views:

3040

answers:

4

I have the following code:

$bind = new COM("LDAP://CN=GroupName,OU=Groups,OU=Division,DC=company,DC=local");

When I execute it from a command-prompt, it runs fine. When it runs under IIS/PHP/ISAPI, it barfs.

Fatal error: Uncaught exception 'com_exception' with message 'Failed to create COM object `LDAP://CN=...[cut]...,DC=local':
An operations error occurred. ' in index.php
Stack trace:
  #0 index.php: com->com('LDAP://CN=...')
  #1 {main} thrown

IIS is configured for Windows Authentication (no anonymous, no basic, no digest) and I am connecting as the same user as the command prompt. I cannot find any specific errors in the IIS logfiles or the eventlog.

The main purpose of this exercise is to refrain from keeping user credentials in my script and relying on IIS authentication to pass them through to the active directory. I understand that you can use LDAP to accomplish the same thing, but as far as I know credentials cannot be passed through.

Perhaps it is in some way related to the error I get when I try to port it to ASP. I get error 80072020 (which I'm currently looking up).

The event logs show nothing out of the ordinary. No warnings, no errors. Full security auditing is enabled (success and failure on every item in the security policy), and it shows successful Windows logons for every user I authenticate against the web page (which is expected).

+2  A: 

Since you're using Windows Authentication in IIS, you may have some security events in the Windows Event log. I would check the Event log for Security Events as well as Application Events and see if you're hitting any sort of permissions issues.

Also, since you're basically just communicating to AD via LDAP... you might look into using a native LDAP library for PHP rather than a COM object.

You'll have to enable the extension probably in your php.ini. Worth looking at probably.

CodeRot
A: 

Well, if you want to use LDAP, let me point you to the LDAP authentication code we use for Maia Mailguard: look for the function named lauth_ldap.

I think it requires ldap version 3, so you have to set that parameter for ldap. To verify the password, we use the ldap bind function to let the ldap server authenticate.

DGM
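What CodeRot's and DGM's answers describe, as an added example (not code from the thread or from Maia Mailguard): PHP's native ldap extension with LDAPv3, letting the domain controller validate the password through a bind, and then checking membership of the group from the question's DN. The host dc01.company.local and the LDAPS URL are placeholders; everything else follows the DNs shown in the question.

```php
<?php
// Added example, not from the thread. Authenticates a user against AD with
// the native ldap extension and confirms membership of the question's group.
// Placeholder: the domain controller hostname. Use LDAPS so the password is
// not sent in the clear.
const LDAP_URL  = 'ldaps://dc01.company.local';
const BASE_DN   = 'DC=company,DC=local';
const UPN_SUFFIX = '@company.local';
const GROUP_DN  = 'CN=GroupName,OU=Groups,OU=Division,DC=company,DC=local';

function ldapAuthenticate(string $username, string $password): bool
{
    // ldap_bind() with an empty password performs an anonymous bind, which
    // succeeds against most directories. Refuse it before touching the server.
    if ($username === '' || $password === '') {
        return false;
    }
    // Only allow characters that cannot alter the UPN or the filter below.
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $username)) {
        return false;
    }

    $ldap = ldap_connect(LDAP_URL);
    if ($ldap === false) {
        return false;
    }
    // AD requires protocol version 3, as DGM notes; referral chasing off.
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Bind as the user in UPN form: the DC checks the password, so no
    // service-account credentials need to live in the script.
    $upn = $username . UPN_SUFFIX;
    if (@ldap_bind($ldap, $upn, $password) !== true) {
        ldap_unbind($ldap);
        return false;
    }

    // Confirm the bound user is a member of the group from the question.
    // ldap_escape() prevents filter injection even though the input is
    // already restricted above.
    $filter = sprintf('(&(userPrincipalName=%s)(memberOf=%s))',
        ldap_escape($upn, '', LDAP_ESCAPE_FILTER),
        ldap_escape(GROUP_DN, '', LDAP_ESCAPE_FILTER));
    $result = ldap_search($ldap, BASE_DN, $filter, ['dn']);
    $isMember = $result !== false && ldap_count_entries($ldap, $result) === 1;

    ldap_unbind($ldap);
    return $isMember;
}
```

Call `ldapAuthenticate($user, $pass)` from the login handler; a `true` result means the password was accepted by the DC and the account is a direct member of GroupName (nested membership would need a further search or the LDAP_MATCHING_RULE_IN_CHAIN filter).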
A: 

I'm no AD/COM/IIS expert, but it could be a permissions problem, e.g. the IUSR_computername user does not have applicable access within the directory, or you're not binding as a specific user?

The alarm bell for me is the fact it runs ok from command line (e.g. running with your permissions) but fails on IIS (e.g. not your permissions).

pobk
The IUSR account is not utilized in this scenario. In fact, I can make a connection to a database and it passes through the credentials (odbc_connect in PHP), so I have evidence that the authentication part is working.
Martin
+1  A: 

It seems to be working now.

I enabled "Trust this computer for delegation" for the computer object in Active Directory. Normally IIS cannot both authenticate you and then subsequently impersonate you across the network (in my case to a domain controller to query Active Directory) without the delegation trust enabled.

You just have to be sure that it's authenticating using Kerberos and not NTLM or some other digest authentication because the digest is not trusted to use as an impersonation token.

It fixed both my PHP and ASP scripts.

Martin