NT Authentication in PHP on IIS/Apache

quadmyre

I'm currently pondering development of a new project. I would prefer to use Apache with PHP5 running on Win32, as a last resort I may consider IIS.

One of the requirements I've laid down is that I want to be able to authenticate visitors using an NT domain (currently NT4 but will be upgraded to AD in future). I would like to be able to do this automagically (ie no pop-up prompt just use the currently logged in username / pass to authenticate) which I believe is possible with IIS and correct settings of IE security zones.

Not only do I want to authenticate users for access, however, I also want to be able to determine within my script the user's login name and whether or not the user is a member of a given global group.

I would like to be able to do all of this as reliably and with as little overhead / bodges as possible.

Has anyone already done this successfully and if so how?

Many thanks in advance...

quadmyre

Wow - am I to believe that noone out there has already tried this? Does noone use PHP for intranet sites?

remnant

I use IIS and this is possible. I'm sure it's possible via Apache but I can't really help you with that.

You're right, under IE there's a setting which allows the use of the current username and password. I'd advise against this, but I'm basing that on my experience and needs. Once the user has logged in, you can use $_SERVER['PHP_AUTH_USER'] to get their username. You may need to disallow annonymous access on the site path under IIS Management Console for this to work, but I'm not sure. I say this because I prompt for the credentials and I have to disallow annoymous access for that to occur.

Unfortunately, there's no way, that I know of, for you to pull information about a given user without having a directory service such as Active Directory. Before we went to AD, I had a MySQL database of employees which was comprehensive enough to use, but not nearly as useful as AD. Once you migrate, you'll be able to use LDAP to get information on users logged in directly from AD.

HTH

chads2k2

Here is how you use NT Authentication with LDAP servers. This is coming from a Windows Server 2003 and tried on a Windows Server 2000 LDAP server.

The host is a Windows XP, Apache, PHP 4.3.9 Machine. Also tried on a Windows Server 2003, IIS 6, PHP 4.3.9 Machine. Somethings were taken out for security reasons. Sorry.

Hope this helps!

Chad


//
// This page is index.php
//

<?php
session_start();

if(isset($login)){
  $username = trim($username);
  $password = trim($password);
  if((strlen(trim($username)) != 0) && (strlen(trim($password)) != 0))
  {
	include_once("includes/ldap.connection.inc.php");

  // Run the CheckNT function.
  $checked = CheckNT($username,$password);
  // Get the results.  If it is in the LDAP server it returns 1.  If not then 0.
		if($checked == 1)
		{
         include_once("includes/db.connection.inc.php");
         $sql = "SELECT * FROM smithch.users WHERE user_name='$username'";
         $result = mssql_query ($sql, $db);
         $row = mssql_num_rows ($result);
         if($row < 1)
         {
             echo "Sorry you are authenticated but not part of our database system.  Sorry.<br>";
         }
         while ($row = mssql_fetch_array($result))
         {
            $user_id = $row['user_id'];
            $user_priv = $row['user_priv'];
            $user_divnum = $row['user_divnum'];
            $user_style = $row['user_style'];

            $_SESSION['GLOBAL_ID'] = "$user_id";
            $_SESSION['GLOBAL_NAME'] = "$username";
            $_SESSION['GLOBAL_PRIV'] = "$user_priv";
            $_SESSION['GLOBAL_DIVNUM'] = "$user_divnum";
            $_SESSION['GLOBAL_STYLE'] = "$user_style";

            $today = date("F j, Y, g:i a");
            $update_users = "UPDATE smithch.users SET user_lastlogin='$today' WHERE (user_id = '$user_id')";
            mssql_query($update_users);

            echo "<meta http-equiv='refresh' content='0; URL=dbsystem.index.php'>";
            exit();
         }
         mssql_close($db);
		}else{
         echo "Your credentials failed.  Check your password and try again.  Also no NRDNR\\\ is nesscary.<br>";
  }
   }else{
      echo "All fields <strong>MUST</strong> be filled in. Thanks!";
   }
}
?>


//
// This page is ldap.connection.inc.php
//

<?php
error_reporting(E_ERROR | E_PARSE);

// Functions

function CheckNT($username,$password)
{
  // Forms the USERNAME as NRDNR\\
	   $domain_username  = "NRDNR\\" . $username;

  // Connects to our LDAP server.
     $ldapconn=ldap_connect("valid_ip_of_server") or die("The connection failed.");

// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $domain_username, $password);

   // verify binding
   	if ($ldapbind) {
       	return 1;
   	} else {
       	return 0;
   	}
	ldap_close($ds);
}
?>

quadmyre

Thanks for the ideas guys!