I have a few requirements here on which I am not sure if they're even possible the way they're requested. Sorry beforehand for not having code, but I feel stackoverflow fits the most for this question, and I can't write code on company time before the situation is clear.
Setup
A windows server with an IIS and PHP running via FCGI. There's an intranet (php/mysql) running on this machine. Users currently have anonymous access to it, since it is an open intranet. All users are in the same windows domain.
SSO and windows shares
As far as my research got, single sign on via NTLM is possible and should not be a biggie to implement into the current intranet. However, there's a plugin running which reads directories from defined windows shares, and spits out a file list. Those files are read by a specific user account having read access to this share.
Is it possible to authenticate the current user at the windows share to read files, via that data I receive from SSO (via ntlm or kerberos or ...)?
You need Kerberos, Credential Deleagtion and Impersonation. Forget NTLM.
Edit: On Windows, this is solved by SSPI, on Unix by GSS-API.
Related
I have a PHP application running with Nginx on a Linux server and it has a successful integration with my Active Directory using LDAP.
In the current scenario, the user is able to create a new login for the app or use his Windows credentials to log into the application.
Now, I'm trying to implement a complete Single-Sign On (SSO) and the user logged with his credentials in the Windows machine in the domain will be able to open the app logged without use the credentials again.
Doing some research on it, since my Linux server are not in the same domain, the best options is use NTLM (old and insecure), Kerberos protocol or Negotiate protocol (that will choose among NTLM and Kerberos for each request), depending on Windows version and what is implemented in the Domain Controller.
There is a lot of tutorials in the internet and also some good threads on the theme here in SO. This another link shows a good overview about the options using Apache as web server (for Kerberos option, I found a Nginx port, so this is not the main problem).
Well, I created some test application using these approaches (including all changes in the browser side, limited to Firefox), but all of then are dependents of Web Server (Apache, Nginx or even IIS). Since My app already has a complete integration with AD through LDAP, I'm interested in some Web Server independent solution. Are there any way to "bypass" the authentication in Web Server and get the information about the logged user direct on my PHP code (Client (Firefox) to Server (PHP))?
My best guesses for now are some type of "pure" PHP implementation of Kerberos, that needs of a PECL module or NTLM, that is insecure and still asks for the user credentials in the first request.
I know that maybe its impossible, but I'm asking it for the case that I missed something important information in this research. Is it possible to get the windows user info direct in PHP?
If you don't insist on nginx use Apache Web Server 2.4 with mod_auth_gssapi this is great, high quality code written by people who know what they do. I have been doing this for years for my PHP stuff.
I am an intern in a company and have to make an intranet for the company. The difficulty for me is that i am very new to programming and don't really know how apache works.
The users don't want to log into the intranet (put the login and password) everytime they come on the site, they want them to be logged in without doing that.
All my users use Windows 7 (or higher), and i will write the intranet in php-sql, using apache server 2.4.
I want to know how i can connect the users by SSO using NTLM (because the authentification is done with Active Driectory, i would like the user to be connected automatically with their Windows login and password)? What is the apache module for that and how do i proceed ? What Library do i use in PHP ?
I really am stuck at this point and can't seem to find a solution, please help me. I found some links that could help me but i don't understand what is the author saying.
Here are some links about the subjects :
a forum question
a wiki article
Actually i saw that this kind of question was already asked here (How can I implement single sign-on (SSO) using Microsoft AD for an internal PHP app?) but I don't get the solution, I would like someone to explain a little bit in detail as i said before i am very new to programming.
First of all using Apache is not necessary and will complicate things somewhat to do what you are trying to do, if you can use IIS server on one of your Windows servers you will be laughing.
Install PHP on the IIS server
Create a new website in IIS
Set the new websites access to Windows Authentication and disable anonomouse access.
What this will do is configure IIS to authenticate the users against Active Directory, if they are on a Windows machine on the local network, already authenticated to the local domain, and the intranet is defined by GPO as a intranet site then the users Windows login details will be automatically passed and can be accessed in PHP using the $_SERVER superglobal.
We have around 10 iMac's connected to mac mini server. php and Apache enabled on server. I am developing intranet website using php. My requirement is to get the username of the client connected to the server. $_SERVER['REMOTE_USER'] is not working. I don't know why. Please help me out. Is it possible to write JS to find it? It should not ask for user login. It should directly take from client machine login.
$_SERVER['REMOTE_USER'] will contain the username used for HTTP auth. There is no reasonable way to persuade a browser to tell you what OS user the visitor is logged in as (you might have some luck with a signed Java applet, but I wouldn't bet on it).
For an intranet site/app, where you have control over the client machines, you can use some script/application running on system startup which will read the username and store it as a cookie. You can than read that cookie from you web site.
How cookies are stored differs between browser. For example, firefox 3+ uses an sqlite database with a documented format (see this post for some more info). You have to make sure, that the browser is not running when accessing the cookies.
I believe what you're looking for is Single Sign On (SSO). This is most commonly used on windows computers connected to a domain which allows users to authenticate to intranet sites without entering any credentials (eg it uses their domain credentials).
I don't know of a pure mac equivalent. The (most recent) Windows system is called Kerberos and is supported by Firefox on Mac as mentioned here: http://www.cgl.ucsf.edu/Security/CGLAUTH/CGLAUTH.html
It's worth noting that this requires the OS, Browser and Website to all work together. Some issues: firefox (even on windows) doesn't send the login details automatically, it requires a config change to include the site you want to authenticate with. The website needs to be able to verify the authenticity of the credentials passed to it which usually means it needs to be able to communicate with the credential authority (Domain controller/RADIUS/X500 server, etc.). The pesmissions mechanism needs to support (and be configured) to allow credential delegation (that is, the client PC is allowed to pass tokens on to the website to prove identity).
This question was by someone who's managed to get this working on linux so should be a good starting point
In a Windows world with Windows clients and a LAMP web server, is it possible to take advantage of Windows Authentication to authenticate a user on the LAMP web site?
The motivations are:
Single sign on
Be able to access the user name of the Windows user
Edit: Twelve47 found this question and answer, but that only works on IIS unfortunately, so my question is NOT a duplicate of it, as opposed to what I stated 7 hours ago...
Active Directory can accessed using LDAP, you can then use LDAP in PHP or mod_auth_ldap in apache to query the AD.
You might like to check out adLDAP which a PHP project designed for PHP/AD integration.
For a website on the Intranet with all the IE security settings setup. I want to retrieve the current AD username that the user is logged in with. I don't need to authenticate because I am assuming that the person on the computer has already gone through the process.
Is this even possible? I've seen a lot of NTLM related stuff that shows how to authenticate but I can't seem to pull the current authenticated username easily without a prompt box, which is what I'm trying to avoid.
The server setup is a Windows server with Apache. If it is easily done with a Linux machine I can move it there too.
As stated in your question, IE has to be configured to allow Windows Integrated Authentication. Doing so basically gives IE permission to provide your credentials/token to sites that request it (usually limited to sites in the Intranet zone). Note that your web site will have to request those credentials (in IIS it is as simple as checking a checkbox). In Apache you'll have to find an Apache module that add NTLM authentication support to your web server. A quick Google search revealed a few different modules, none seemed particularly up to date. If you get an Apache NTLM module working, I suspect you'll be able to access the username via$_SERVER['AUTH_USER'].