We have our Web server running IIS7 and PHP 5.2 on our internal Active Directory domain. What I'd like to get set up is for the NTLM username to be passed to PHP, if there is one.

So that, if a user is logged into a workstation on our AD domain, their username is passed to IIS > PHP so that I know who is already logged in, for SSO. However, if they are not on the domain (e.g. viewing from the outside, the Web), nothing is passed to IIS > PHP and there is no login prompt for the user. Is this possible? Thanks

    The short answer is: it's possible (I think). Using IIS only, however, it won't work. You can either use integrated Windows authentication OR enable anonymous access.

    What you'd probably have to do is determine if the IP address accessing the script is within the range used on your LAN and, if so, initiate the NTLM handshake yourself (this part I'm not sure how to do using PHP). For the script itself in IIS, you'd leave anonymous access enabled so that everyone can at least access the script.

    So, if you can figure out how to perform NTLM authentication using PHP, then yes, it's possible.

      bradgrafelman;10914171 wrote:

      The short answer is: it's possible (I think). Using IIS only, however, it won't work. You can either use integrated Windows authentication OR enable anonymous access.

      What you'd probably have to do is determine if the IP address accessing the script is within the range used on your LAN and, if so, initiate the NTLM handshake yourself (this part I'm not sure how to do using PHP). For the script itself in IIS, you'd leave anonymous access enabled so that everyone can at least access the script.

      So, if you can figure out how to perform NTLM authentication using PHP, then yes, it's possible.

      Hmm, interesting. So I'll leave both Anonymous Access and Windows Authentication enabled. It seems that it defaults to anonymous. In PHP I'll detect if it's internal, not a prob there, then send 401 Unauthorized and a WWW-Authenticate: NTLM header. Then the client should NTLM with IIS.? I'll give this a try at work tomorrow. Thanks, I'll let you know how it goes.

        rpanning wrote:

        Then the client should NTLM with IIS.?

        That's what I had hoped, but no; I tried this on an IIS6 server (and I see no reason why IIS7 should behave differently in this situation) but it didn't work. What I think happens is that when you issue the header() for the NTLM header, the client does indeed send the proper authentication handshake but IIS has already passed control of the response on to the PHP interpreter, so it's up to your PHP code to look for the browser's authentication header and do the appropriate processing.

        That's just what it looked like from my end.

          bradgrafelman;10914184 wrote:

          That's what I had hoped, but no; I tried this on an IIS6 server (and I see no reason why IIS7 should behave differently in this situation)...

          Guess what, it did work from my end. 😃 I know IIS7 was a big change with how PHP sits in the pipeline. Maybe that ends up properly processing the headers.

          So what I have going is both Anonymous Authentication and Windows Authentication enabled. Then in my PHP script I have the following:

          <?php
          // Both Anonymous and Windows Authentication stay enabled in IIS7. IIS sets
          // REMOTE_USER only after a successful Windows auth handshake, so an empty
          // value means the browser has not authenticated yet.
          if (!isset($_SERVER["REMOTE_USER"]) || $_SERVER["REMOTE_USER"] == '') {
              header('HTTP/1.1 401 Unauthorized');
              header('WWW-Authenticate: Negotiate');
              // Second argument false adds this header instead of replacing the Negotiate one.
              header('WWW-Authenticate: NTLM', false);
              exit;
          }
          phpinfo();

          Of course I need to add in the detection if the computer is a domain workstation or not. But so far it works. The only thing is that IE is prompting for a login (even though I added it to the Trusted Sites). Firefox is working fine, after I added the site to network.automatic-ntlm-auth.trusted-uris.
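Putting the thread's two pieces together (the LAN address check bradgrafelman suggested and the 401 Negotiate/NTLM challenge from the post above) as an added example that is not rpanning's script. It assumes IIS7 with both Anonymous and Windows Authentication enabled, that REMOTE_ADDR is the real client address (no reverse proxy in front of IIS), and the CIDR ranges are constructed placeholders; it is written in PHP 5.2 syntax to match the thread.

```php
<?php
// Added example, not rpanning's script. Assumes IIS7 with Anonymous and Windows
// Authentication both enabled (as in the post above), so REMOTE_USER is set only
// after the Negotiate/NTLM handshake. LAN ranges below are constructed placeholders.
$internal_ranges = array('10.0.0.0/8', '192.168.0.0/16');
// True when $ip (IPv4 dotted quad) lies inside one of the CIDR ranges.
function ip_in_ranges($ip, array $ranges)
{
    $addr = ip2long($ip);
    if ($addr === false) {
        return false;  // malformed or non-IPv4: never treat as internal
    }
    foreach ($ranges as $range) {
        list($net, $bits) = explode('/', $range, 2);
        $bits = (int)$bits;
        if ($bits < 0 || $bits > 32 || ($network = ip2long($net)) === false) {
            continue;  // skip a malformed range rather than matching everything
        }
        // -1 << n gives the same low 32 bits on 32-bit and 64-bit PHP builds
        $mask = ($bits === 0) ? 0 : -1 << (32 - $bits);
        if (($network & $mask) === ($addr & $mask)) {
            return true;
        }
    }
    return false;
}
// 'authenticated': IIS supplied a domain user; 'challenge': internal client
// without credentials yet; 'anonymous': external client, no prompt at all.
function sso_decision(array $server, array $ranges)
{
    if (isset($server['REMOTE_USER']) && $server['REMOTE_USER'] !== '') {
        return 'authenticated';
    }
    $ip = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    return ip_in_ranges($ip, $ranges) ? 'challenge' : 'anonymous';
}
// The IP test only decides whether to challenge; the identity always comes from
// REMOTE_USER, which IIS fills in after verifying the handshake itself.
switch (sso_decision($_SERVER, $internal_ranges)) {
    case 'challenge':
        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: Negotiate');
        header('WWW-Authenticate: NTLM', false);  // false: keep both headers
        exit;
    case 'authenticated':
        echo 'Logged in as ' . htmlspecialchars($_SERVER['REMOTE_USER']);
        break;
    default:
        echo 'Anonymous visitor';
}
```

If a proxy or load balancer sits in front of IIS, REMOTE_ADDR is the proxy's address and the internal/external decision has to come from something the server controls, not from client-supplied forwarded headers.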

            I feel like an idiot; I forgot the 'false' on the second header call - it probably works in IIS6 as well.

              a month later

              Thanks for this thread. I am also doing it right now. I am also using PHP 5.2.

              I wish I could make it happen.

