PHP vs ASP with NTLM style Authentication Help!

big_nerd

Hello all, I've noticed an anomaly,

I am running IIS w/ Windows 2000 Server.

When I disable Anonymous Access (and enable Integrated Windows Auth) in order to pull the DOMAIN\username from the clients (intranet) it works GREAT in ASP.. using:

resp1 = Request.ServerVariables("LOGON_USER") 
    ' or 
resp2 = Request.ServerVariables("AUTH_USER") 

Response.Write resp1
Response.Write "<br>"
Response.Write resp2
Response.Write "<br>"
%>

This works fabulous, When I attempt to do it in PHP...

echo $_SERVER['AUTH_USER'];
echo $_SERVER['LOGON_USER'];

It will work, ONLY if I ran the ASP script first! If I do not, it requests a username and password, and will only authenticate if that is a valid user on the system!

I am on a different domain as the webserver, I have yet to test with a client on the same domain, but I do not see how it would matter.

The only ASP is self contained and I can't and won't re-write everything in ASP.

What options do I have, the boss's are pretty definate about not having a seperate login/pass system, but want authentication.

I was thinking of checking for a cookie (which I do not want), with the username & domain, if it doesnt exist, pass off to the ASP script (with a parameter of the page that the person was attempting to access) that will check the user/domain and pass back to the rest of the site.

If anyone knows of an easier way, or has had this problem before, please let me know..

Running:
PHP 5.2.0 w/ IIS 5 w/ .NET 2.0

Thanks in advance....

NogDog

From http://devzone.zend.com/manual/view/page/features.http-auth.html :

<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
}
?>

big_nerd

NogDog,

My Mistake, I don't want to have the login/pass. I've discovered something else as well.

When I use a windows domain alias, i.e. http://php/ to point to the machine, it works fine (with asp forsure, unsure about php atm).

When I use a web style domain, http://www.myintra.net/site/ which also points to that box, it requests a username and password!

I have a fully operable login system using PHP_AUTH_USER or SESSIONS, or COOKIES (something else I'm working on), however this is an attempt for the intranet users to be capable of viewing the site without having to log in.

When I view the same .asp file (test-auth.asp) with the http://php/test-ath.php, it works, spits out the DOMAIN\user .. however,

When I use the internet style domain, I get this.. HTTP 401.2 - Unauthorized: Logon failed due to server configuration
Internet Information Services.

Then it mentions I need to modify the header information as to what type of authentication. This may be where my problem lies, but I am unsure what I would put in the header for it to merely 'get' the domain\username. (from ntlm)

big.nerd