I have PHP 5.6.17 and Apache 2.4.10 running on Debian 8.
I want to populate the PHP variable $_SERVER['REMOTE_USER'] with the Windows username, to log in the user if the username is in my database. I'm comfortable with the security risks involved in this method, as this will only be exposed on a local network.
Here is what I did in my Apache vhost definition:
<LocationMatch "/login/ssologin">
    PerlAuthenHandler Apache2::AuthenNTLM
    AuthBasicAuthoritative on
    AuthType ntlm
    AuthName "hello"
    Require valid-user
    PerlAddVar ntdomain "my.local"
    PerlSetVar defaultdomain my.local
    PerlSetVar splitdomainprefix 1
    PerlSetVar ntlmauthoritative off
    PerlSetVar ntlmdebug 1
</LocationMatch>
I put the URL into the trusted sites on Internet Explorer, but I was still prompted for basic authentication.
What did I miss?
My only goal is to get the username of the Windows session. Is there another, easier way?
First, your ntdomain is incomplete. According to the documentation, the variable is set like this:
PerlAddVar ntdomain "my.local PDC_NAME BDC_NAME"
Without a domain controller to authenticate against, the valid-user requirement can never be met.
Second, Apache2::AuthenNTLM does not support NTLM version 2 authentication.
Since Windows Vista and Server 2008, NTLM version 2 has been used exclusively. Previous versions of Windows would fall back to version 1 if the server did not support version 2. Although you can modify the security policy to revert to the old behaviour, this is very dangerous.
As mentioned in this answer, there is a Python module that handles NTLM version 2 authentication. Obviously this will require installation of mod_python, but it is fairly simple to configure.
Finally, configuring automatic login requires more than adding the site to the Trusted Sites list. You should put it in the Intranet zone, and ensure that automatic login is enabled for this zone (e.g. medium-low security settings).
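Once the NTLM handler is working, the PHP side still has to treat REMOTE_USER carefully before matching it against the database the question mentions. The following PHP 5.6-compatible snippet is an added example, not code from the question or the answer; the PDO connection and the users(id, username) table are hypothetical, and it assumes Apache has already authenticated the request (with splitdomainprefix the DOMAIN\ prefix should already be stripped, but both prefixed forms are handled anyway).

```php
<?php
// Added example (not from the original question or answer): map the
// REMOTE_USER set by Apache's NTLM handler to a local account safely.
// Hypothetical: $pdo is an open PDO connection, table users(id, username).

/**
 * Normalise REMOTE_USER to a plain account name, or return null if it is
 * not something we are willing to look up. Handles "DOMAIN\user" and
 * "user@domain" in case splitdomainprefix did not strip the prefix.
 */
function normalizeRemoteUser($remoteUser)
{
    // "DOMAIN\user" -> "user"
    $pos = strrpos($remoteUser, '\\');
    if ($pos !== false) {
        $remoteUser = substr($remoteUser, $pos + 1);
    }
    // "user@domain" -> "user"
    $pos = strpos($remoteUser, '@');
    if ($pos !== false) {
        $remoteUser = substr($remoteUser, 0, $pos);
    }
    // Windows account names are case-insensitive; store and compare lowercase.
    $remoteUser = strtolower($remoteUser);
    // Accept only plain SAM-style names; reject empty or odd values outright.
    if (!preg_match('/^[a-z0-9._-]{1,64}$/', $remoteUser)) {
        return null;
    }
    return $remoteUser;
}

/**
 * Log the Windows user in if, and only if, the normalised name exists
 * in the local users table. Returns true on success.
 */
function loginFromRemoteUser(PDO $pdo)
{
    if (empty($_SERVER['REMOTE_USER'])) {
        return false; // Apache did not authenticate this request
    }
    $user = normalizeRemoteUser($_SERVER['REMOTE_USER']);
    if ($user === null) {
        return false;
    }
    // Prepared statement: the name never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT id FROM users WHERE username = :u');
    $stmt->execute(array(':u' => $user));
    $id = $stmt->fetchColumn();
    if ($id === false) {
        return false; // valid Windows user, but not a known local account
    }
    session_start();
    session_regenerate_id(true); // fresh session ID at login
    $_SESSION['user_id'] = (int) $id;
    return true;
}
```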