an idiot; I forgot the 'false' on the second header call - it probably works in IIS6 as well.
Old 06-20-2009, 07:33 AM   #7
Albertos1
Junior Member
 
Join Date: Jun 2009
Posts: 1
Thanks for this thread. I am also doing it right now. I am also using PHP 5.2.

I wish I could make it happen.