1

We are running an internal website on PHP 5.2 with IIS.

Currently each user is assigned a login. The login information is authorized with PHP confirming the information against a SQL Server database table.

PHP sends select statements to SQL Server using SQL Server authentication.

We would like to keep the SQL Server authentication; however, we want the users to be able to get onto the site using Windows authentication.

How can we implement Windows authentication on a PHP site?

Alex Gordon
  • I've never done it myself but maybe you could hack something in to a hook somewhere so on login it hits your php site and registers a session then stores the session id cookie on the appropriate spot? Just a guess. – jcbwlkr Apr 05 '13 at 22:50
  • If using SQL Server authentication, you can create user accounts and full functionality as you normally would with a MySQL database. As for Windows authentication, I'm sure there is a way. PHP has methods of database and Active Directory authentication, so it is all possible. How to get to the point of implementing it, on the other hand, is something I have not experimented with – Daryl Gill Apr 05 '13 at 22:54
  • By default the IIS user executes the application; you can use any Windows user to execute it or ask the user for the user and password. After that you can omit UID and password and PHP will try to connect using the user that is executing the script... maybe this link will help you [link]http://blogs.msdn.com/b/brian_swan/archive/2010/02/10/sql-server-driver-for-php-understanding-windows-authentication.aspx[link] – Carlos Huchim Apr 05 '13 at 22:56
  • @CarlosHuchim I wasn't able to view the contents of the link you sent because it asked for credentials – Alex Gordon Apr 05 '13 at 23:00
  • I did a search in Google for "php, SQL Server Authentication" and the link was the first... (http://blogs.msdn.com/b/brian_swan/archive/2010/02/10/sql-server-driver-for-php-understanding-windows-authentication.aspx) maybe the tag "[link]" is the problem... sorry :) – Carlos Huchim Apr 05 '13 at 23:08
  • Hello! Maybe this link will be useful: http://stackoverflow.com/questions/3899643/how-to-read-windows-loged-in-username-with-php-iis – Carlos Huchim Apr 05 '13 at 23:57
  • @CarlosHuchim Indeed it is! Please make that into an answer – Alex Gordon Apr 09 '13 at 03:00

2 Answers

2

You could use LDAP bindings for PHP to achieve this.

Here is an example implementing this using the ldap_bind PHP extension.

What this example achieves is using Active Directory to authenticate your clients against a directory service which provides the list of the currently registered users on the Active Directory domain.

Halim Qarroum
  • Is there a way for PHP to detect which user is logged in without forcing the user to type their credentials? – Alex Gordon Apr 05 '13 at 22:59
  • Without making false assumptions such as relying on IP addresses or other bad ideas, there isn't really, no. What you may simply do is set a `Cookie` the first time the user connects to the service. Also, it is highly recommended that you implement an SSL-enabled only connection between your authentication interface and the end user. – Halim Qarroum Apr 05 '13 at 23:06
  • what about ? – Alex Gordon Apr 05 '13 at 23:08
  • The PHP code will be executed on the server side, not on the client one. So, doing this would give you the environment of your server. Even if it was doable on the client side in JavaScript, it will be a very bad idea because of obvious security reasons. – Halim Qarroum Apr 05 '13 at 23:09
  • You could use an SSL cert to do the authentication: http://stackoverflow.com/questions/12509811/authenticate-web-browser-with-ssl-certificate – doublesharp Apr 05 '13 at 23:12
  • How is ASP.NET able to get the Windows username so easily? – Alex Gordon Apr 05 '13 at 23:16
  • @doublesharp He could indeed, I've been thinking about it. But he wants the user to be authenticated against an LDAP server. Of course, it is possible to generate an SSL certificate for each user given his LDAP information and distribute these certificates to all the users. But still, the guy would have to upload his certificate to his authenticating interface once anyway. Seems like overkill compared to just typing credentials :) – Halim Qarroum Apr 05 '13 at 23:16
1

If you are using Active Directory, then you can use LDAP to verify connections against the domain:

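```php
<?php
// load from login form
$user = 'user';
$pass = 'pass';

$ldap = ldap_connect( "example.com" );
// Active Directory expects LDAPv3
ldap_set_option( $ldap, LDAP_OPT_PROTOCOL_VERSION, 3 );

// An empty password makes ldap_bind() perform an anonymous bind, which can
// succeed without proving who the user is, so reject it before binding
if( '' === $pass || false === ( $bind = ldap_bind( $ldap, $user, $pass ) ) ) {
  // auth error
} else {
  // user is authenticated
}
```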
doublesharp
  • Is there a way for PHP to detect which user is logged in without forcing the user to type their credentials? – Alex Gordon Apr 05 '13 at 22:59
  • Not in the way I think you mean - if you want them to be logged on to a remote IIS server with the same credentials they are using on their workstation then the short answer is no, although you could use certificates if you wanted to auth them without a password. – doublesharp Apr 05 '13 at 23:01
  • Thank you for your responses and example!! Is there a way to just capture the current Windows username of the person opening the site? – Alex Gordon Apr 05 '13 at 23:02
  • No - think about it this way, do you want your username/domain being sent to every website that you visit on the Internet? – doublesharp Apr 05 '13 at 23:11
  • That's a great point, but it's an internal site – Alex Gordon Apr 05 '13 at 23:12
  • What about this? Wouldn't it give the current Windows username? – Alex Gordon Apr 05 '13 at 23:12
  • No, because the PHP is running on the server, so if that environment variable is set, it will be for the user running PHP on the server, not on the client side. The only way to automatically authenticate in a browser would be to use an SSL cert: http://stackoverflow.com/questions/12509811/authenticate-web-browser-with-ssl-certificate – doublesharp Apr 05 '13 at 23:13
  • How is ASP.NET able to get the Windows username so easily? – Alex Gordon Apr 05 '13 at 23:15
  • One more link: http://stackoverflow.com/questions/3899643/how-to-read-windows-loged-in-username-with-php-iis – Carlos Huchim Apr 05 '13 at 23:16
  • @CarlosHuchim now that's an awesome link. the question now is how to set up IIS to authenticate users?? – Alex Gordon Apr 05 '13 at 23:19
  • @CarlosHuchim You should make that link into an answer because I got it working! – Alex Gordon Apr 05 '13 at 23:34
  • @АртёмЦарионов I did it jejejje but someone has converted the answer to "trivial comment", jejeje.... – Carlos Huchim Apr 06 '13 at 00:10
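
The comments above end with the site reading the Windows user name that IIS has already authenticated. The following added example, which is not code from any poster in the thread, shows PHP taking that identity from the IIS server variables `AUTH_TYPE` and `AUTH_USER` and failing closed when the request was anonymous. It assumes Windows Authentication is enabled and Anonymous Authentication disabled for the site; `windows_identity`, the domain `CORP` and the account names are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes the IIS site has Windows
// Authentication enabled and Anonymous Authentication disabled.

// Returns array( DOMAIN, user ) for the account IIS authenticated, or null.
// $allowedDomain is a hypothetical NetBIOS domain name supplied by the caller.
function windows_identity( array $server, $allowedDomain ) {
  // AUTH_TYPE is filled in by IIS; only accept the Windows schemes
  $type = isset( $server['AUTH_TYPE'] ) ? strtolower( $server['AUTH_TYPE'] ) : '';
  if( $type !== 'negotiate' && $type !== 'ntlm' ) {
    return null;
  }
  // An empty AUTH_USER means the request was served anonymously: fail closed
  $raw = isset( $server['AUTH_USER'] ) ? $server['AUTH_USER'] : '';
  // IIS reports the account as DOMAIN\user; reject anything else
  if( !preg_match( '/^([A-Za-z0-9._-]+)\\\\([A-Za-z0-9._$-]+)$/', $raw, $m ) ) {
    return null;
  }
  // Only accounts from the expected domain may map to application users
  if( strcasecmp( $m[1], $allowedDomain ) !== 0 ) {
    return null;
  }
  return array( strtoupper( $m[1] ), strtolower( $m[2] ) );
}

// Constructed sample inputs; on the real site pass $_SERVER instead
$samples = array(
  array( 'AUTH_TYPE' => 'Negotiate', 'AUTH_USER' => 'CORP\\jdoe' ),
  array( 'AUTH_TYPE' => '',          'AUTH_USER' => '' ),            // anonymous
  array( 'AUTH_TYPE' => 'Basic',     'AUTH_USER' => 'CORP\\jdoe' ),  // wrong scheme
  array( 'AUTH_TYPE' => 'NTLM',      'AUTH_USER' => 'OTHER\\jdoe' ), // wrong domain
);
foreach( $samples as $s ) {
  $id = windows_identity( $s, 'CORP' );
  // The user part is the lookup key for the existing user table; the database
  // connection itself can keep using SQL Server authentication
  echo $id ? 'authenticated: ' . $id[0] . '\\' . $id[1] . "\n" : "rejected\n";
}
```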