Example of use #3

Closed
jmvelasco opened this issue Jun 1, 2015 · 4 comments
Comments

@jmvelasco

Hello,

It looks like a great library, but I can't figure out what parameters to set in the ntlm_prompt() call.

My goal is for the user to be logged in directly, without being asked, against the AD.
My apologies, but I am quite new to this NTLM stuff.

Let's say my base DN is COM.CITY, so I use these parameters:

$testWebsite = "http://desired/place/to/go/after/login";
$testDomain = "COM.CITY";
$myComputer = ? // I could guess the IP
$testDomainLocal = "COM.CITY";
$myComputerLocal = ? // I could guess the IP

$auth = ntlm_prompt($testWebsite , $testDomain, $myComputer, $testDomainLocal, $myComputerLocal, "get_ntlm_user_hash");

I don't know what *Local stands for and I doubt if the computer value could be its IP.

I'd appreciate your clarifications.

Thank you.

@loune
Owner

loune commented Jun 2, 2015

myComputer is just the netbios name of the web server, but you could really make it anything that's alpha-numeric.

@jmvelasco
Author

Thanks for your reply, loune.

I have changed the parameters to:

$auth = ntlm_prompt("http://redirect/site/after/login", "DOMAIN", "IIS_SERVER_HOST", "DOMAIN", "IIS_SERVER_HOST", "get_ntlm_user_hash");

The DOMAIN I have set is the same that is shown at the Windows Security popup below the user and password boxes.

I can't understand why we have to pass the domain and the computer twice. What is the difference with .local? I am setting the same values for both. Is that wrong?

On the callback function, for the moment I have hardcoded my user/password in the array.

I have added log messages and what I see is the check

if ($msg[8] == "\x01") { 

at line 216 is never true. Here is the log output: https://gist.github.com/jmvelasco/6315bdb238fbb13195f6

I am on a Server 2008 R2 server with IIS 7.0 and the following settings:

  • IIS Authentication: Windows Authentication Only
    • Extended protocol Off
    • Enable Kernel-mode authentication
    • Providers:
      - Negotiate
      - NTLM
  • On the IE browser I have defined, for the custom level at the trusted zone, User Authentication - Logon as "automatic logon with current user name and password"

By the way, without your library and the settings described above I get the logged user with the sentence:
$user = $_SERVER['AUTH_USER'];

I would love to understand why I can't make your code work.

Thanks in advance.

Regards.

@loune
Owner

loune commented Jun 3, 2015

If you are using IIS, there's no need to use my script as IIS has native NTLM. As you found out, you can just get the username using $_SERVER['AUTH_USER']. This library is mainly for people who use nginx and apache, and on a server outside their domain.
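The check jmvelasco quoted above (`$msg[8] == "\x01"`) tests the NTLM message type byte. As an added example, not code from php-ntlm or from either participant, the helper below decodes an `Authorization: NTLM ...` header (typically `$_SERVER['HTTP_AUTHORIZATION']` on Apache or nginx) and reports the message type, returning null when no NTLM token is present, which is what a script sees behind IIS Windows Authentication because IIS completes the NTLM exchange itself and never hands the Negotiate message to PHP. The function name and the sample token are constructed for this example.

```php
<?php
// Added example, not php-ntlm's own code. An NTLM token starts with the 8-byte
// signature "NTLMSSP\0" followed by a 32-bit little-endian message type:
// 1 = Negotiate (type 1), 2 = Challenge (type 2), 3 = Authenticate (type 3).

/**
 * Classify the NTLM token carried in an Authorization header value.
 * Returns 1, 2 or 3 for a well-formed NTLMSSP message, or null when the header
 * is absent, is a different scheme, or does not decode to an NTLMSSP message.
 */
function ntlm_message_type(?string $authorization): ?int
{
    if ($authorization === null || strncasecmp($authorization, 'NTLM ', 5) !== 0) {
        return null;
    }
    // Strict base64 decoding rejects tokens with characters outside the alphabet.
    $msg = base64_decode(substr($authorization, 5), true);
    // Signature check first: anything else is not an NTLMSSP message at all.
    if ($msg === false || strlen($msg) < 12 || substr($msg, 0, 8) !== "NTLMSSP\x00") {
        return null;
    }
    // The message type occupies bytes 8..11 (little-endian); the library's
    // `$msg[8] == "\x01"` check reads only its low byte.
    return unpack('V', substr($msg, 8, 4))[1];
}

// Constructed sample: a minimal type 1 (Negotiate) token, the first message a
// browser sends. Flags 0x207 = UNICODE | OEM | REQUEST_TARGET | NEGOTIATE_NTLM.
$negotiate = 'NTLM ' . base64_encode("NTLMSSP\x00" . pack('V', 1) . pack('V', 0x207));
assert(ntlm_message_type($negotiate) === 1);

// Behind IIS Windows Authentication the header never reaches PHP, so the type-1
// branch of the library can never run; the same holds for a non-NTLM scheme.
assert(ntlm_message_type(null) === null);
assert(ntlm_message_type('Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==') === null);

echo 'Negotiate token message type: ' . ntlm_message_type($negotiate) . PHP_EOL;
```

Logging the return value of this helper (or "no NTLM header") at the top of the script is a quick way to tell whether the web server is handing the NTLM exchange to PHP at all, which was the root cause in this thread.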

@jmvelasco
Author

Great, I have found I couldn't get the headers from IIS, so the user-login popup was always shown.
I like your library by the way, good work! Congrats.
