I'm running PHP, Apache, and Windows. I do not have a domain set up, so I would like my website's forms-based authentication to use the local user accounts database built in to Windows (I think it's called SAM).

I know that if Active Directory is set up, you can use the PHP LDAP module to connect and authenticate in your script, but without AD there is no LDAP. What is the equivalent for standalone machines?

A: 

Good Question!

I've given this some thought... and I can't think of a good solution. What I can think of is a horrible horrible hack that just might work. After seeing that no one has posted an answer to this question for nearly a day, I figured a bad, but working answer would be ok.

The SAM file is off limits while the system is running. There are some DLL Injection tricks which you may be able to get working but in the end you'll just end up with password hashes and you'd have to hash the user provided passwords to match against them anyway.

What you really want is something that tries to authenticate the user against the SAM file. I think you can do this by doing something like the following.

  1. Create a File Share on the server and make it so that only accounts that you want to be able to log in as are granted access to it.
  2. In PHP use the system command to invoke a WSH script that: mounts the share using the username and password that the website user provides, records if it works, and then unmounts the drive if it does.
  3. Collect the result somehow. The result can be returned to PHP either on the stdout of the script, or hopefully using the return code for the script.

I know it's not pretty, but it should work.

I feel dirty :|

Edit: reason for invoking the external WSH script is that PHP doesn't allow you to use UNC paths (as far as I can remember).

Allain Lalonde
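
The three steps above, sketched as an added example that is not part of the original answer: it runs `net use` directly from PHP instead of going through a WSH script, and passes the submitted values as separate arguments so they never reach a shell. The share name `\\localhost\authcheck`, the lock file name and the function names are hypothetical; PHP 7.4 or later on Windows is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical share from step 1; only accounts allowed to log in have access.
const AUTH_SHARE = '\\\\localhost\\authcheck';

// Run net.exe without a shell (array form of proc_open, PHP 7.4+), so the
// submitted values are passed as single arguments and never parsed by cmd.exe.
function run_net(array $args): int
{
    $nul = [0 => ['null'], 1 => ['null'], 2 => ['null']]; // no prompt, no output kept
    $proc = proc_open(array_merge(['net.exe'], $args), $nul, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start net.exe');
    }
    return proc_close($proc); // exit code of net.exe, 0 on success
}

function check_local_account(string $user, string $password): bool
{
    // Conservative allowlist (an assumption, stricter than Windows itself):
    // rules out "/" switches and DOMAIN\user or user@host forms.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,20}\z/', $user)) {
        return false;
    }
    // An empty password would make net.exe prompt; a leading "/" could be
    // read as a switch instead of a password.
    if ($password === '' || $password[0] === '/') {
        return false;
    }
    // Serialize checks: a second connection to the same server under a
    // different user name fails while the first one is still mounted.
    $lock = fopen(sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'authcheck.lock', 'c');
    if ($lock === false || !flock($lock, LOCK_EX)) {
        return false;
    }
    try {
        $ok = run_net(['use', AUTH_SHARE, $password, "/user:$user", '/persistent:no']) === 0;
        if ($ok) {
            run_net(['use', AUTH_SHARE, '/delete', '/y']); // step 2: unmount again
        }
        return $ok;
    } finally {
        flock($lock, LOCK_UN);
        fclose($lock);
    }
}
```

While a check is running, the password sits on the command line of `net.exe` and can be read by other processes on the server that are allowed to inspect it, and every failed attempt counts against the account's lockout policy.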
+2  A: 
VolkerK
A: 
Martin