views: 675
answers: 2

Hi,

I'm currently integrating a CMS (developed in PHP) authentication with Active Directory. This specific Active Directory only allows authentication through Kerberos, or ldaps:// (but this last one is not the most wanted since I'll have to use absolute paths).

I've been searching the web for anything about PHP AD Kerberos Authentication, but found nothing. Can anyone point me in the right direction?

Thanks in advance.

+1  A: 

Not a freeware solution - Google the 'Plexcel' keyword.

Alexey Sviridov
+2  A: 

If you are using Active Directory, it's possible your webserver is IIS, which has inbuilt Kerberos*.. then just let the browser & webserver handle the authentication and use some PHP like:

<?php
// AUTH_USER is populated by IIS itself after Integrated Windows Authentication,
// not taken from a client-supplied request header.
$user = isset($_SERVER['AUTH_USER']) ? $_SERVER['AUTH_USER'] : false;
if ((false === $user) or ('' == $user)) {
    // Divert to incorrect password page..
    // MSIE typically tries three times, Kerb/NTLM/Plain
    // FF will only try NTLM/Plain if configured for NTLM
    // Chrome.. won't work with this at all.. not that I have discovered.
    // If testing locally using Apache, user will be 0
}

Now you can do SSO using Kerberos, works a charm.

*: Called "Integrated Windows Authentication" http://support.microsoft.com/kb/324274 and must be enabled in browser by setting "Security Zone" to "Local Intranet".. which may happen if the IIS box is actually on the Local Intranet.. but it depends on the SPN and the domain the User's box and IIS box and any trust relationships.. if it's on a single domain with the domain name/machine name the same it should work. If you are clustering or anything fun, expect a major headache, rather than just a normal headache. You can script/GPO the IE settings if you feel the need..

Hopefully you are asking about something else.. If I prayed it would be that you didn't implement this, it causes the whole authentication process for every single request.. which turns out slows down every page load.. no matter how many aggregations/hacks/workarounds you implement.. it was just a bad idea, but once you start or tell a manager about it, they really love it because it saves them having to login again.. oh, they will still complain about speed, but..

Grizly
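As an added example (not code from either answer), here is how the CMS side could normalise the identity that the web server hands to PHP once the browser and server have finished the Kerberos negotiation the answer above relies on. It assumes the server variables AUTH_USER (IIS, "DOMAIN\user") and REMOTE_USER (Apache mod_auth_kerb / mod_auth_gssapi, "user@REALM"); the function name parseAuthenticatedPrincipal, the realm allowlist and the sample values are constructed for this illustration.

```php
<?php
// Added example, not from the original answers. Normalises the identity that
// IIS (AUTH_USER, "DOMAIN\user") or Apache mod_auth_kerb/mod_auth_gssapi
// (REMOTE_USER, "user@REALM") sets after Kerberos/NTLM negotiation.
// Only these server-populated variables are trusted; HTTP_* request headers
// never are, because a client can send those itself.

declare(strict_types=1);

/**
 * Returns ['user' => 'jdoe', 'realm' => 'CORP'] on success, or null if the
 * request did not arrive authenticated by the web server.
 * $allowedRealms is an allowlist (upper-case NetBIOS or DNS names) of the AD
 * domains the CMS actually wants to accept; accounts from other trusted
 * domains or forests are refused instead of being silently logged in.
 */
function parseAuthenticatedPrincipal(array $server, array $allowedRealms): ?array
{
    // IIS sets AUTH_USER (and LOGON_USER); Apache sets REMOTE_USER.
    $raw = $server['AUTH_USER'] ?? $server['REMOTE_USER'] ?? '';
    if (!is_string($raw) || $raw === '') {
        // Anonymous access reached the script: IWA is off, or anonymous
        // authentication is still enabled alongside it on the site.
        return null;
    }

    if (strpos($raw, '\\') !== false) {
        // "DOMAIN\user" form produced by IIS
        [$realm, $user] = explode('\\', $raw, 2);
    } elseif (strpos($raw, '@') !== false) {
        // "user@REALM" Kerberos principal form produced by Apache modules
        [$user, $realm] = explode('@', $raw, 2);
    } else {
        // Bare name: server already mapped it locally, or single-domain IIS box.
        // Attribute it to the first allowed realm (assumption for this example).
        $user  = $raw;
        $realm = $allowedRealms[0] ?? '';
    }

    // Conservative allowlist for the account name, tighter than what AD itself
    // permits for sAMAccountName, so nothing odd reaches the CMS user lookup.
    if (!preg_match('/^[A-Za-z0-9._-]{1,20}$/', $user)) {
        return null;
    }

    $realm = strtoupper($realm);
    if (!in_array($realm, $allowedRealms, true)) {
        return null;
    }

    // AD identities are case-insensitive; normalise before using as a key.
    return ['user' => strtolower($user), 'realm' => $realm];
}

// Constructed sample values standing in for $_SERVER on a real request.
$allowed = ['CORP', 'CORP.EXAMPLE.COM'];
var_dump(parseAuthenticatedPrincipal(['AUTH_USER' => 'CORP\\jdoe'], $allowed));
var_dump(parseAuthenticatedPrincipal(['REMOTE_USER' => 'jdoe@corp.example.com'], $allowed));
var_dump(parseAuthenticatedPrincipal(['AUTH_USER' => ''], $allowed));
var_dump(parseAuthenticatedPrincipal(['AUTH_USER' => 'OTHERFOREST\\jdoe'], $allowed));
```

The first two calls yield the same normalised user in the CORP and CORP.EXAMPLE.COM realms respectively; the empty value and the account from a realm outside the allowlist both come back as null. The realm check matters because, as the answer notes, trust relationships decide which accounts can complete the negotiation, so without an explicit allowlist an account from any trusted domain would be accepted as a CMS user. An empty AUTH_USER on IIS usually means anonymous authentication is still enabled for the site; disabling it there keeps the script from ever running for an unauthenticated request.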