I am an intern in a company and have to make an intranet for the company. The difficulty for me is that i am very new to programming and don't really know how apache works.
The users don't want to log into the intranet (put the login and password) everytime they come on the site, they want them to be logged in without doing that.
All my users use Windows 7 (or higher), and i will write the intranet in php-sql, using apache server 2.4.
I want to know how i can connect the users by SSO using NTLM (because the authentification is done with Active Driectory, i would like the user to be connected automatically with their Windows login and password)? What is the apache module for that and how do i proceed ? What Library do i use in PHP ?
I really am stuck at this point and can't seem to find a solution, please help me. I found some links that could help me but i don't understand what is the author saying.
Here are some links about the subjects :
a forum question
a wiki article
Actually i saw that this kind of question was already asked here (How can I implement single sign-on (SSO) using Microsoft AD for an internal PHP app?) but I don't get the solution, I would like someone to explain a little bit in detail as i said before i am very new to programming.
First of all using Apache is not necessary and will complicate things somewhat to do what you are trying to do, if you can use IIS server on one of your Windows servers you will be laughing.
Install PHP on the IIS server
Create a new website in IIS
Set the new websites access to Windows Authentication and disable anonomouse access.
What this will do is configure IIS to authenticate the users against Active Directory, if they are on a Windows machine on the local network, already authenticated to the local domain, and the intranet is defined by GPO as a intranet site then the users Windows login details will be automatically passed and can be accessed in PHP using the $_SERVER superglobal.
Related
This is not a new topic, but the information I find is always covering only a bit or not exactly what I would need. Here's the "issue"
I'm building a web application, on a Debian / Apache / PHP host.
The web server is NOT in our Active Directory, nor will it be.
Now the web application would need to query Microsoft SQL servers to gather the information to display and so on.
Now, I've installed the Microsoft SQL drivers (version 17) and try to connect. This gives errors because we only allow windows authentication and not directly SQL authentication.
This is where the problem starts. I cannot find any proper documentation on how to get this working. It seems that if you connect without UID and PWD, it tries to logon with the UID owner of the process. This is in this case the APACHE user...which is an account on the Linux server, not known in the Active Directory /Domain. I can't have the Apache server run as a windows account, since that will impact other domains and applications running on that web server. Meaning I'm stuck....
So the questions are basically:
Is there really no proper solution to implement Windows Authentication to MSSQL with PHP (so without work arounds and so on?
Is there any site where this is explained in detail or any developed module for PHP, maybe with javascript or anything.
I can't believe this is not possible, but can't find any working solutions...
Thanks in advance everyone for taking the time to read and reply!
I have a PHP application running with Nginx on a Linux server and it has a successful integration with my Active Directory using LDAP.
In the current scenario, the user is able to create a new login for the app or use his Windows credentials to log into the application.
Now, I'm trying to implement a complete Single-Sign On (SSO) and the user logged with his credentials in the Windows machine in the domain will be able to open the app logged without use the credentials again.
Doing some research on it, since my Linux server are not in the same domain, the best options is use NTLM (old and insecure), Kerberos protocol or Negotiate protocol (that will choose among NTLM and Kerberos for each request), depending on Windows version and what is implemented in the Domain Controller.
There is a lot of tutorials in the internet and also some good threads on the theme here in SO. This another link shows a good overview about the options using Apache as web server (for Kerberos option, I found a Nginx port, so this is not the main problem).
Well, I created some test application using these approaches (including all changes in the browser side, limited to Firefox), but all of then are dependents of Web Server (Apache, Nginx or even IIS). Since My app already has a complete integration with AD through LDAP, I'm interested in some Web Server independent solution. Are there any way to "bypass" the authentication in Web Server and get the information about the logged user direct on my PHP code (Client (Firefox) to Server (PHP))?
My best guesses for now are some type of "pure" PHP implementation of Kerberos, that needs of a PECL module or NTLM, that is insecure and still asks for the user credentials in the first request.
I know that maybe its impossible, but I'm asking it for the case that I missed something important information in this research. Is it possible to get the windows user info direct in PHP?
If you don't insist on nginx use Apache Web Server 2.4 with mod_auth_gssapi this is great, high quality code written by people who know what they do. I have been doing this for years for my PHP stuff.
I have a few requirements here on which I am not sure if they're even possible the way they're requested. Sorry beforehand for not having code, but I feel stackoverflow fits the most for this question, and I can't write code on company time before the situation is clear.
Setup
A windows server with an IIS and PHP running via FCGI. There's an intranet (php/mysql) running on this machine. Users currently have anonymous access to it, since it is an open intranet. All users are in the same windows domain.
SSO and windows shares
As far as my research got, single sign on via NTLM is possible and should not be a biggie to implement into the current intranet. However, there's a plugin running which reads directories from defined windows shares, and spits out a file list. Those files are read by a specific user account having read access to this share.
Is it possible to authenticate the current user at the windows share to read files, via that data I receive from SSO (via ntlm or kerberos or ...)?
You need Kerberos, Credential Deleagtion and Impersonation. Forget NTLM.
Edit: On Windows, this is solved by SSPI, on Unix by GSS-API.
In a Windows world with Windows clients and a LAMP web server, is it possible to take advantage of Windows Authentication to authenticate a user on the LAMP web site?
The motivations are:
Single sign on
Be able to access the user name of the Windows user
Edit: Twelve47 found this question and answer, but that only works on IIS unfortunately, so my question is NOT a duplicate of it, as opposed to what I stated 7 hours ago...
Active Directory can accessed using LDAP, you can then use LDAP in PHP or mod_auth_ldap in apache to query the AD.
You might like to check out adLDAP which a PHP project designed for PHP/AD integration.
For a website on the Intranet with all the IE security settings setup. I want to retrieve the current AD username that the user is logged in with. I don't need to authenticate because I am assuming that the person on the computer has already gone through the process.
Is this even possible? I've seen a lot of NTLM related stuff that shows how to authenticate but I can't seem to pull the current authenticated username easily without a prompt box, which is what I'm trying to avoid.
The server setup is a Windows server with Apache. If it is easily done with a Linux machine I can move it there too.
As stated in your question, IE has to be configured to allow Windows Integrated Authentication. Doing so basically gives IE permission to provide your credentials/token to sites that request it (usually limited to sites in the Intranet zone). Note that your web site will have to request those credentials (in IIS it is as simple as checking a checkbox). In Apache you'll have to find an Apache module that add NTLM authentication support to your web server. A quick Google search revealed a few different modules, none seemed particularly up to date. If you get an Apache NTLM module working, I suspect you'll be able to access the username via$_SERVER['AUTH_USER'].