NTLM 身份验证 - 在 PHP 中获取 Windows 登录名、域和主机 [英] NTLM Authentication - Get Windows login, domain and host in PHP
问题描述
我正在开发单点登录 (SSO) PHP 应用程序.
用户登录他们的 Windows 会话,并且他们希望使用他们的 Windows 帐户(与 LDAP Active Directory 连接)自动登录应用程序.
I am working on a Single Sign-On (SSO) PHP application.
Users log in their Windows session, and they want to be automatically logged in the application with their Windows account (connected with LDAP Active Directory).
我试过这个脚本:
<?php
$headers = apache_request_headers(); // Récupération des l'entêtes client
if (@$_SERVER['HTTP_VIA'] != NULL){ // nous verifions si un proxy est utilisé : parceque l'identification par ntlm ne peut pas passer par un proxy
echo "Proxy bypass!";
} elseif(!isset($headers['Authorization'])) { //si l'entete autorisation est inexistante
header( "HTTP/1.0 401 Unauthorized" ); //envoi au client le mode d'identification
header( "WWW-Authenticate: NTLM" ); //dans notre cas le NTLM
exit; //on quitte
}
if(isset($headers['Authorization'])) //dans le cas d'une authorisation (identification)
{
if(substr($headers['Authorization'],0,5) == 'NTLM '){ // on vérifit que le client soit en NTLM
$chaine=$headers['Authorization'];
$chaine=substr($chaine, 5); // recuperation du base64-encoded type1 message
$chained64=base64_decode($chaine); // decodage base64 dans $chained64
if(ord($chained64{8}) == 1){
// |_ byte signifiant l'etape du processus d'identification (etape 3)
// verification du drapeau NTLM "0xb2" à l'offset 13 dans le message type-1-message (comp ie 5.5+) :
if (ord($chained64[13]) != 178){
echo "NTLM Flag error!";
exit;
}
$retAuth = "NTLMSSP".chr(000).chr(002).chr(000).chr(000).chr(000).chr(000).chr(000).chr(000);
$retAuth .= chr(000).chr(040).chr(000).chr(000).chr(000).chr(001).chr(130).chr(000).chr(000);
$retAuth .= chr(000).chr(002).chr(002).chr(002).chr(000).chr(000).chr(000).chr(000).chr(000);
$retAuth .= chr(000).chr(000).chr(000).chr(000).chr(000).chr(000).chr(000);
$retAuth64 =base64_encode($retAuth); // encode en base64
$retAuth64 = trim($retAuth64); // enleve les espaces de debut et de fin
header( "HTTP/1.0 401 Unauthorized" ); // envoi le nouveau header
header( "WWW-Authenticate: NTLM $retAuth64" ); // avec l'identification supplémentaire
exit;
} else if(ord($chained64{8}) == 3) {
// |_ byte signifiant l'etape du processus d'identification (etape 5)
// on recupere le domaine
$lenght_domain = (ord($chained64[31])*256 + ord($chained64[30])); // longueur du domain
$offset_domain = (ord($chained64[33])*256 + ord($chained64[32])); // position du domain.
$domain = str_replace("\0","",substr($chained64, $offset_domain, $lenght_domain)); // decoupage du du domain
//le login
$lenght_login = (ord($chained64[39])*256 + ord($chained64[38])); // longueur du login.
$offset_login = (ord($chained64[41])*256 + ord($chained64[40])); // position du login.
$login = str_replace("\0","",substr($chained64, $offset_login, $lenght_login)); // decoupage du login
$lenght_host = (ord($chained64[47])*256 + ord($chained64[46]));
$offset_host = (ord($chained64[49])*256 + ord($chained64[48]));
$host = str_replace("\0","",substr($chained64, $offset_host, $lenght_host));
if ( $login != NULL){
echo $login;
} else {
echo "NT Login empty!";
}
}
}
}
?>
此脚本正在处理此配置:
This script is working on this configuration :
- Windows 服务器 2003
- 带有 mod_auth_sspi 模块的 Apache 2.2
但是现在我需要在这个配置上实现它并且它不起作用:
But now I need to implement this on this configuration and it does not work :
- Windows 服务器 2008
- 带有模块 mod_authnz_sspi 的 Apache 2.4.6
由于这种情况,我不断收到NTLM 标志错误!":
I keep getting "NTLM Flag error!", because of this condition :
if (ord($chained64[13]) != 178){
echo "NTLM Flag error!";
exit;
}
我试过了:
if (ord($chained64[13]) != 130){
因为 ord($chained64[13]) 返回 130,但我不能在这种情况下进入:
because ord($chained64[13]) returns 130, but I can not go in this condition :
} else if(ord($chained64{8}) == 3) {
$lenght_domain = (ord($chained64[31])*256 + ord($chained64[30])); // longueur du domain
$offset_domain = (ord($chained64[33])*256 + ord($chained64[32])); // position du domain.
$domain = str_replace("\0","",substr($chained64, $offset_domain, $lenght_domain)); // decoupage du du domain
//le login
$lenght_login = (ord($chained64[39])*256 + ord($chained64[38])); // longueur du login.
$offset_login = (ord($chained64[41])*256 + ord($chained64[40])); // position du login.
$login = str_replace("\0","",substr($chained64, $offset_login, $lenght_login)); // decoupage du login
$lenght_host = (ord($chained64[47])*256 + ord($chained64[46]));
$offset_host = (ord($chained64[49])*256 + ord($chained64[48]));
$host = str_replace("\0","",substr($chained64, $offset_host, $lenght_host));
if ( $login != NULL){
echo $login;
} else {
echo "NT Login empty!";
}
}
因为 ord($chained64{8}) 总是返回 1.
Because ord($chained64{8}) always returns 1.
编辑 2015-05-11:
Edit 2015-05-11 :
我尝试在 php 中执行 'whoami' 命令,如下所示:
echo exec('whoami');-> 当我在 cmd.exe 中执行此命令时,我得到当前登录的用户,但是当我在 PHP 中执行它时,我得到了 nt_authority/system.
I tried executing the 'whoami' command in php, like this :
echo exec('whoami');-> when I execute this command in cmd.exe, I get the current logged user, but when I execute it in PHP, I get nt_authority/system.
我认为当 PHP 执行 'whoami' 命令时,Windows 会检查 Apache 服务的登录信息.我进入 Apache 属性,在登录"选项卡中,以 Active Directory 的有效用户身份登录.但是,当 PHP 执行 echo exec('whoami'); 时,我只得到用于 Apache 的登录名,而不是当前用户.
I supposed that when PHP executes the 'whoami' command, Windows checks the login of Apache service. I went into Apache properties, in the 'Log On' tab, to log on as a valid user of the Active Directory. But then, when PHP executes echo exec('whoami');, I only get the login used for Apache, and not the current user.
我使用 Internet Explorer 8 来执行 PHP 脚本.
I am using Internet Explorer 8 to execute the PHP script.
我的 Apache httpd.conf 中有这个(_PATH_ 是我的 php 文件的路径,也许这是错误的?):
I have this in my Apache httpd.conf (_PATH_ is the path to my php files, maybe this is wrong ?) :
<目录E:/_PATH_">选项 无允许覆盖所有命令允许,拒绝所有人都允许AuthName "SSPI 保护的地方"身份验证类型 SSPISSPIAuth 开启SSPI权威开启SSPIOffer基本开SSPIOmitDomain 开启需要有效用户</目录>
编辑 2015-05-12 :
Edit 2015-05-12 :
我在机器上以域用户身份登录
I am logged as a domain user on the machine
当我尝试使用 Firefox 时,会提示我输入登录名和密码.当我发布提示时,脚本从提示中获取登录名,但这不是我想要做的:我必须让它与 IE 一起使用,而且我不想再次输入登录名和密码.我想要当前 Windows 会话的登录信息.
When I try with Firefox, I get a prompt for a login and a password. When I post the prompt, the script gets the login from the prompt, but this is not what I want to do : I have to get this to work with IE, and I don't want to type again login and password. I want the login of the current Windows session.
在 Firefox 中,感谢 @ThaDafinser,我进入 about:config 将 network.automatic-ntlm-auth.trusted-uris 设置为我的域.现在我在 Firefox 中不再收到提示并且一切正常,但我总是需要让它在 IE 上运行.
In Firefox, I went into about:config to set network.automatic-ntlm-auth.trusted-uris to my domain, thanks to @ThaDafinser. Now I do not get a prompt anymore in Firefox and everything works, but I always need to make it work on IE.
在 IE 中,我将本地内联网安全设置为最低,但没有任何变化.
In IE, I set Local Intranet Security to the lowest, but nothing changed.
在 IE 中,为本地 Intranet & 选中使用当前用户名和密码自动登录".受信任的站点.
In IE, "Automatic logon with current user name and password" is checked for Local Intranet & Trusted Sites.
当我强制 IE 在提示中询问凭据时,如果我发布提示,IE 不会返回凭据,这与 Firefox 不同.
When I force IE to ask credentials in a prompt, if I post the prompt, IE does not return the credentials, contrary to Firefox.
编辑 2015-05-13 :
Edit 2015-05-13 :
我在 IE 中添加了受信任站点的 URL,没有任何变化.
I added the URL to trusted sites in IE, nothing changed.
我将可信站点的安全设置为低,没有任何改变.
I set security to low for trusted sites, nothing changed.
我在 IE > Internet 选项 > 高级中取消选中通过代理连接使用 HTTP 1.1",即使我使用提示,我仍然无法在 Internet Explorer 上获得会话信息.
I unchecked "Use HTTP 1.1 through proxy connections" in IE > Internet Options > Advanced, I still can not have session informations on Internet Explorer, even if I use the prompt.
我在 Internet Explorer > Internet 选项 > 安全 > 本地 Intranet > 站点 > 高级中添加了完整 URL
I added the full URL in Internet Explorer > Internet Options > Security > Local Intranet > Sites > Advanced
在 Internet Explorer > Internet 选项 > 安全 > 本地 Intranet > 站点 > 高级中,我还添加了域 (mycompany.com) 的相同部分,与我在 Firefox 中添加的部分相同,以使其工作,但这确实没有帮助.
In Internet Explorer > Internet Options > Security > Local Intranet > Sites > Advanced, I also added the same part of the domain (mycompany.com) than I have added in Firefox to make it work, but this did not help.
编辑 2015-05-18 :
Edit 2015-05-18 :
根据@timclutton 在他的回答中所说的,将我的 httpd.conf 更改为与 Apache 2.4 兼容:
Changed my httpd.conf to be compatible with Apache 2.4, according to what @timclutton said in his answer :
<Directory "E:/_PATH_">
Require all denied
AllowOverride All
Options None
AuthName "SSPI Authentication"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOmitDomain On
Require valid-user
Require user "NT AUTHORITY\ANONYMOUS LOGON" denied
</Directory>
编辑 2015-05-19 :
Edit 2015-05-19 :
我尝试设置 SSPI 的基本身份验证,但它不起作用.
I tried to set a basic authentication intead of SSPI and it does not work.
AuthType 基本AuthName需要身份验证"AuthUserFile "E:/PATH/.htpasswd"需要有效用户
AuthType Basic AuthName "Authentication Required" AuthUserFile "E:/PATH/.htpasswd" Require valid-user
订单允许,拒绝所有人都允许
Order allow,deny Allow from all
推荐答案
当我尝试使用 Firefox 时,会提示我输入登录名和密码.当我发布提示时,脚本从提示中获取登录名,但这不是我想要做的:我必须让它与 IE 一起使用,而且我不想再次输入登录名和密码.我想要当前 Windows 会话的登录信息.
When I try with Firefox, I get a prompt for a login and a password. When I post the prompt, the script gets the login from the prompt, but this is not what I want to do : I have to get this to work with IE, and I don't want to type again login and password. I want the login of the current Windows session.
您可以通过更改 Firefox 设置来删除提示:
You can remove the prompt, by changing the Firefox settings:
- 在地址栏中输入:about:config"
- 检查 network.automatic-ntlm-auth.trusted-uris
- 将值设置为您的域或域的一部分,例如 mycompany.com(用逗号分隔多个值)
对于 IE,您需要将页面(内联网)的安全设置设置为低于 Internet 其他部分的安全设置.请参阅 https://superuser.com/questions/148063/why-does-internet-explorer-keep-asking-me-for-ntlm-credentials-in-an-intranet-zo
For IE you need to set the security settings for your page (intranet) lower than for the rest of the internet. Please see https://superuser.com/questions/148063/why-does-internet-explorer-keep-asking-me-for-ntlm-credentials-in-an-intranet-zo
这篇关于NTLM 身份验证 - 在 PHP 中获取 Windows 登录名、域和主机的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
