PHP authenticate Windows account

11-29-2006, 02:31 AM
I posted a question in the ASP forum, but I really want to know your opinion in PHP because I'm more familiar with PHP than ASP.

I have a Windows 2003 standalone server. On this server I have some Windows accounts, and they all have passwords.
Now I have to create an intranet website on this server (IIS).
My question is: how can I use the accounts/passwords on the server to authenticate users through a PHP page? Users have to enter their identity, and the webpage logs the username and the time they log in.

Thanks so much.

11-30-2006, 01:09 AM
Hi mate,
I'm not certain if PHP is capable of doing this or not. I am leaning a little more toward the not side, simply because it would be a little bit of a security issue if a language such as PHP can access the usernames and passwords stored in a server environment. It may be just me, but I think that it would be a little silly to allow something like this.
Good luck though mate, let us know if you find a solution!

ralph l mayo
11-30-2006, 01:33 AM
If you're talking about an Active Directory server here then yes, you can do it, but it's not particularly pretty. Typically the logic flow is:

1. Connect and bind to the LDAP server. If your intranet allows anonymous read only access yay, otherwise you'll need to get a dummy account set up that can search.

2. Search to discover the dn (distinguished name). Typically the login name users give will be the SAMAccountName, so you'll need to search your tree by SAMAccountName. Talk to your sysadmin or fire up an LDAP browser if you don't know what your tree looks like. This step will tell you whether the user exists.

3. Drop the connection and attempt to bind with the dn you discovered and the password supplied, and the result will tell you whether the user is authenticated.

The part that sucks about this is that the binding ops don't understand hashing, so unless this is strictly hobby-grade development you're going to want to establish SSL/TLS, which see ldap_start_tls() or failing that ldap_sasl_bind().

Edited to include the relevant functions from the docs
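
The search-then-bind flow from the three steps above, as an added example that is not part of the original posts. The server URI, base DN, search account and the `LDAP_SEARCH_PW` environment variable are placeholder assumptions; it needs PHP 7 or later with the ldap extension.

```php
<?php
// Placeholders (assumptions): replace with your directory's real values.
const LDAP_URI  = 'ldap://dc.example.internal';
const BASE_DN   = 'DC=example,DC=internal';
const SEARCH_DN = 'CN=svc-websearch,CN=Users,DC=example,DC=internal';

function open_tls()
{
    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        throw new RuntimeException('invalid LDAP URI');
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); // StartTLS needs v3
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    // A simple bind sends the password as-is, so never continue without TLS.
    if (!@ldap_start_tls($conn)) {
        throw new RuntimeException('StartTLS failed');
    }
    return $conn;
}

function authenticate(string $login, string $password): bool
{
    // A bind with an empty password is treated as anonymous by many servers
    // and reports success, so reject it before touching the directory.
    if ($login === '' || $password === '') {
        return false;
    }
    // Steps 1-2: bind as the search account and look up the user's DN.
    $conn = open_tls();
    if (!@ldap_bind($conn, SEARCH_DN, (string) getenv('LDAP_SEARCH_PW'))) {
        throw new RuntimeException('search account bind failed');
    }
    // Escape the login so characters like * ( ) cannot alter the filter.
    $filter = '(sAMAccountName=' . ldap_escape($login, '', LDAP_ESCAPE_FILTER) . ')';
    $res = @ldap_search($conn, BASE_DN, $filter, ['cn'], 0, 2);
    $entries = $res ? ldap_get_entries($conn, $res) : ['count' => 0];
    ldap_unbind($conn);
    if ($entries['count'] !== 1) {
        return false; // unknown or ambiguous login
    }
    // Step 3: fresh connection, bind as the user with the supplied password.
    $conn = open_tls();
    $ok = @ldap_bind($conn, $entries[0]['dn'], $password);
    ldap_unbind($conn);
    return $ok;
}
```

Return the same failure response for an unknown user and a wrong password, so the login page does not reveal which accounts exist.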