Is it possible to use the user's Windows authentication (setting in IIS) for database connections in PHP?

This is possible in the .NET world through a technique called "impersonation". Does this also exist in the PHP/IIS world?

EDIT: The Database I am using is MS SQL Server 2005.

+1  A: 

Must each user be verified separately? If not, you can set IIS to impersonate one person.

Johannes
that might work. But verifying each user separately would be preferable...
Daren Thomas
As far as I know, there is something called secondary passing or something like that. IIS is not allowed to pass windows credentials to a secondary source. Therefore, you might need a list of users on the datasource and compare that with the credentials you get from the client
Johannes
+3  A: 

If you can authenticate the PHP application with Kerberos, you can use Kerberos delegation to pass the credentials to the secondary server.

Ken Schaefer has a whole series of blogs on Kerberos, including this article on delegation.

Christopher_G_Lewis
+1  A: 

I know that you can supply the login name and password that you want associated with your ODBC connection if you create it through System DSN. I assume that the login un/pw can be windows user accounts.

Doing it that way seems to limit you to a predetermined account. It might be possible to create a group, add the desired users, password protect the directory and only allow the group access to the directory.

You didn't say which database you're using though. If you are using MS Access, I know you can hide your database passwords. See my comment on another post.

42
A: 

Which way are you running IIS on PHP? As a standalone CGI or ISAPI?

My preferred solution would be to have a separate user on SQL Server for the access, instead of trying to force IIS to run as an impersonated user, which is fine for development machines but not so good later on for production or even staging.

But if you're using FastCGI, it is possible to impersonate a user that the process is run by with the configuration file, from what I remember, which passes the logged-in user's credentials.

Chris S
+1  A: 

Impersonation through Kerberos is the most secure answer, as well as the simplest to administrate. Having separate 'synthetic' users when accessing resources like databases means you basically bypass all possibilities for database authorization, get duplicate points of access administration, and that you get zero traceability at the database level (you just see that MySyntheticUser tried to access something, not who was behind it).

Having said this, I should warn you that Microsoft's Kerberos isn't always as straightforward as you would expect. We've had significant trouble getting it to work between pure .NET solutions, IIS, SQL Server 2005, AD domains and Internet Explorer. Most of it was down to getting trust configured exactly right. Also, while I'm not a PHP developer myself, I find some indications that you may have trouble accessing Kerberos library functionality. Find out what support you can get for SSPI. Also, your PHP process must have the necessary permissions to impersonate users, which I believe can be administered through IIS.

I would not necessarily expect all of this to be straightforward or easy, particularly as Microsoft has few incentives to support non-Microsoft languages and platforms.

Pontus Gagge
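An added example (not from any poster in this thread) of the check the last two answers call for: which Windows login actually reaches SQL Server from PHP under IIS, and whether the hop used Kerberos (required for delegation) or NTLM. It assumes the Microsoft `sqlsrv` extension is loaded and that IIS Windows authentication is on; the server and database names are placeholders.

```php
<?php
// Added example, not code from the original thread. Assumes the Microsoft
// "sqlsrv" PHP extension; 'SQLHOST\INSTANCE' and 'AppDb' are placeholders.

function connect_integrated(string $server, string $database)
{
    // No UID/PWD in the options array means Windows (integrated) authentication.
    // The login SQL Server sees is the identity of the PHP worker process, or the
    // impersonated/delegated browser user if IIS and Kerberos are set up for that.
    $conn = sqlsrv_connect($server, ['Database' => $database]);
    if ($conn === false) {
        throw new RuntimeException(print_r(sqlsrv_errors(), true));
    }
    return $conn;
}

function identity_seen_by_sql_server($conn)
{
    // SUSER_SNAME(): login the session runs as; ORIGINAL_LOGIN(): login that opened
    // the connection; auth_scheme: KERBEROS, NTLM or SQL for this session.
    // NTLM cannot be forwarded a second hop, so delegation shows up as KERBEROS.
    $sql = "SELECT SUSER_SNAME() AS login_name,
                   ORIGINAL_LOGIN() AS original_login,
                   auth_scheme
            FROM sys.dm_exec_connections
            WHERE session_id = @@SPID";
    $stmt = sqlsrv_query($conn, $sql);
    if ($stmt === false) {
        throw new RuntimeException(print_r(sqlsrv_errors(), true));
    }
    $row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC);
    sqlsrv_free_stmt($stmt);
    return $row;
}

// Compare the browser user IIS authenticated (AUTH_USER) with the login SQL Server
// reports. If they differ, requests reach the database as the application-pool
// account (the "synthetic user" case above): per-user authorization and auditing
// on the database side are then not happening, whatever the web tier believes.
$conn = connect_integrated('SQLHOST\\INSTANCE', 'AppDb');   // placeholders
$row  = identity_seen_by_sql_server($conn);
printf("IIS user: %s, SQL login: %s, scheme: %s\n",
       $_SERVER['AUTH_USER'] ?? '(anonymous)',
       $row['login_name'] ?? '?',
       $row['auth_scheme'] ?? '?');
sqlsrv_close($conn);
```

Run it once as an ordinary domain user and once as the app-pool identity; a matching login with `KERBEROS` is the only result that gives the database-level traceability the answer above argues for.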