Basic Auth between 2 servers?

Anon

Hi,

I have 2 servers, one with my front end in apache,linux,php and the other as NT/IIS with a bunch of static htm reports that are locked down with permissions. I want to have the users login on the front end and then have there user name and password passed to the second server when they click on links to the reports on the NT server. How do I do this? Is it possible?

Will I have to have the users not only login to the frontend but when they click on report have to reenter username/password to gain authorization?

smarlowe

The only way to do this in a semi-secure manner is to have apache use mod rewrite to act as the front end for everything and never pass the user off to the NT server directly, or to map a drive to the NT server that holds the data.

If you can map a drive to the NT server, that would be the easiest way.

If you've got a lot of fine grained permissions that have to be served through IIS, then you can pass people off with something like this:

$auth = $PHP_AUTH_USER . ":" . $PHP_AUTH_PW;
print "http://$auth@yourserver.com?somefile.html";

Not at all secure, but it should work

Anon

$auth = $PHP_AUTH_USER . ":" . $PHP_AUTH_PW;
print "http://$auth@yourserver.com?somefile.html";

Any other ideas or where can i look to learn more about this - naturally im trying this and the window is still coming up and not prefilling or anything.

smarlowe

OK, what you're trying to build is an URL like this:

http://name:password@server.domain.com

That should pass your user's name and password to the other server. If the other server is setup to use canonical names, it will "swallow" the name:password pair and the user will just see

http://server.domain.com

If canonical names are off, then their name:password pair will show.

You can build a simple redirect page to send them to that will chop off the name:password if it is still showing in the URL after handing off the user to the NT server.

So, you may need to build your string like this:

$url = "http://".$auth."@server.domain.com";