Pass NT Username to PHP?

atomdawg

We need to capture the username from an NT4 workstation that has already authenticated to the domain, and assign it to a PHP variable. We don't even need the password, just the username. Gee, it sounded simple enough when we started... 😉

Our web server is running PHP 4.0.4pl1 and Apache 1.3.17 on FreeBSD 4.2.

We have already investigated various ways of using $REMOTE_USER, $PHP_AUTH_USER, mod_ntlm, and mod_auth_ntdom. No dice. It's not like we just did a casual perusal of the README, either...we've actually tried hacking mod_htlm to get what we need, but it's not happening.

Has anybody actually been able to grab the username from an NT machine?

Anon

Andy, REMOTE_USER has worked for me in the past. Are you sure you've been challenged by the browser (401 access denied)? It won't be filled in unless you were challenged on that server.

Also, you can try ALL_HTTP or ALL_RAW to get all raw headers and then un-base64 the basic authorization string. That's kind of a brute force kludge though.

Cheers Dave

===========================================
http://badblue.com

Small footprint Win32 web server for PHP and P2P

atomdawg

Yep. The Apache access log gives me a 401 every time, but the value of REMOTE_USER is always null. The only time it seems to get filled in is when I actually go ahead and log in to the web server using Basic authentication. Of course, that's what I'm trying to avoid doing in the first place. 8(

How are you forcing the challenge? Maybe I'm just doing something wrong/stupid/both.

Thanks,
Andy

ame12

Andy, the NT way to force a challenge is to simply use file/folder permissions to not allow anonymous access (require basic authentication, which you can set via MMC).

However, this assumes you are using IIS and not Apache.

If you are using Apache and wish to use NT ACL's (access control lists, which protect folders and files), you will need to use some extra stuff. I think this library does it:

http://www.schaffner.net/userserver.zip

(I saw this referred to here:
http://www.phpbuilder.com/mail/php3-list/199903/2733.php ). Hope this does the trick - or if you use IIS, the ACL stuff comes for free.

Cheers Dave

===========================================
http://badblue.com

Small footprint Win32 web server for PHP and P2P

atomdawg

Yes, that's the rub...I'm using Apache on Unix (FreeBSD and Solaris). And I need to be able to get the username from any one of some 6,000 NT workstations on our intranet that may access the site. Schaffner's UserServer utility is very cool, but it doesn't quite do the trick in this case.

Thanks for the info, though!

--Andy

hawleyj

If I am reading this right, you want the log on username used to access the actual workstation, whether the machine is in a workgroup or on a domain (with as many machines as you stated, I would guess the latter).

If that is the case, you won't have any luck with it. In a domain, the logon credentials are located in the SID (security identification database) on the primary and backup domain controllers, along with SIDs that reside on each workstation for local user admin. It will not release these names to any services such as what you are describing. Rightfully so, too, can you image what type of security breach this would generate, not to mention the MS bashing that would occur once someone found out you had a way to access the SID?

The SID is one of the most protected pieces of security on the MS domain, as it should be.

Sorry.

Jim Hawley

hawleyj

But of course I could be wrong...$PHP_AUTH_USER may work.

Man, where is the recall button when you need one...

jeh

ame12

Andy, one way to do this is to have your Apache boxes make HTTP socket requests to one of the NT boxes running IIS to GET an ACL-protected page where only authenticated users have access.

So you would do a GET request on the page and fill in the header's "authorization: basic" credentials in base64 format as if you were a browser that had been 401 challenged.

If the page comes back correctly, the credentials were valid. If a status 401 comes back, the credentials were bad.

This would be a pretty cheap, easy way to do it.

Another (more complex) possibility is to create a CGI or ISAPI that runs on one of your NT boxes (I suppose under IIS). Your Apache boxes can make HTTP socket requests, e.g.,

http://ntbox/scripts/verify.dll?
user=joe&password=secret

this could return xml on success:

or in the case of an error:

<verify>Account locked</verify>

or whatever. The CGI just needs to do:

::RevertToSelf();
::LogonUser(...)
::ImpersonateToken(...);

in sequence to ensure that the credentials are valid for NT (I think that's what the calls are, it's been a while).

Cheers Dave

===========================================
http://badblue.com

Small footprint Win32 web server for PHP and P2P

Anon

I've seen several posts, but I have not be able to resolve this......

We are running NT 4.0/Apache 1.3.20/PHP 4.0.6. I am trying to determine the user's Window logon name with no luck.

Under Linux/Apache/PHP, I can use getenv ("USER") or $USER to get this information. I have tried $LOGON_USER, $REMOTE_USER and $PHP_AUTH_USER as found in other postings. I have also installed mod_ntlm ( how do I know this is working?? Can't find it in php_info() ). None of this has worked.

I just need the user ID...

Thanks!

Anon

I'm looking for the same thing already half an year and still have not found a way to do thids, to get only the username.

When I run Apache on Windows 2000 it is easy, But it seems that it is almost impossible to do this on a linux machine running Apache?

Pls If someone could help us?

Anon

The user ID works under Linux/Apache/PHP.... Be sure you have the LDAP module loaded... Use phpinfo to check.

Soooo... How do you get it to work under Windows?

Anon

HI,

Thanks for your reply.

I did the following:

1 - I used a machine with Windows 2000 professional.

2 - Installed IIS (5 I believe)

3 - On Default Web Site Properties, select Directory Security

4 - Select Anonymouse access and authentication control, edit

5 - Now make sure that in the window that now pops up, (Authentication Methods) Integrated Windows Authentication is selected.

Now the next time a user goes to the website, you will see in the phpinfo() the windows userlogin name. This orks great on our intranet (no connection from outside only users that have logged in Windows Domain)

I want to migrate the website from this IIS to a linux Apache. But unfortunately no luck. Will check the LDAP module.

Greeetings,

Rob

Anon

Hi,

I tried it doing all the steps you suggested, but found that there's one important (probably straightforward) thing that was missing...

I would add a step 6 (which took me pretty long to find that THIS was the problem that was bugging me):

6) Make sure that the 'Anonymous Access' itsself on the window "Authentification Methods" is turned OFF to force IIS to log on!

Thanx for the info though, I finally got it working!

Anon

One other thing to remember, if you are doing it this way, make sure you use Basic Authentication. If you do not, any user not sporting MSIE will not be able to log in.

Jim