We have a sharepoint instance on our network that we get automatically logged into by logging into Windows. (they do not get prompted to log in)
We have another web application that requires users to log in but it currently has it's own username/password setup.
Our goal is to get the other application (which we have built) to act the same way sharepoint does - if you are logged into windows it will log you right into the application.
Where do I start? (I assume this will require LDAP)
Any guidance would be greatly appreciated.
Our setup (windows):
Windows
IE7 & 8
Windows Active Directory managing users/password
Our setup (the other application):
RHEL (could be Windows Server if really necessary)
PHP 5
Apache
mySQL - username and password are stored in mySQL
Update:
Maybe a drawing would help: Look at this
You are looking to implement NTLM Authentication in the PHP application, see my prior answer on this:
Can a PHP intranet share Windows logins?
If your other web application uses Windows Integrated Authentication (NTLM or Kerberos authentication or even basic authentication) then it can act the same way. Depending on the browser, it can automatically remember and log into sites using one of these methods. Each browser may do it differently, though. IE has settings for automatically logging in based on the zone (Internet, Local intranet, trusted sites).
You would not necessarily need to have the have your other application use the same user store (AD/LDAP), but it would likely make sense.
Related
So I have a Zend Server and I'm looking for a way to enable automatic authentification with Windows credentials.
I want to basically have the same result as if you would enable Windows authentification / NTLM on an IIS-Server or if you would install the Apache module "mod_authnz_sspi" on an Apache-Server. After enabling/installing this, both of these methods pass the credentials of the Windows user who is currently logged in to PHP variables.
These variables being: $_SERVER["REMOTE_USER"] or $_SERVER["PHP_AUTH_USER"] which will contain the username. Using getenv("USERDOMAIN") it is also possible to retrieve the domain name.
With these variables set, I was able to achieve a Single-Sign-On solution for applications on my site.
One of these applications is "osTicket". I used the following plugins: https://github.com/osTicket/osTicket-plugins/tree/develop/auth-ldap and https://github.com/osTicket/osTicket-plugins/tree/develop/auth-passthru .
So AuthPassthru will pass the above mentioned PHP variables to the LDAP-Plugin. The LDAP-Plugin will then connect to my Active-Directory server with a service user and look up if the Windows user from the passed PHP-variables is part of the domain. If yes, then the user will automatically be logged in.
The other one is the CMS Joomla. Here I was able to basically do the same thing with the plugins pkg_shplatform, pkg_ldap_sso_core and plg_sso_http. Again I would create a service user to connect to Active-Directory and lookup the user from the variables passed on by the "plg_sso_http"-plugin to then log them in automatically.
I did this on an Apache-server using mod_authnz_sspi.
But now I have to use a Zend-Server and to basically do the same thing there. The goal is to provide a Single-Sign-On solution where users will only log into their Windows account and are then automatically logged into every application on my site with the Active Directory server authenticating them.
If nobody knows a solution to do SSO this way on Zend-Server, if you have any idea on how to do it in a Kerberos way (or any other) that would help, too!
I have an IIS 8 webserver hosting a PHP web application. There is a management page that requires windows authentication via the web.config file.
Is there any way to pull any identifying information that could be passed to the PHP application?
I've tried pulling the headers but nothing in there seems of any use. At one point I did get some identifying information in the cookie but that is not consistent.
Both of these did the trick:
$_SERVER['LOGON_USER'];
$_SERVER['AUTH_USER'];
We have an app that is hosted on our intranet in a Windows desktop using WAMP (W for Windows, P for PHP). We need to implement a new functionality - validate user's by using his / her windows logged in credentials whenever user visits our intranet site.
Here I lack some basic concepts of implementing it - how can I access current windows logged in user details in PHP.
Is there any way to detect out who the current user is and pass this users data for validation to our LDAP server for verification?
Take a look here : http://siphon9.net/loune/2007/10/simple-lightweight-ntlm-in-php/
Is 1 half of authentication.
Just a note apache needs to have KeepAlive On setting set.
It will give you current user's login/domain/workstation information.
If you need full NTLM authentication scheme support, your web server needs module for it.
Look here : http://modntlm.sourceforge.net/
and here : http://bloke.org/linux/ntlm-authentication-active-directory-on-apache-linux/
Inboth cases, URL needs to be in "Trusted zone" for IE and similar setup for firefox.
I would suggest you use mod_auth_sspi - Apache 2.x authentication module. It is very easy to setup.
Here is the homepage http://sourceforge.net/projects/mod-auth-sspi/
You can protect locations, folders, or specific files. You can allow/deny specific users, groups, domains etc.
I implemented this on a windows 2008 server running apache 2.2 and PHP 5.2 and it worked flawlessly for my SSO.
I used to work for a bank, that had a very cool feature in it's intranet. Once you logged in your computer, there were global variables set in PHP through Apache, and they contained the identity of the user that was logged on on the computer. Now I'm at a new job, and I'm wondering, how this thing worked! I would like to implement this kind of thing once again.
What I'm working with here:
FreeBSD server, version is unknown to me.
Apache 2.2 web server
PHP 5, some custom compilation, that for various reasons, I can't upgrade or modify.
MS AD
All of the users logging on to their computers are using active directory, all are in the same domain.
What I used to have was something like this:
echo $_SERVER['username']
which would print the username of the user currently logged in.
Could someone explain, how this could be done?
P.S. If any of my server settings are not what is required, say so, because then I will have a reason to ask the bosses to give me one of my own, with more control.
There's lots of ways this might be implemented. However a lot of them depend on having control over the client as well as the server.
Obvious sources of data include:
NTLM
Client side certificates
The Ident protocol (not very secure without the encryption extensions)
A long lasting cookie (again, not secure)
HTTP authentication methods
However none of these explain how the value appeared in the session - this must have been implemented within the PHP code.
So without knowing how it was implemented at your previous site we can't tell you:
Whether it was secure and correctly implemented
how to replicate the behaviour
Given your resource list, while it would be possible to implement authentication based on direct LDAP calls, passing the username and password through your application, I would strongly recommend using (e.g.) openId - but restricting the providers to just your openid provider - which would use the MSAD as the backend.
I did not understand correctly the question, so I edit my post...
you could use apache auth, you can make auth by ip's or hostnames
http://httpd.apache.org/docs/2.0/en/howto/auth.html
I have created some PHP-based intranet resources that require users to log in. The users create their own logins, and I verify that they are logged in using a cookie.
I've been asked if I can tie that login to their Windows login instead. My initial response was "a web page cannot access your Windows login - that would be a security risk." But one of our departments uses Sharepoint, and it does in fact tie itself to the Windows login.
How is that done? Can I do it in PHP? If so, why is it not a horrible security hole?
What you are looking for is NTLM authentication against the PHP website, which is perfectly doable but seems there is no single way in PHP to do it.
Have a look at http://siphon9.net/loune/2007/10/simple-lightweight-ntlm-in-php/
You also need to add the sites to your trusted sites in IE (or the equivalent in whichever browser you are using) and in the settings for trusted sites, turn on 'send current username and password'.
Its not a horrible security hole because the credentials are not sent en clair over the wire, and the end user has specifically told the browser to send credentials to the website in question.
PHP has LDAP support, so you can access Windows' Active Directory
There is this project on SourceForge:
adLDAP - "LDAP Authentication with PHP for Active Directory"
Often times this is done using a combination of LDAP and NTLM. Browsers like IE and Firefox can do NTLM authentication, which I believe is how Sharepoint works. I run a Java-based portal application that uses LDAP for syncing users and NTLM for authentication.
What you absolutely do not want to do is have the user enter their domain username and password into the browser. In years past I've seen several projects using this approach with LDAP to authenticate Windows users. You're correct, it is a security concern. The user should enter his or her password only once: when logging in to the workstation. The last thing you want are passwords sitting around in cache / temp files.
I apologize that I can not provide a "here's how you do it with a PHP app" answer. As far as I know, there is no one answer to this problem.
(One thing I have done in the past, and I never really checked to see if it was valid or poor form, was to use PHP from IIS. If you're using IIS, then PHP will populate the server variable REMOTE_USER with the Windows user's username (DOMAIN\user). It worked for what I was doing at the time.)