I'm trying to setup a web terminal server with dual factor authentication. I have a PHP web application on Apache that would let a user login using dual factor authentication. This part works just fine.
Eg: 10.3.80.167/Auth_App
Then I have a Microsoft Windows 2008 server with Web RDP running in IIS.
Eg: 10.3.80.169/webrdp
10.3.80.167 is open to the internet and people can log. What I want to do is to use as a additional level of security to web RDP.
Users will log into 10.3.80.167/Auth_App, and when they log in they'd have a button that would take them to 10.3.80.169/webrdp and be able to login. However 10.3.80.169/webrdp is not open to the internet.
So the bottom line is, I have one web server that is connected to the internet. There is second web server that isn't, but first web server has access to it. I'm trying to let people log in to the first web server and verify them, then they can access a website on the second web server via the first one.
I hope you understand what I'm trying to do. How do I archive this with Apache and PHP? (Auth App verifies a user and creates a session)
Many Thanks :)
I ended up installing both applications on the iiS and use a cookie
Related
This is not a new topic, but the information I find is always covering only a bit or not exactly what I would need. Here's the "issue"
I'm building a web application, on a Debian / Apache / PHP host.
The web server is NOT in our Active Directory, nor will it be.
Now the web application would need to query Microsoft SQL servers to gather the information to display and so on.
Now, I've installed the Microsoft SQL drivers (version 17) and try to connect. This gives errors because we only allow windows authentication and not directly SQL authentication.
This is where the problem starts. I cannot find any proper documentation on how to get this working. It seems that if you connect without UID and PWD, it tries to logon with the UID owner of the process. This is in this case the APACHE user...which is an account on the Linux server, not known in the Active Directory /Domain. I can't have the Apache server run as a windows account, since that will impact other domains and applications running on that web server. Meaning I'm stuck....
So the questions are basically:
Is there really no proper solution to implement Windows Authentication to MSSQL with PHP (so without work arounds and so on?
Is there any site where this is explained in detail or any developed module for PHP, maybe with javascript or anything.
I can't believe this is not possible, but can't find any working solutions...
Thanks in advance everyone for taking the time to read and reply!
I have a PHP application running with Nginx on a Linux server and it has a successful integration with my Active Directory using LDAP.
In the current scenario, the user is able to create a new login for the app or use his Windows credentials to log into the application.
Now, I'm trying to implement a complete Single-Sign On (SSO) and the user logged with his credentials in the Windows machine in the domain will be able to open the app logged without use the credentials again.
Doing some research on it, since my Linux server are not in the same domain, the best options is use NTLM (old and insecure), Kerberos protocol or Negotiate protocol (that will choose among NTLM and Kerberos for each request), depending on Windows version and what is implemented in the Domain Controller.
There is a lot of tutorials in the internet and also some good threads on the theme here in SO. This another link shows a good overview about the options using Apache as web server (for Kerberos option, I found a Nginx port, so this is not the main problem).
Well, I created some test application using these approaches (including all changes in the browser side, limited to Firefox), but all of then are dependents of Web Server (Apache, Nginx or even IIS). Since My app already has a complete integration with AD through LDAP, I'm interested in some Web Server independent solution. Are there any way to "bypass" the authentication in Web Server and get the information about the logged user direct on my PHP code (Client (Firefox) to Server (PHP))?
My best guesses for now are some type of "pure" PHP implementation of Kerberos, that needs of a PECL module or NTLM, that is insecure and still asks for the user credentials in the first request.
I know that maybe its impossible, but I'm asking it for the case that I missed something important information in this research. Is it possible to get the windows user info direct in PHP?
If you don't insist on nginx use Apache Web Server 2.4 with mod_auth_gssapi this is great, high quality code written by people who know what they do. I have been doing this for years for my PHP stuff.
I'm not sure if this is a PHP or an IIS 7.5 (on Windows 2008 server) problem. I have a web application that uses AJAX to call a PHP script that ftp's pictures from a remote server. The pictures are then saved locally and a link is made to them. Previously I had no issue with the users executing this but this has changed and they can not execute the ftp. In troubleshooting I temporarily made one of the [trusted] users an administrator on the server and they could execute the ftp. As far as the ftp goes, the username and password are hard coded and therefore independent of who is using them, as long as I have given them access to my web server. The users can execute all other PHP and database-related scripts, it's just the ftp portion. I'm hoping that someone might have some direction for me, thank you in advance.
After ten years of ASP.net development (i.e. I know very little about PHP), I have just installed my first PHP web site running on a Windows Server 2008 R2 IIS 7.5 web server.
The web server is one of three servers running in a small network.
I have set up DNS to reference the web server.
If I open a browser on any of the local network machines and enter the url, the web site opens and runs perfectly.
If I do the same thing with a PC that is not part of the network I am unable to open the web site.
I'm not sure if this is a PHP or IIS problem (or maybe both).
Can anyone point me in the right direction?
Thanks.
I'd be very surprised if it is a PHP problem. I have found some very odd behaviour in IIS with it apparently tunelling NTLM authentication to access resources on network drives, but you need to start by looking at the simple things first.
Can you access static content on the webserver? If not then you need to have a look at how your DNS, network routing and firewalls are configured.
If you can access static content but not PHP content, then the webserver should be lofgging the reason why it's turning down requests for PHP files - go read your logs.
ServerA-> 64 Bit Windows 2008 (IIS 7 && PHP 5.3.6)
ServerB-> 32 Bit Windows 2003 (Fileserver)
I'm trying to access a \ServerB\directory1\directory2\file.abc via fopen through a site hosted on ServerA and am getting a Permission Denied error. It's the default website using the default application pool.
What I've tried giving the following accounts or groups in the AD full permissions to the directory (and file through inheritance) and it still gave the error:
manually created a IUSR_SERVERA account (it didn't previously exist)
IIS_WPG
Everyone
Network Service
Anonymous Access
Authenticated Users
The Identity for the DefaultAppPool is NetworkService and has 32 bit applications enabled.
IUSR_SERVERA has full permissions to the local php directory.
Any help is appreciated. I've temporarily solved the issue by copying the file needed locally to SERVERA's wwwroot folder, but that can't be a permanent solution at all.
Thanks
-Mike
Thanks for the ProcMon suggestion, it brought me to the answer. I didn't set up the default application correctly.
I read and re-read everything I could find, but nothing said this specificially:
If you need to access network files using PHP through IIS 7, set up an account with proper credentials in the Application Defaults for the site you're working on.
To do so, go into the IIS Manager
Select your site from the Connections pane
Click the View Applications link in the Actions pane (far right side of the screen)
Click Set Application Defaults in the Actions pane in the new screen
Choose DefaultAppPool from the Application Pool section
Enter proper credentials in the Physical Path credentials section
Know that changing the Process Model -> Identity in the Advanced Settings of the Default App Pool had no effect on allowing it to happen.
The IUSR_SERVERA account isn't going to be of much use, given that PHP is executing underneath the default app pool, which you said runs as NetworkService.
What you need to do is give permissions on ServerB to SERVERA\NetworkService, because that's a local account, not an AD account.
Otherwise, you could change the default app pool to run as IUSR_SERVERA, and then it should work, assuming that account is an AD account and not a local one.
If you still can't figure it out, grab a copy of ProcMon, and monitor the messages for accesses containing the desired path, and see what the actual OS denial reason is, and what account it's attempting to utilize.