
Passing IIS Windows Authentication details from PHP login page to secured services

04-23-2014 09:47 AM
by Anonymous User
Not applicable
I am using a PHP login page (in front of a map application) using Windows Authentication through IIS 7.5, and Active Directory manages the allowed users and their credentials. This login page starts a PHP session to unlock all subsequent secure sites. However, our web services need to be secured through our ArcGIS Server, so as users move onward they will be challenged for credentials again by the ArcGIS Server.

I am a newb and stuck at how the 'Negotiate' authentication from IIS (on the PHP site) can be used to also unlock the 'Web Tier' authentication on the ArcGIS Server so that users only enter their credentials once on the initial login page. This will be necessary for users not on the intranet. Is it possible? Maybe I should use this approach: hard code token.

Thanks for any thoughts!
0 Kudos
15 Replies
RaymondGoins
Occasional Contributor
Very weird. There is no need to pass session variables to other pages. As long as the session has been started, you should be able to view them simply by calling them. Can you post a bit of your code so I can take a look?

Ray
0 Kudos
RaymondGoins
Occasional Contributor
I just remembered another thing. You should make sure the path to the session data is writable by the server.

To find out the path you can run the phpinfo() function. A short way down should be a section which looks like the image attached. Go to the path and make sure the IUSR account has write access. Also, since you will be using a PHP form and LDAP to authenticate, you should shut off Windows authentication in the web server and use anonymous authentication.

You can change these values in the php.ini file. Don't forget to restart IIS to have them take effect.

Ray
0 Kudos
by Anonymous User
Not applicable
functions.php (this version stops and prints out the username if login is successful):
<?php
function login_check() {

 if (isset($_SESSION['IWP_loggedIn']) && $_SESSION['IWP_loggedIn'] === true && isset($_SESSION["IWPUser"])) {
  return true;
 } else {
  return false;
 }
}

function do_login($username, $password, $redirect) {

 // Check the raw username: once the DOMAIN\ prefix is added, $un is never empty
 if (empty($username)) {
  header("Location: http://example.com/sandboxPHP/login.php?error=Username cannot be blank");
  exit();
 }
 $un = 'DOMAIN\\' . $username;
 // Needs the domain, i.e. mydomain\username
 $pw = $password;
 if (empty($pw)) {
  header("Location: http://example.com/sandboxPHP/login.php?error=Password cannot be blank");
  exit();
 }
 $server = "example.com";
 //IP or name of server here
 if (!($ldap = ldap_connect($server))) {
  header("Location: http://example.com/sandboxPHP/login.php?error=Could Not Connect To Server");
  // can change these error messages
  exit();
 }
 if (!ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3)) {
  header("Location: http://example.com/sandboxPHP/login.php?error=Protocol Error with LDAP");
  exit();
 }
 if (!($res = @ldap_bind($ldap, $un, $pw))) {
  header("Location: http://example.com/sandboxPHP/login.php?error=Bind Error with LDAP");
  exit();
 } else {
  $_SESSION["IWP_loggedIn"] = true;
  $_SESSION["IWPUser"] = $un;
  // Make sure to use appended username with Domain
  echo $_SESSION["IWPUser"];
  //header("Location: " . $redirect);
 }
}

function do_logout($redirect) {
 session_destroy();
 header("Location: " . $redirect);
}
?>


Code before protected page:
<?php
session_start();
echo $_SESSION["IWPUser"];

require('functions.php');
if (login_check() === false) {
 echo 'issue';
 //header("Location: ");
 exit();
} else {
 // rest of your page below
}
?>
0 Kudos
by Anonymous User
Not applicable
Folder permissions seem fine. The only way I got it to work was to give a session_id in the 'do_login.php' page, and then when I open a protected page call the session_id before starting the session. Otherwise, the protected page starts a new session, rather than resuming/continuing the session from previous pages. I have no idea what I have done to cause this.

* And yes, I have it set to anonymous
0 Kudos
RaymondGoins
Occasional Contributor
Add this to the top of your pages and see what you get.
[PHP]ini_set ("display_errors", "1");
error_reporting(E_ALL);[/PHP]

Let me know if any errors show.

Ray
0 Kudos
by Anonymous User
Not applicable
Sorry for the delay - no warning messages. I made a test redirecting between two basically blank pages, and it seems the issue was a setting in my php.ini file regarding cookies. Last night before leaving work I made some changes, and this morning the sessions are remaining open between header redirects. I think I had it set to not use cookies.

***
Edit: Yes, apologies if this is a PHP no-brainer, but specifically: if 'session.use_cookies = 0' is set in the php.ini file, then the session is not saved between page redirects (Chrome, IIS 7.5).
0 Kudos
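
The php.ini cookie setting in the last post and the manual session_id workaround in the earlier one both concern how PHP carries the session ID between pages. As an added example that is not part of the thread, this script audits the session directives involved and regenerates the ID at login; `audit_session_ini` and `mark_logged_in` are hypothetical names, and the wanted values are a hardening baseline assumed here.

```php
<?php
// Added example, not code from the thread.

/** Compare session directives against the values a cookie-based login needs. */
function audit_session_ini(array $ini): array
{
    // Keys are real php.ini directives; true/false is the wanted setting.
    $wanted = [
        'session.use_cookies'      => true,  // off: ID is never sent, session lost on redirect
        'session.use_only_cookies' => true,  // ignore session IDs supplied in the URL
        'session.use_trans_sid'    => false, // do not rewrite links with the session ID
        'session.use_strict_mode'  => true,  // reject IDs the server did not issue
        'session.cookie_httponly'  => true,  // hide the cookie from page scripts
    ];
    $findings = [];
    foreach ($wanted as $key => $want) {
        // ini_get() returns "1", "0", "" or "On"/"Off"; normalise to bool.
        $have = filter_var($ini[$key] ?? '', FILTER_VALIDATE_BOOLEAN);
        if ($have !== $want) {
            $findings[] = sprintf('%s should be %s', $key, $want ? 'On' : 'Off');
        }
    }
    return $findings;
}

/** Call after a successful ldap_bind(); needs session_start() beforehand. */
function mark_logged_in(string $user): void
{
    session_regenerate_id(true);       // fresh ID at login, old one deleted
    $_SESSION['IWP_loggedIn'] = true;  // keys used by login_check() in the thread
    $_SESSION['IWPUser'] = $user;
}

// Constructed sample: the misconfiguration reported in the thread.
$broken = [
    'session.use_cookies'      => '0',
    'session.use_only_cookies' => '1',
    'session.use_trans_sid'    => '0',
    'session.use_strict_mode'  => '0',
    'session.cookie_httponly'  => '',
];
print_r(audit_session_ini($broken));

// Live values of the same directives on the server running this script.
$live = [];
foreach (array_keys($broken) as $key) {
    $live[$key] = ini_get($key);
}
print_r(audit_session_ini($live));
```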