Nt Authentication

chads2k2

Why does it seem I always think up the craziest things to do with PHP? Well here is another one! I haven't even installed PHP/Apache/MySQL yet, so any modules or anything else that needs to be included is no problem! I will include in the install. I am going to be using on a Windows XP box as well. Not by choice but it needs to be like that. 🙂 Ok so here is what I am trying to do. I want to have a form (easy) that they put in their username and password. Then what the script will do is go to Windows NT Authentication and see if their usrename and password matches the NT Authentication tables. I can have direct access to the domain controllers if need be. I am a high level admin/programmer. This is in a very secure Intranet where any outside access to this system is forbidden. Any ideas of how to go about this? There is a script I saw on HotScripts but I don't think it works right. Let me know. Thanks in advance!

Chad R. Smith

AstroTeg

I would think you could check out the MS APIs available for mingling with domain controllers and build a COM object PHP could play with.

Or a quick and dirty approach might be to have PHP shell out to DOS and execute the "net use" command with the user name and password supplied. Have "net use" connect to a share the user is supposed to have access to. If you can connect, then the user is "authenticated". Although, in my opinion, this is a lot of work for testing authentication and there should be an easier more direct approach (such as going with COM).

The safest way to have an intranet server on the network is to disable all access to the server from external IP addresses. That would be much safer and easier to do and the administering would be at the web server level versus the coding level.

Sgarissta

The easiest way to accomplish it would be to use LDAP. You can make LDAP queries against an AD Domain controller very easily. The only "gotcha" that i've run into, is that you will need to create a service account to run the query, as the anonymous bind in AD has no access.

chads2k2

Sgarissta, how would you do that? Can you give me a code example of it? I work for the govt and my floor's VLAN is the only one who will have access to this webserver. So I am safe there.

Chad

Sgarissta

[man]ldap[/man]

But really all you do is...
Note the following code is just a mockup...not really secure but just used for explanatory purposes...

$conn = ldap_connect('domain.controller');
$bound = ldap_bind($conn,$_POST['username'], $_POST['password']);
if($bound == true){
   //set session variable or whatever marking them as logged in.
}
else {
   //do whatever if they aren't authenticated
}

The above code SHOULD work, but it really depends on how your AD is setup.

chads2k2

I was reading an article about the same thing there. You are right on. I will try this stuff tomorrow when I get into work! I am excited now to go back into work. God that is pathetic.

Chad