Manoj Tyagi - 2008-02-25 04:01:51
Hi Manuel Lemos,
I have a question which I am not finding the answer for.
I have set up “single sign on” by enabling the “windows integrated authentication” in IIS.
My script reads the value of $_SESSION[REMOTE_USER] and then allows the access to the user.
This works fine with the domain logged in users.
It challenges external users for the username and password with the default (IIS generated) login window.
I want to use my custom login screen (html/php) page for this authentication.
In other words, it is not passing the user credentials to IIS and the script is not getting the value of $_SERVER['REMOTE_USER'] until I enable the “windows integrated authentication”.
Can you please let me know how I can get it working?
My goal is to allow external users to provide a login screen to enter Username (not as SERVERNAME\\username), Password , Domain
And
To allow the access to Domain logged in users, without challenging for Username and password.
Windows 2003
PHP Ver. 4.4.9 (Server API CGI/FastCGI)
IIS 6 (Windows Integrated authentication Enabled)
Sorry if I am posting it at the wrong place.
Manuel Lemos - 2008-02-25 04:31:16 - In reply to message 1 from Manoj Tyagi
For now, the SASL class library is for client side authentication.
If you want to authenticate users outside a Windows network, you may provide a PHP page (preferably SSL) with a form that takes the user name and password. Then you use the SASL class library with the HTTP client class to access a page in your own Web server that requires NTLM authentication.
phpclasses.org/httpclient
If the authentication fails it returns status 401. If it returns status 200 or maybe a 30X redirection status, the authentication succeeded.
Manoj Tyagi - 2008-02-25 05:27:20 - In reply to message 1 from Manoj Tyagi
If I could read (not sure if this is possible) the value of $_SERVER[REMOTE_USER] without forcing the NTLM authentication, then I will be good.
I am willing to read this value in my script, either without enabling the "integrated Authentication" or by disabling the login popup window for external users.
Are there other ways to get the REMOTE_USER value?
I am just willing to get this type of script working for the Domain logged-in users, as well as for the External users.
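<?php
// Domain user: IIS integrated authentication has already set REMOTE_USER.
if (!empty($_SERVER['REMOTE_USER']))
    echo "welcome ".$_SERVER['REMOTE_USER'];
// External user: a username was posted from the custom login form.
elseif (!empty($_POST['username']))
    echo "welcome ".$_SERVER['REMOTE_USER'];
else
    echo "Access Denied";
?>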
Manuel Lemos - 2008-02-25 06:22:56 - In reply to message 3 from Manoj Tyagi
That may be possible if your script has access to the Authorization header. Usually this is only possible when you run PHP as a Web server module, not as CGI.
If you can have access to the Authorization request header, you can implement Basic, NTLM or any other authentication method.
Just keep in mind that Basic authentication is even less secure than NTLM, so SSL is even more recommended.
Manoj Tyagi - 2008-02-25 07:39:15 - In reply to message 4 from Manuel Lemos
What do you mean by "if your script has access to the Authorization header"?
I have complete control of the web server and can configure it accordingly.
Is the Web server module available for IIS also?
Can you please let me know any URL where I can download it and find some more info?
Sorry to bother, but I am new to this.
Thanks
Manuel Lemos - 2008-02-25 13:51:38 - In reply to message 5 from Manoj Tyagi
I do not use IIS, but with Apache you can call the function getallheaders() to retrieve any header sent by the browser, including Authorization.
I don't know if there is an equivalent function when using PHP with IIS as Web server module, or maybe an environment variable with a copy of the Authorization header. You need to check that out.
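An added example, not code from either poster: one way to check from PHP whether the Authorization request header discussed above reaches the script, and to decode it when the scheme is Basic. The helper names and sample values are constructed, and which server variable (if any) your Web server fills in is an assumption to verify on your own setup.

```php
<?php
// Added example: helper names and sample values are constructed, not from the thread.
// $headers: what getallheaders() returns where it exists (e.g. PHP as Apache module).
// $server:  $_SERVER; whether HTTP_AUTHORIZATION is set is an assumption to verify.
function find_authorization_header($headers, $server)
{
    foreach ($headers as $name => $value) {
        if (strcasecmp($name, 'Authorization') === 0) {
            return $value;
        }
    }
    foreach (array('HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION') as $key) {
        if (!empty($server[$key])) {
            return $server[$key];
        }
    }
    return null; // the server did not pass the header on to the script
}

// Split the header into scheme and, for Basic only, user name and password.
function parse_authorization($raw)
{
    if (!is_string($raw) || !preg_match('/^(\S+)\s+(\S+)$/', trim($raw), $m)) {
        return null;
    }
    $scheme = strtolower($m[1]);
    if ($scheme !== 'basic') {
        // NTLM and Negotiate carry handshake messages, not a user name and password.
        return array('scheme' => $scheme);
    }
    $decoded = base64_decode($m[2], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null; // malformed Basic credentials
    }
    list($user, $password) = explode(':', $decoded, 2);
    return array('scheme' => 'basic', 'user' => $user, 'password' => $password);
}

// Constructed sample requests; in a real script pass getallheaders() and $_SERVER.
$samples = array(
    'module, Basic' => array(array('Authorization' => 'Basic ' . base64_encode('alice:s3cret')), array()),
    'CGI variable'  => array(array(), array('HTTP_AUTHORIZATION' => 'NTLM TlRMTVNTUAAB')),
    'header hidden' => array(array(), array('REMOTE_USER' => '')),
);
foreach ($samples as $label => $sample) {
    $auth = parse_authorization(find_authorization_header($sample[0], $sample[1]));
    $user = isset($auth['user']) ? $auth['user'] : '-';
    echo $label . ': ' . ($auth ? $auth['scheme'] . ' user=' . $user : 'no Authorization header') . "\n";
}
```

If the third case is what you see on your server, the script cannot implement the authentication itself and has to rely on what the Web server reports in REMOTE_USER.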