I am running PHP, Apache, and Windows. I don't have a domain set up, so I'd like my website's forms-based authentication to use the local user accounts database built in to Windows (I think it's called SAM).
I know that when Active Directory is set up, you can use the PHP LDAP module to connect and authenticate in your script, but without AD there's no LDAP. What's the equivalent for standalone machines?
I haven't found a simple solution either. There are examples using CreateObject and the WinNT ADSI provider. But eventually they all bump into "User authentication difficulties with the Active Directory Service Interfaces WinNT provider". I am not 100% sure, but I guess the WSH/network connect approach has the same issue.
According to "How to validate user credentials on Microsoft operating systems" you need to use LogonUser or SSPI.
It also states
"LogonUser Win32 API does not require TCB privilege in Microsoft Windows Server 2003, however, for downlevel compatibility, this is still the best approach."
"On Windows XP, it is no longer required that a process have the SE_TCB_NAME privilege in order to call LogonUser. Therefore, the simplest method to validate a user's credentials on Windows XP, is to call the LogonUser API."
Therefore, if I were certain Win9x/2000 support isn't needed, I'd write an extension that exposes LogonUser to php.
You may also want to look at "User Authentication from NT Accounts". It uses the w32api extension, and needs a support dll ... I'd rather write that small LogonUser extension ;-)
If that's not feasible I'd probably look into the fastcgi module for IIS and how stable it is, and let IIS handle the authentication.
I have also tried to use System.Security.Principal.WindowsIdentity and php's com/.net extension. But the dotnet constructor doesn't seem to allow passing parameters to the object's constructor, and my "experiment" to get the assembly (and with it CreateInstance()) from GetType() has failed with an "unknown zval" error.
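One way to make the LogonUser call discussed above from PHP without writing a custom extension, using PHP's FFI extension (an added example, not code from this thread). It assumes 64-bit PHP 7.4 or later on Windows with FFI enabled for the SAPI in use; the function name `local_logon_ok` and the form field names are hypothetical.

```php
<?php
// Added example: validate a local (SAM) account by calling LogonUser through FFI.
// Assumptions: 64-bit PHP >= 7.4 on Windows, ffi.enable allows FFI::cdef here.
const LOGON32_LOGON_NETWORK    = 3; // credential check only, no interactive session
const LOGON32_PROVIDER_DEFAULT = 0;

function local_logon_ok(string $user, string $password): bool
{
    // Refuse empty values and embedded NULs (a C string would be cut short there).
    if ($user === '' || $password === ''
        || strpos($user . $password, "\0") !== false) {
        return false;
    }
    // Refuse names that carry a domain part, so the lookup stays on the
    // local account database selected by the "." domain below.
    if (strpbrk($user, "\\@/") !== false) {
        return false;
    }

    static $adv = null, $k32 = null;
    if ($adv === null) {
        // LogonUserA is the ANSI variant: non-ASCII passwords depend on the
        // system code page. Treat this as an ASCII-only check.
        $adv = FFI::cdef('
            typedef void *HANDLE;
            int LogonUserA(const char *user, const char *domain,
                           const char *password, uint32_t logonType,
                           uint32_t provider, HANDLE *token);
        ', 'advapi32.dll');
        $k32 = FFI::cdef('
            typedef void *HANDLE;
            int CloseHandle(HANDLE h);
        ', 'kernel32.dll');
    }

    $token = $adv->new('HANDLE');           // receives the logon token
    $ok = $adv->LogonUserA($user, '.', $password,
                           LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT,
                           FFI::addr($token));
    if ($ok === 0) {
        return false;                        // bad credentials or logon denied
    }
    $k32->CloseHandle($token);               // the token itself is not needed
    return true;
}

// Usage from the form handler (field names are hypothetical):
// $authenticated = local_logon_ok($_POST['user'] ?? '', $_POST['pass'] ?? '');
```

Each failed call is a real failed logon for that account, so it counts toward the machine's account lockout policy; rate-limit the login form accordingly.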
I have given this some thought... and I can't think of a good solution. What I can think of is a horrible, horrible hack that just might work. Seeing that nobody has posted an answer to this for nearly a day, I figured a bad, but working answer would be ok.
The SAM file is off limits while the system is running. There are some DLL injection techniques which you may be able to get working, but ultimately you'll just end up with password hashes and you'd have to hash the user-provided passwords to match against them anyway.
What you really want is something that tries to authenticate the user against the SAM file. I think you can do this by doing something like the following.
- Create a File Share on the server and make it so that only the accounts you want to be able to log in are granted access to it.
- In PHP use the system command to invoke a wsh script that: mounts the share using the password the website user provides, records whether it works, and then unmounts the drive if it does.
- Collect the result somehow. The result can be returned to php either on the stdout of the script, or hopefully using the return code of the script.
I know it's not pretty, but it should work.
I feel dirty :
Edit: the reason for invoking the external wsh script is that PHP doesn't allow you to use UNC paths (as far as I can remember).