Using PHP to get a windows username

the_manchine

Hi,

I need to be able to get the windows username for automatic login to an intranet site. I've set up an IIS server (Windows 2003/IIS6.0), and installed PHP5 following the guidelines from tutorials like this one:
http://www.design-ireland.net/index.php?http%3A//www.design-ireland.net/alpha/controller/view_article.php%3Foid%3D00000000041

Note: MySQL has not been installed - doesn't seem like it's needed?

PHP seems to be working fine. I have disabled anonymous authentication, but I'm still getting nothing back when I use any of these:
$_SERVER["AUTH_USER"];
$_SERVER["LOGON_USER"];
$_SERVER["REMOTE_USER"];
The IIS server is in the same domain as the machine I'm accessing it from. I'm pretty sure there's some small thing that needs to be done, any ideas?

Before anybody mentiones it - I *have* to use windows for support reasons

phil

If you're solely using IE/IIS6, "Integrated Windows Authentication" might solve all of your problems. http://en.wikipedia.org/wiki/Integrated_Windows_Authentication

Apart from that as far as I know there's no way to do what you're suggesting automatically. Your browser will not pass domain credentials automatically to the webserver. In that scenario, PHP has no visibility over anything. You have a couple of options:

1. Allow IIS to do the authentication (via NTLM). This will still prompt for a username/password option to the end-user. IIS will then pass those details along as environment variables

2. Setup PHP to do NTLM authentication and then set a long-life cookie on the browser. This might be more user friendly, but requires more development on your side to do the authentication. Of course, the cookie based system allows more flexibility in terms of keeping users logged in across browser sessions.

The third option, requiring the most amount of work would be to use an ActiveX control to do this. Personally I'd go for (1) and keep life simple.



Phil.

seamus

phil wrote: »

There's no way to do what you're suggesting automatically. Windows / IE will not pass domain credentials automatically to the webserver.

Yep, it sure does actually. I use it all the time for providing custom content to domain users on our intranet. There's a security setting in IE (I think it's set by default for the Intranet zone) to automatically logon in that zone. $_SERVER will give you their username in the domain\username format.

You seem to have done everything right. When you disable anonymous logon on IIS, make sure that this is inherited for all subfolders. You can set authentication mode on any subfolder or file, so some files may have anonymous authentication on, others may not.

Check the NTFS permissions on the relevant folder. If the Anonymous user has access to that folder, it may not be logging in.

Remove the anonymous user, add the everyone group (give then Read & Execute) and reboot the IIS server.

phil

Oh I edited that a bit before you posted, see above . "Intranet" was the magic keyword I missed originally

seamus

And you're right, he also needs to make sure that "Integrated Windows Authentication" is enabled for the relevant site/folders.

the_manchine

Arrgghh - found the problem. Was down to some permissions!!

PEBKAC

Thanks for the replies.