
Not entirely sure whether to ask this question on StackOverflow (semi programming related) or here. I figure, as most of my question deals with server-side issues, I'll ask first on ServerFault. Please relocate the question if needed.

I have a website on IIS 6 written with PHP (FastCGI). The website is SSL secured and used internally and externally, with users logging into the site from each type of network. All users who need access to the site are in AD, and the current method works fine for authentication purposes. The current logon scenario is a standard page with an HTML form posting back username/PW to an LDAP authentication function. In this authentication, I populate a session variable (PHP) with a serialized array of the user's AD groups for use in other parts of the application. I must be able to retrieve a listing of the groups for use.

I have been tasked to make this system automatically log in a user if they are connecting to it from within the domain/network. With Integrated Authentication (only) enabled, this works fine, albeit with a few caveats I am trying to solve now. With integrated authentication, no password is crossing the wire (fine), but this renders my LDAP authentication function (which populates a variable with the user's AD groups) useless! I still NEED those groups for use in other parts of the application.

I have read a few articles and questions/answers on ServerFault/StackOverflow regarding integrated authentication, but I still have questions.

  • If a user tries to log in to the system from a computer that is not on the allowed domain, does IIS fall back to any other form of authentication or serve a 403?
  • Is there a way to get the 'Member of' attribute of a user (in PHP/other web scripting languages) without using `ldap_bind`, which requires a password (not sent with integrated logon; `ldap_get_entries` requires a previous search resource, which must be bound as above)?
  • Completely ignoring integrated authentication, the core question is: can a local intranet user be automatically logged into the website without prompting, while the non-intranet users are prompted for username/password (whether this is a standard login form web page or a popup from the browser)?

If the above answer is yes, an elaboration on HOW would be greatly appreciated.

PenguinCoder

1 Answer


We had a similar request come up for some applications at my old job. We solved it through the use of a special utility account that had enough rights to read group memberships, but that was about it. The application flow worked something like this:

  1. User hits the site.
  2. Integrated login happens.
  3. Backend code processes the login, and connects to AD with the programmed utility user.
  4. Backend code queries AD for the group memberships of the just-logged-in user.

At that point the group memberships are available to code. The key here is that it is a dedicated utility account doing the information fetching; the server is not impersonating the user the way you're doing now with basic auth.

sysadmin1138
  • Good answer, thanks for the reply. Could you elaborate a bit further on how you got the utility AD user to process the search/member groups of the 'just-logged-in user'? In my recent tests, with attempting to use the utility account, the `ldap_search` only returns the utility account's groups/attributes, regardless of username to search for. – PenguinCoder Sep 05 '12 at 20:57
  • @PenguinCoder We wrote in .net not php so the methods are completely different. – sysadmin1138 Sep 05 '12 at 21:22
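The four-step flow in the answer, written out in PHP as an added example (this is not code from the question, the answer, or any project; the answer's own implementation was .NET). It assumes a hypothetical domain corp.example.com with base DN DC=corp,DC=example,DC=com, a hypothetical read-only service account svc-webldap, a domain controller dc01.corp.example.com reachable over LDAPS, that IIS exposes the Windows-authenticated caller to PHP as REMOTE_USER or AUTH_USER in "DOMAIN\user" form, and PHP 7 or later. Two things it shows that the answer leaves implicit: the search is scoped by a filter on the target user's sAMAccountName under the domain base DN (searching relative to the bound account's own DN is one way to get back only the service account's attributes, as in the comment above), and the username taken from the server variables is escaped before it is spliced into an LDAP filter.

```php
<?php
// Added example, not from the original post: resolve the Windows-authenticated
// caller's AD groups with a dedicated read-only service account.
//
// Assumed (hypothetical) environment, adjust for yours:
//   - IIS Integrated Windows Authentication is enforced, so the caller arrives
//     in $_SERVER['REMOTE_USER'] (or AUTH_USER under FastCGI) as "DOMAIN\user".
//   - svc-webldap is a low-privilege account that can only read user/group objects.
//   - The domain is corp.example.com, base DN DC=corp,DC=example,DC=com.

const LDAP_URI     = 'ldaps://dc01.corp.example.com';   // LDAPS: the service-account bind carries a password
const LDAP_BASE_DN = 'DC=corp,DC=example,DC=com';
const SVC_BIND_DN  = 'CN=svc-webldap,OU=Service Accounts,DC=corp,DC=example,DC=com';
const SVC_PASSWORD = 'change-me';                        // read this from a file outside the web root in practice

// RFC 4515 escaping for values spliced into a search filter, so that a name
// such as "*)(objectClass=*" cannot rewrite the filter.
function ldap_filter_escape(string $value): string
{
    return strtr($value, [
        '\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00',
    ]);
}

// Reduce "DOMAIN\user" or "user@domain" to the bare sAMAccountName and check
// its shape before it gets anywhere near LDAP.
function sam_account_name_from_server_vars(array $server): string
{
    $raw = $server['REMOTE_USER'] ?? $server['AUTH_USER'] ?? '';
    if ($raw === '') {
        // Empty means IIS did not authenticate this request (e.g. anonymous access is still enabled).
        throw new RuntimeException('No authenticated user on this request');
    }
    $name = $raw;
    if (($p = strrpos($name, '\\')) !== false) {
        $name = substr($name, $p + 1);
    } elseif (($p = strpos($name, '@')) !== false) {
        $name = substr($name, 0, $p);
    }
    if (!preg_match('/^[A-Za-z0-9._-]{1,20}$/', $name)) {   // sAMAccountName is at most 20 characters
        throw new RuntimeException('Unexpected account name format');
    }
    return $name;
}

// Steps 3 and 4 of the answer: bind as the service account, look up the
// just-logged-in user, and return the names of the groups they belong to.
function ad_groups_for_user(string $sam): array
{
    $ld = ldap_connect(LDAP_URI);
    if ($ld === false) {
        throw new RuntimeException('ldap_connect failed');
    }
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ld, LDAP_OPT_REFERRALS, 0);   // AD hands out referrals that an anonymous follow-up would time out on

    if (!@ldap_bind($ld, SVC_BIND_DN, SVC_PASSWORD)) {
        throw new RuntimeException('service-account bind failed: ' . ldap_error($ld));
    }

    // Filter on the *target* user under the domain base DN. This is what makes the
    // search return the caller's object rather than the service account's own.
    $filter  = sprintf('(&(objectClass=user)(sAMAccountName=%s))', ldap_filter_escape($sam));
    $res     = ldap_search($ld, LDAP_BASE_DN, $filter, ['distinguishedName', 'memberOf']);
    $entries = ldap_get_entries($ld, $res);   // attribute names come back lowercased
    if ($entries['count'] !== 1) {
        ldap_unbind($ld);
        throw new RuntimeException("expected exactly one account for $sam, got {$entries['count']}");
    }
    $userDn = $entries[0]['distinguishedname'][0];

    // memberOf lists direct groups only. The LDAP_MATCHING_RULE_IN_CHAIN rule
    // (OID 1.2.840.113556.1.4.1941) asks AD to expand nested membership server-side.
    $chain  = sprintf('(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%s))',
                      ldap_filter_escape($userDn));
    $res    = ldap_search($ld, LDAP_BASE_DN, $chain, ['sAMAccountName']);
    $groups = ldap_get_entries($ld, $res);
    ldap_unbind($ld);

    $names = [];
    for ($i = 0; $i < $groups['count']; $i++) {
        $names[] = $groups[$i]['samaccountname'][0];
    }
    sort($names);
    return $names;
}

// Steps 1 and 2 happened in IIS; the app trusts only what IIS put into the server
// variables (a client-supplied header would show up as HTTP_*, not REMOTE_USER).
$sam    = sam_account_name_from_server_vars($_SERVER);
$groups = ad_groups_for_user($sam);

session_start();
session_regenerate_id(true);          // fresh session id once the identity is established
$_SESSION['username']  = $sam;
$_SESSION['ad_groups'] = $groups;     // a plain array; PHP serializes session data itself
```

Two caveats a practitioner would want: the user's primary group (normally Domain Users) is recorded in primaryGroupID, not in member/memberOf, so neither query above returns it; and the example throws rather than falling back when REMOTE_USER is empty, because an empty value means IIS accepted the request without authenticating it, which is the case the question's first bullet is worried about.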