I am running a php8 application (with Apache 2.4 as the web server) on a Windows server. I want to extract the windows user id of the web page user. In my organization the user id is not a secret. Everybody knows (or can easily find) everybody else's. Everyone is on the same domain as the web server. I am looking to avoid making the user type their password (a security risk from our perspective), and I don't want to initiate a new authentication protocol.
In IIS / aspx / c# this is simple: You use HttpContext. Is there something similar I can use in my environment?
This is not as simple as with IIS/C#, but you can use the Apache Kerberos Authentication module. With PHP, you can then get the user's information from:
$_SERVER['REMOTE_USER']
$_SERVER['KRB5CCNAME']
Relevant article: https://imatviyenko.github.io/blog/2018/09/11/Apache-AD-kerberos
Related
I have a PHP application running with Nginx on a Linux server and it has a successful integration with my Active Directory using LDAP.
In the current scenario, the user is able to create a new login for the app or use his Windows credentials to log into the application.
Now, I'm trying to implement a complete Single-Sign On (SSO) and the user logged with his credentials in the Windows machine in the domain will be able to open the app logged without use the credentials again.
Doing some research on it, since my Linux server are not in the same domain, the best options is use NTLM (old and insecure), Kerberos protocol or Negotiate protocol (that will choose among NTLM and Kerberos for each request), depending on Windows version and what is implemented in the Domain Controller.
There is a lot of tutorials in the internet and also some good threads on the theme here in SO. This another link shows a good overview about the options using Apache as web server (for Kerberos option, I found a Nginx port, so this is not the main problem).
Well, I created some test application using these approaches (including all changes in the browser side, limited to Firefox), but all of then are dependents of Web Server (Apache, Nginx or even IIS). Since My app already has a complete integration with AD through LDAP, I'm interested in some Web Server independent solution. Are there any way to "bypass" the authentication in Web Server and get the information about the logged user direct on my PHP code (Client (Firefox) to Server (PHP))?
My best guesses for now are some type of "pure" PHP implementation of Kerberos, that needs of a PECL module or NTLM, that is insecure and still asks for the user credentials in the first request.
I know that maybe its impossible, but I'm asking it for the case that I missed something important information in this research. Is it possible to get the windows user info direct in PHP?
If you don't insist on nginx use Apache Web Server 2.4 with mod_auth_gssapi this is great, high quality code written by people who know what they do. I have been doing this for years for my PHP stuff.
I am running OSX Server on a MacMini in our office.
The Users (created with the OSX Server App) are used for authenticating the SMB and VPN service.
Now i would like the users to login in our intranet-app via PHP.
Are there any possibilities to access the OSX Server Users?
Does it work in other languages?
If the web server is running on the same Mac Mini (or another Mac server that is attached to the same OD server), you can use browser authentication to control access and then use the REMOTE_USER environment variable from php to determine which user is logged in.
To set this up, you're going to need to enable login on the Websites control panel in the Server App and then specify which users are allowed to access the site ('Who can access' in the web site information panel).
For security purposes, make sure you use SSL so that your password exchanges are protected from prying eyes, although by default I'm pretty user you at least get Digest authentication instead of Basic, which is a little better.
If you prefer not to use the web server security, you're going to have to jump through some hoops to authenticate, most likely involving using LDAP to talk to the Open Directory server on the Mini. In the old days, you used to be able to use LDAP authorizations to validate passwords against the OD server, but I'm not sure if that still works. Either way, it's a lot of work.
I have a few requirements here on which I am not sure if they're even possible the way they're requested. Sorry beforehand for not having code, but I feel stackoverflow fits the most for this question, and I can't write code on company time before the situation is clear.
Setup
A windows server with an IIS and PHP running via FCGI. There's an intranet (php/mysql) running on this machine. Users currently have anonymous access to it, since it is an open intranet. All users are in the same windows domain.
SSO and windows shares
As far as my research got, single sign on via NTLM is possible and should not be a biggie to implement into the current intranet. However, there's a plugin running which reads directories from defined windows shares, and spits out a file list. Those files are read by a specific user account having read access to this share.
Is it possible to authenticate the current user at the windows share to read files, via that data I receive from SSO (via ntlm or kerberos or ...)?
You need Kerberos, Credential Deleagtion and Impersonation. Forget NTLM.
Edit: On Windows, this is solved by SSPI, on Unix by GSS-API.
We have around 10 iMac's connected to mac mini server. php and Apache enabled on server. I am developing intranet website using php. My requirement is to get the username of the client connected to the server. $_SERVER['REMOTE_USER'] is not working. I don't know why. Please help me out. Is it possible to write JS to find it? It should not ask for user login. It should directly take from client machine login.
$_SERVER['REMOTE_USER'] will contain the username used for HTTP auth. There is no reasonable way to persuade a browser to tell you what OS user the visitor is logged in as (you might have some luck with a signed Java applet, but I wouldn't bet on it).
For an intranet site/app, where you have control over the client machines, you can use some script/application running on system startup which will read the username and store it as a cookie. You can than read that cookie from you web site.
How cookies are stored differs between browser. For example, firefox 3+ uses an sqlite database with a documented format (see this post for some more info). You have to make sure, that the browser is not running when accessing the cookies.
I believe what you're looking for is Single Sign On (SSO). This is most commonly used on windows computers connected to a domain which allows users to authenticate to intranet sites without entering any credentials (eg it uses their domain credentials).
I don't know of a pure mac equivalent. The (most recent) Windows system is called Kerberos and is supported by Firefox on Mac as mentioned here: http://www.cgl.ucsf.edu/Security/CGLAUTH/CGLAUTH.html
It's worth noting that this requires the OS, Browser and Website to all work together. Some issues: firefox (even on windows) doesn't send the login details automatically, it requires a config change to include the site you want to authenticate with. The website needs to be able to verify the authenticity of the credentials passed to it which usually means it needs to be able to communicate with the credential authority (Domain controller/RADIUS/X500 server, etc.). The pesmissions mechanism needs to support (and be configured) to allow credential delegation (that is, the client PC is allowed to pass tokens on to the website to prove identity).
This question was by someone who's managed to get this working on linux so should be a good starting point
For a website on the Intranet with all the IE security settings setup. I want to retrieve the current AD username that the user is logged in with. I don't need to authenticate because I am assuming that the person on the computer has already gone through the process.
Is this even possible? I've seen a lot of NTLM related stuff that shows how to authenticate but I can't seem to pull the current authenticated username easily without a prompt box, which is what I'm trying to avoid.
The server setup is a Windows server with Apache. If it is easily done with a Linux machine I can move it there too.
As stated in your question, IE has to be configured to allow Windows Integrated Authentication. Doing so basically gives IE permission to provide your credentials/token to sites that request it (usually limited to sites in the Intranet zone). Note that your web site will have to request those credentials (in IIS it is as simple as checking a checkbox). In Apache you'll have to find an Apache module that add NTLM authentication support to your web server. A quick Google search revealed a few different modules, none seemed particularly up to date. If you get an Apache NTLM module working, I suspect you'll be able to access the username via$_SERVER['AUTH_USER'].