I've just migrated from PHP 5.2.3 using php5isapi.dll to PHP 5.3.0 using FastCGI and php-cgi.exe. On this site I have hooks for Windows/NTLM/HTTP authentication doing something like this:

if (empty($_SERVER["REMOTE_USER"]))
{
    header("HTTP/1.1 401 Unauthorized");
    exit;
}
// Variable names are case-sensitive in PHP: the superglobal is $_SERVER, not $_Server.
$winuser = $_SERVER["REMOTE_USER"];

//parse $winuser to make sure it is on my domain, and can login to the site.
//set a cookie specifying that this user is logged in
//redirect to site.

This worked just great under PHP 5.2.3 with isapi. Now that I've moved to FastCGI on IIS6, it is broken. It works for me, but I have administrator on the server. Those without administrator (most people) see some variant of the following:

FastCGI Error
The FastCGI Handler was unable to process the request. 
________________________________________
Error Details:
•   The FastCGI process exited unexpectedly 
•   Error Number: -1073741819 (0xc0000005). 
•   Error Description: Unknown Error 
HTTP Error 500 - Server Error.
Internet Information Services (IIS)

I have tried plowing through documentation and log files, but can't seem to make any headway. I don't actually want the remote username to be used to access my .php files; I just want to grab the name and match it to my database. The anon user should still be the one doing the actual PHP execution.

Any leads?

A: 

Some progress, but no real solution yet.

  1. Following the advice here was useful: FastCGI Docs, especially the Security Recommendations section. This got my errors out of FastCGI 500 and into the PHP error log.

  2. It appears that PHP/IIS/FastCGI wants to access the session directory (mine is C:\PHP\Session) via whatever user attempts to authenticate instead of the anon user.

  3. Setting "Modify" permissions on that folder to "All Users" allows the site to work as desired. However, I'm then wondering how big of a security hole I'm creating by doing this...

Will Shaver
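
An added example, not part of the original answer: a PowerShell check for the concern raised in step 3, listing the allow entries on the session directory that give a catch-all group write or delete rights. The path is the one named in the answer; the set of groups treated as "all users" and the function name `Get-BroadWriteAce` are assumptions made for this example.

```powershell
# Added example: audit the PHP session directory for write access granted to catch-all groups.
# The default path comes from the answer; everything else here is an assumption of this example.
param([string]$SessionDir = 'C:\PHP\Session')

# Well-known SIDs (locale-independent) for groups that cover nearly every account.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Specific rights that allow creating, altering or deleting session files.
# "Modify" and "FullControl" both contain these bits; "Read" and "ReadAndExecute" do not.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only entries may carry generic rights instead: GENERIC_ALL (0x10000000) | GENERIC_WRITE (0x40000000).
$genericBits = 0x50000000
$mask = $writeBits -bor $genericBits

function Get-BroadWriteAce {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Ask for SIDs directly so orphaned or localized account names cannot break the comparison.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (-not $broadSids.ContainsKey($rule.IdentityReference.Value)) { continue }
        if ((([int]$rule.FileSystemRights) -band $mask) -eq 0) { continue }
        $rule | Select-Object `
            @{ Name = 'Group'; Expression = { $broadSids[$_.IdentityReference.Value] } },
            FileSystemRights, IsInherited, InheritanceFlags
    }
}

$findings = @(Get-BroadWriteAce -Path $SessionDir)
if ($findings.Count -eq 0) {
    "OK: no catch-all group can write to $SessionDir"
} else {
    "Catch-all groups with write or delete rights on ${SessionDir}:"
    $findings | Format-Table -AutoSize
}
```

Any row it prints means every member of that group can create, overwrite or delete session files belonging to other users of the site.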