topic Passing IIS Windows Authentication details from PHP login page to secured services in ArcGIS JavaScript Maps SDK Questions

Passing IIS Windows Authentication details from PHP login page to secured services

Anonymous User — Wed, 23 Apr 2014 16:47:10 GMT

I am using a PHP login page (in front of a map application) using Windows Authentication through IIS 7.5, and Active Directory manages the allowed users and their credentials. This login page starts a PHP Session to unlock all subsequent secure sites. However our web services need to be secured through our ArcGIS Server, so as users move onward they will be challenged for credentials again by the ArcGIS Server.

I am a newb and stuck at how the 'Negotiate' authentication from IIS (on the PHP site) can be used to also unlock the 'Web Tier' authentication on the ArcGIS Server so that users only enter their credentials once on the initial login page. This will be necessary for users not on the intranet. Is it possible? Maybe I should use this approach: hard code token.

Thanks for any thoughts!

Re: Passing IIS Windows Authentication details from PHP login page to secured service

RaymondGoins — Thu, 24 Apr 2014 11:52:48 GMT

Do you have any code for this as of yet?? If you do please post. I am an experience PHP coder and should be able to help.

Ray

*EDIT*

try taking a look here
http://www.iis.net/learn/application-frameworks/install-and-configure-php-on-iis/enable-php-applications-to-make-application-level-access-control-decisions

Re: Passing IIS Windows Authentication details from PHP login page to secured service

Anonymous User — Sat, 11 Dec 2021 09:40:11 GMT

This is the login page. I am stuck at where to capture login information that IIS passes back during Windows Authentication:

<!DOCTYPE html>
<html>
 <head>
  <title>Secure Access</title>
 </head>

 <body>
  <?php
  // Start session to track this users identity
  session_start();
  // Make sure they aren't already in a session; if so, redirect to GIS Home
  // IWP_loggedIn is boolean, 'true'; if there is a session, credentials are already stored
  if ($_SESSION['IWP_loggedIn']) {
   // Redirect to the secure content (ArcGIS JavaScript app with secured ArcGIS Server services)
   // header("Location: http://example.com/gis.php");
   // TEST MODE: print the authorized user name
   echo $_SERVER['LOGON_USER'];
   // Make sure that code below does not get executed when we redirect
   exit();

  } else {
   // If no session is started and no authentication has been performed
   if (empty($_SERVER["LOGON_USER"])) {
    // If user is not in intranet, or browser is not enabled for SSO
    // IIS/browser prompt for credentials; this message is a stand-in for now
    echo "<h1>Please login with your credentials to access GIS data</h1>";
    // Create session logged-in variable to track user
    $_SESSION['IWP_loggedIn'] = TRUE;
    // Store credentials (how do I pass on username/password or key to the next site?)
    $_SESSION["IWPUser"] = $_SERVER["LOGON_USER"];
    //Redirect, credentials passed via PHP session
    // header("Location: http://example.com/gis.php");
    // TEST MODE: print the authorized user name
    echo $_SERVER['LOGON_USER'];
    // Make sure that code below does not get executed when we redirect
    exit();
    }

   // If user is on intranet and browser is enabled for SSO, automatic login occurs
   // "LOGON USER" field will be filled, auto-redirect to map
   if (!empty($_SERVER["LOGON_USER"])) {
    echo "Oh Joy!!!";
    // Create session logged-in variable to track user
    $_SESSION['IWP_loggedIn'] = TRUE;
    // Store credentials (how do I pass on username/password or key to the next site?)
    $_SESSION["IWPUser"] = $_SERVER["LOGON_USER"];
    // Redirect, credentials passed via PHP session
    // header("Location: http://example.com/gis.php");
    // TEST MODE: print the authorized user name
    echo $_SERVER['LOGON_USER'];
    // Make sure that code below does not get executed when we redirect
    exit();
   }
  }
  ?>
 </body>
</html>

Re: Passing IIS Windows Authentication details from PHP login page to secured service

Anonymous User — Sat, 11 Dec 2021 09:40:14 GMT

This is the PHP snippet in front of each JavaScript app with secured services. This code is to prevent users from directly typing in the app url and getting to the map instead of going through the login page. I need to add in an authentication part.

<?php
// Start session to track this users identity
session_start();
// Make sure they are logged in, if not redirect to login
// IWP_loggedIn is boolean, 'true'
if (!$_SESSION['IWP_loggedIn']) {
 // Redirect to the secure content
 header("Location: http://example.com/login.php");
 // Make sure that code below does not get executed when we redirect
 exit();
}
else {
 //talk to ArcGIS Server/Web Adaptor to tell it the users credentials
}
?>

Re: Passing IIS Windows Authentication details from PHP login page to secured service

Anonymous User — Thu, 24 Apr 2014 15:19:35 GMT

Raymond the link you provided as been very helpful, I think I need to be looking into Forms Authentication (not Windows)

Re: Passing IIS Windows Authentication details from PHP login page to secured service

RaymondGoins — Fri, 25 Apr 2014 13:16:13 GMT

We don't use a windows domain here but after some reading it seems the best solution is to use ldap. PHP requires you just un-comment the ldap.dll in php.ini and ldap is on by default in active directory. That being said I would put my functions in a separate file so that they may be used throughout your application.

functions.php
[PHP]
function login_check()
{
if (isset($_SESSION['IWP_loggedIn']) && $_SESSION['IWP_loggedIn'] === true && isset($_SESSION["IWPUser"])) {
    return true;
} else {
   return false;
}
}

function do_login($username, $password, $redirect)
{
$un = $username; // This may need to change. you may have to append the domain ie. mydomain\username
$pw = $password;
if(empty($un)) {
    header("Location: http://example.com/login.php?error=Username cannot be blank");
    exit();
}
if(empty($pw)) {
    header("Location: http://example.com/login.php?error=Username cannot be blank");
    exit();
}
$server = "ldaps://yourservernamehere"; //IP or name of server here
//echo $server;
if (!($ldap = ldap_connect($server))) {
    header("Location: http://example.com/login.php?error=Could Not Connect To Server"); // can change these error messages
    exit();
}
if (!ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3)) {
    header("Location: http://example.com/login.php?error=Could Not Connect To Server");
    exit();
}
if (!($res = @ldap_bind($ldap, $un, $pw))) {
    header("Location: http://example.com/login.php?error=Could Not Connect To Server");
    exit();
} else {
    $_SESSION['IWP_loggedIn'] = true;
    $_SESSION["IWPUser"] = $username;
    header("Location: ".$redirect);
}
}

function do_logout($redirect)
{
session_destroy();
header("Location: ".$redirect);
}[/PHP]

now you can require this file at the top of all your pages so that the functions can be used.
login.php
[HTML]<?php
$error = isset($_GET['error']) ? $_GET['error'] : "";
?>

<style type="text/css">
/* Login Form style */
#loginform {
font-size: 14px;
text-align: center;
width: 480px;
position: fixed;
/*display: none;*/
background-color: #EEEEEE;
border-radius: 13px;
border: 2px solid #3399CC;
top: 40%;
left: 36%;
z-index: 200;
box-shadow: 10px 10px 10px black;
}

#loginform .form_header
{
border-top-left-radius: 10px;
border-top-right-radius: 10px;
border-bottom: none;
width: 480px;
height: 30px;
line-height: 19px;
vertical-align: middle;
background-color: #3399CC;
text-decoration: none;
font-family: Times New Roman, Serif;
font-weight: 900;
font-size: 18px;
text-align: left;
padding-top: 5px;
color:   #FFFFFF;
cursor: default;
}

#loginform .form_body
{
width: 400px;
border: 1px solid black;
background-color: #FFFFFF;
}

#loginform .status
{
width: 400px;
margin: 10px auto 0 auto;
}

#loginform input {
margin: 5px;
padding: 0px;
float: left;
border: 1px solid #cdcdcd;
background-color: white;
border-radius: 2px;
}

/* 'Login' Button */
#submit {
margin: 5px;
padding: 0px;
float: left;
width: 50px;
background-color: white;
}
</style>
<div id="loginform" style="" >
<div class="form_header" id="popup_drag" >
    <span style="margin-left:5px;">Employee Login</span>
</div>
<div class="status">
    <fieldset>
    <legend align="center">Authentication</legend>
    <form id="login" name="login" method="post" action="/do_login.php" >
      <input type="hidden" name="redirect" value="/gis"/>
      <table align="center" width="300" border="0">
      <tr>
        <td width="80">Username</td>
        <td><input id="name" type="text" name="username"></td>
      </tr>
      <tr>
        <td>Password</td>
        <td><input type="password" name="password"></td>
      </tr>
      <tr>
        <td> </td>
        <td><input id="submit" class="login-submit" type="submit" name="submit" value="Login"></td>
      </tr>
      </table>
    </form>
    </fieldset>
</div><br><span style="color:red;"><?php echo $error;?></span>
</div>[/HTML]

do_login.php
[PHP]
session_start();
require('functions.php');
// Process login
$postdata = $_POST;
do_login($postdata['username'], $postadat['password'], $postdata['redirect']);[/PHP]
Very simple. You can add in some messages if you like.

Then at the top of all your pages just run a login check
[PHP]session_start();
require('functions.php');
if(login_check() === false)
{
header("Location: http://example.com/login.php");
exit();
} else {
// rest of your page below
}
[/PHP]

I have not tested every part of this but once you implement it you can post any errors here and I will help out best I can.
Don't forget to start all your pages with session_start(); just incase I forgot to add it to any of the pages. Also remember to change all your header locations.

Hope that gets you going.

Ray

Re: Passing IIS Windows Authentication details from PHP login page to secured service

Anonymous User — Mon, 28 Apr 2014 18:02:26 GMT

Ray that's great, I really appreciate it. I might use this and skip trying to auto-authenticate via Windows, just to simplify.

The login is working but I'm having trouble carrying the session variables over. When I put the PHP code in front of a protected website to run the 'login_check' function, I am able to log in (login.php) and get redirected back to the page but the $_SESSION is empty (it's failing at 'login_check' function), and I am then routed back to login again. I put 'session_start()" at the top of every page now, but its not seeming to store it.

Re: Passing IIS Windows Authentication details from PHP login page to secured service

RaymondGoins — Mon, 28 Apr 2014 18:42:41 GMT

Not sure if you copied and pasted everything but looking through my code I made a typo. 😞

do_login.php
[PHP]session_start();
require('functions.php');
// Process login
$postdata = $_POST;
do_login($postdata['username'], $postdata['password'], $postdata['redirect']);[/PHP]

This actually sends you in a loop because you would never get authenticated so the session is never set and you end up on the login page forever.

Let me know.

Ray

Re: Passing IIS Windows Authentication details from PHP login page to secured service

RaymondGoins — Mon, 28 Apr 2014 18:44:36 GMT

Also you do not need to put session_start() at the top of the functions.php page. since this is a required page the session has already been started by the parent page.

Ray

Re: Passing IIS Windows Authentication details from PHP login page to secured service

Anonymous User — Mon, 28 Apr 2014 18:46:14 GMT

I did catch that typo. I don't see the problem...If I don't redirect and just echo out the $_SESSION["IWPUser"] at the end of the login function, it shows up fine. As soon as I try to pass it to another page it disappears.

Re: Passing IIS Windows Authentication details from PHP login page to secured service

RaymondGoins — Mon, 28 Apr 2014 18:50:09 GMT

Very weird. There is no need to pass session variables to other pages. As long as the session has been started you should be able to view them simply by calling them. can you post a bit of your code so I can take a look?

Ray

Re: Passing IIS Windows Authentication details from PHP login page to secured service

RaymondGoins — Mon, 28 Apr 2014 19:02:48 GMT

I just remembered another thing. You should make sure the path to the session data is writable by the server.

To find out the path you can run the phpinfo() function. A short ways down should be a section which looks like the image attached. go to the path and make sure the IUSR account has write access. Also since you will be using a php form and ldap to authenticate you should shut off windows authentication in the web server and use anonymous authentication.

You can change these values in the php.ini file. Don't forget to restart IIS to have them take effect.

Ray

Re: Passing IIS Windows Authentication details from PHP login page to secured service

Anonymous User — Sat, 11 Dec 2021 09:40:16 GMT

functions.php (this version stops and prints out the username if login is successful):

<?php
function login_check() {

 if (isset($_SESSION['IWP_loggedIn']) && $_SESSION['IWP_loggedIn'] === true && isset($_SESSION["IWPUser"])) {
  return true;
 } else {
  return false;
 }
}

function do_login($username, $password, $redirect) {

 $un = 'DOMAIN\\' . $username;
 // Needs the domain ie. mydomain\username
 $pw = $password;
 if (empty($un)) {
  header("Location: http://example.com/sandboxPHP/login.php?error=Username cannot be blank");
  exit();
 }
 if (empty($pw)) {
  header("Location: http://example.com/sandboxPHP/login.php?error=Password cannot be blank");
  exit();
 }
 $server = "example.com";
 //IP or name of server here
 if (!($ldap = ldap_connect($server))) {
  header("Location: http://example.com/sandboxPHP/login.php?error=Could Not Connect To Server");
  // can change these error messages
  exit();
 }
 if (!ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3)) {
  header("Location: http://example.com/sandboxPHP/login.php?error=Protocol Error with LDAP");
  exit();
 }
 if (!($res = @ldap_bind($ldap, $un, $pw))) {
  header("Location: http://example.com/sandboxPHP/login.php?error=Bind Error with LDAP");
  exit();
 } else {
  $_SESSION["IWP_loggedIn"] = true;
  $_SESSION["IWPUser"] = $un;
  // Make sure to use appended username with Domain
  echo $_SESSION["IWPUser"];
  //header("Location: " . $redirect);
 }
}

function do_logout($redirect) {
 session_destroy();
 header("Location: " . $redirect);
}
?>

Code before protected page:

<?php 
session_start(); 
echo $_SESSION["IWPUser"];

require('functions.php'); 
if(login_check() === false) 
{
echo 'issue'; 
 
  //header("Location: "); 
  exit(); 
} else { 
// rest of your page below 
}  ?>

Re: Passing IIS Windows Authentication details from PHP login page to secured service

Anonymous User — Mon, 28 Apr 2014 21:37:17 GMT

Folder permissions seem fine. The only way I got it to work was to give a session_id in the 'do_login.php' page, and then when I open a protected page call the session_id before starting the session. Otherwise, the protected page starts a new session, rather than resuming/continuing the session from previous pages. I have no idea what I have done to cause this.

* And yes, I have it set to anonymous

Re: Passing IIS Windows Authentication details from PHP login page to secured service

RaymondGoins — Tue, 29 Apr 2014 11:16:11 GMT

Add this to the top of your pages and see what you get.
[PHP]ini_set ("display_errors", "1");
error_reporting(E_ALL);[/PHP]

let me know if any error show.

Ray

Re: Passing IIS Windows Authentication details from PHP login page to secured service

Anonymous User — Fri, 09 May 2014 14:53:03 GMT

Sorry for the delay - no warning messages. I made a test redirecting between two basically blank pages, and it seems the issue was a setting in my php.ini file regarding cookies. Last night before leaving work I made some changes, and this morning the sessions are remaining open between header redirects. I think I had it set to not use cookies.

***
edit: Yes, apologies if this is a PHP no-brainer but specifically if in php.ini file 'session.use_cookies = 0', then the session is not saved between page redirects (Chrome, IIS 7.5)