MOD EDIT: Post moved into its own thread; see original thread here: Integrating PHP app with Active Directory for single-sign-on (SSO) functionality

Hi there! After lots of googling I finally found this thread which finally relates to what I'm trying to investigate.

I'm new to this SSO stuff, so forgive me if I sound dumb, haha. Your cases are within an intranet, correct? Can this same concept of Windows login SSO be applied to an external Linux-based Apache/PHP/MySQL web server?

In my searching I found something called NTLM, and something about maybe having to install a couple of third-party things on the web server... other than that I have no idea and can't find anything to suggest it is or isn't possible.

To be a bit more specific, we have a CMS and one prospective client is looking for an SSO solution so that once they log in to Windows they won't have to log in to anything else. We've never done intranets before... so I'm lost, haha.

    Not sure whether you were directing your questions at myself or the OP of the original thread, but seeing as how that thread is ~2.5 years old, I'm guessing the OP might not be around to answer. As such, I've moved your post into its own thread and included a link to the original thread for context.

    Also, welcome to PHPBuilder! Now on to your questions/issues...

    bigmartin79;10996988 wrote:

    Your cases are within an intranet correct?

    Correct, because that's really the only place it makes sense to talk about Active Directory and Windows logon-based SSO.

    bigmartin79;10996988 wrote:

    Can this same concept of windows login SSO be applied to an external Linux based Apache/PHP/mysql web server?

    Web servers running on the Linux platform can still communicate to a Windows server in order to perform NTLM authentication, yes. However, see my response below...

    bigmartin79;10996988 wrote:

    To be a bit more specific we have CMS and one prospective client is looking for a SSO solution so once they login to windows they wont have to login to anything else.

    What do you mean "login to windows"? If they aren't on the same LAN as the webserver, are they at least within the same Active Directory domain (or forest)?

    In other words, I've got a username to login to computers here at work (let's call it "brad"). If I connected to your external-facing Linux server, it wouldn't make sense to use Windows logon-based SSO, because the "brad" network account doesn't mean anything to your servers.

    Furthermore, what you're looking to do isn't very feasible for another reason; most browsers (and I say "most" only because "all" is a very strong word...) that support NTLM authentication will only do so if the server is considered to be within a "local" zone, e.g. on the same subnet or private network. It's considered a security risk to expose NTLM authentication responses to the entire world over the Internet, thus even if it made sense for you to do this, you'd have to expect every user to configure their browsers such that they would honor your server's NTLM authentication request.

      Wow thank you for responding quickly!

      Haha, I must sound ridiculous, but by "login to windows" I mean they log in to the Windows network, as in the example you gave, and the web server would be a public server with a hardware firewall that blocks all traffic from outside their/our IPs... the idea in this case is to fake an intranet so we have full control of our own server and whatnot, instead of our CMS running on a customer's in-house intranet.

      Seems like I'm trying to fit a square into a circle, but I'm mainly trying to confirm one way or the other whether it's possible at all for at least a website to know the username or whatever. As per your comments, though, I think it's safe to say it's not doable in the context I'm going for.

      I'm leaning towards suggesting a login form where users type in their Windows network credentials and then have an LDAP user authentication process validate them... there wouldn't be any SSO from their Windows network to the external website, but at least it'd be the same login info. LDAP is good for that, right?
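      The fallback described in this post (a login form whose credentials are checked against Active Directory over LDAP) looks roughly like the following. This is an added example, not code from anyone in the thread; the host name, base DN and UPN suffix are placeholders, and it assumes PHP's ldap extension and an LDAPS listener on the domain controller.

```php
<?php
// Added example: form-based login validated against Active Directory by an LDAP bind.
// AD_URI, AD_UPN_SUFFIX and AD_BASE_DN are placeholders for the customer's domain.
const AD_URI        = 'ldaps://dc.example.internal';   // assumption: LDAPS, never plain ldap://
const AD_UPN_SUFFIX = '@example.internal';
const AD_BASE_DN    = 'DC=example,DC=internal';

/**
 * Returns ['username' => ..., 'name' => ...] on success, or null on failure.
 * The credential check is the bind itself: AD accepts it only for a valid,
 * enabled, non-locked-out account with the right password.
 */
function ad_authenticate(string $username, string $password): ?array
{
    // AD treats an empty password as an *unauthenticated* bind and reports success,
    // so a blank password must be rejected before ldap_bind() is ever called.
    if ($password === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return null;
    }

    $ldap = ldap_connect(AD_URI);
    if ($ldap === false) {
        return null;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);   // AD referrals otherwise break searches

    // Bind as the user via their UPN; no service account is needed for a pure password check.
    if (!@ldap_bind($ldap, $username . AD_UPN_SUFFIX, $password)) {
        ldap_unbind($ldap);
        return null;
    }

    // Fetch account details; escape the username so it cannot alter the filter.
    $filter  = '(&(objectClass=user)(sAMAccountName='
             . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
    $result  = ldap_search($ldap, AD_BASE_DN, $filter, ['sAMAccountName', 'displayName']);
    $entries = $result ? ldap_get_entries($ldap, $result) : ['count' => 0];
    ldap_unbind($ldap);

    if ($entries['count'] !== 1) {
        return null;
    }
    return [
        'username' => $entries[0]['samaccountname'][0],
        'name'     => $entries[0]['displayname'][0] ?? $username,
    ];
}
```

      The form handler would call `ad_authenticate($_POST['username'] ?? '', $_POST['password'] ?? '')` and start the session only on a non-null result; the empty-password check matters because AD's unauthenticated bind would otherwise let any known username in.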

        I'm confused... is the webserver on the same network as the users who will be interacting with it?
