IIS, php, kerberos and multi-hop

Michael B Allen mba2000 at ioplex.com
Mon Dec 4 17:23:10 EST 2006


Hi Dave,

What you are talking about is called "delegation".

Yes, you need to at least send a base 64 encoded token to the second HTTP
server. But unless Win32 curl knows about SSPI (no idea) you probably
can't do it without writing an extension in C.

The problem is that you need to call SSPI routines to get the token and
AFAIK PHP does not have an extension for SSPI.  And even if you did write
an extension it remains to be seen if you have access to the credential
cache of the logon session (I ran into that problem with someone using
Tomcat because it runs as a separate process and ended up bypassing IWA
doing SPNEGO auth on the Java side from scratch).

If you would like to use Linux instead, the next version of our PHP SSO
product will be able to do everything you want and then some.

Otherwise you could try using an ASP to get the data and then somehow
invoke the PHP script with the data (maybe, shrug).

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/

On Mon, 04 Dec 2006 17:45:53 +0000
Dave Gudgeon <DaveG at jadu.co.uk> wrote:

> Hi,
> 
> I am currently developing a web application for a Windows 2003 server 
> running Kerberos and wondered if anyone could help me out. I am using 
> Integrated Windows Authentication to provide single sign-on for my PHP 
> application running on IIS. The problem I am having is that I need to 
> request data from a second server and maintain the access rights of the 
> user logged in to my application. I understand this is called multi-hop 
> authentication and is quite a common issue. The research I have 
> conducted leads me to believe that I need to pass Kerberos tokens to the 
> second server along with my HTTP request, is this correct? I have been 
> able to find very little information about the structure of these 
> tokens, or how I can access them via PHP.
> 
> If you have any documentation / APIs / resources that you could 
> recommend or any advice to help me in the right direction it would be 
> most appreciated.
> 
> Many thanks
> 
> Dave Gudgeon
> 
> 
> 
> -- 
> Dave Gudgeon
> Software Engineer
> 
> Jadu announces the content management revolution with Jadu Galaxies
> Find out how you can design, deploy and devolve web content management - no technical skills required:
> http://www.jadu.co.uk/galaxies
> 
> --
> Jadu Limited,
> Development Centre: LCB, 31 Rutland Street, Leicester LE1 1RE
> Main office: PO Box 2554, Rugby, Warwickshire CV21 4ZE
> 
> T: 0116 253 3423 F: 0116 253 3424 
> 
> http://www.jadu.co.uk
> --
> ISO 9001:2000 registered firm GB2001425
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 


