I have created some PHP-based intranet resources that require users to log in. The users create their own logins, and I verify that they are logged in using a cookie.
I’ve been asked if I can tie that login to their Windows login instead. My initial response was “a web page cannot access your Windows login – that would be a security risk.” But one of our departments uses Sharepoint, and it does in fact tie itself to the Windows login.
How is that done? Can I do it in PHP? If so, why is it not a horrible security hole?
What you are looking for is NTLM authentication against the PHP website, which is perfectly doable but seems there is no single way in PHP to do it.
You also need to add the sites to your trusted sites in IE (or the equivalent in whichever browser you are using) and in the settings for trusted sites, turn on ‘send current username and password’.
Its not a horrible security hole because the credentials are not sent en clair over the wire, and the end user has specifically told the browser to send credentials to the website in question.
PHP has LDAP support, so you can access Windows’ Active Directory
There is this project on SourceForge:
adLDAP – “LDAP Authentication with PHP for Active Directory”
Often times this is done using a combination of LDAP and NTLM. Browsers like IE and Firefox can do NTLM authentication, which I believe is how Sharepoint works. I run a Java-based portal application that uses LDAP for syncing users and NTLM for authentication.
What you absolutely do not want to do is have the user enter their domain username and password into the browser. In years past I’ve seen several projects using this approach with LDAP to authenticate Windows users. You’re correct, it is a security concern. The user should enter his or her password only once: when logging in to the workstation. The last thing you want are passwords sitting around in cache / temp files.
I apologize that I can not provide a “here’s how you do it with a PHP app” answer. As far as I know, there is no one answer to this problem.
(One thing I have done in the past, and I never really checked to see if it was valid or poor form, was to use PHP from IIS. If you’re using IIS, then PHP will populate the server variable REMOTE_USER with the Windows user’s username (DOMAIN\user). It worked for what I was doing at the time.)