I have a PHP website running as an App on IIS. The app is using a specific Identity that runs all php-cgi.exe processes under the NetworkService user, which has access to the AD server.

There's also another .NET app in IIS that uses the same identity and can log into AD using the class System.Web.Security.FormsAuthentication, with Forms Authentication enabled in the Authentication settings in IIS. I tried copying the settings over but to no avail.
The .NET code:

```csharp
...
// Membership and FormsAuthentication both live in this namespace.
using System.Web.Security;
...
public ActionResult Login(Login model, string route)
{
    // Validates the credentials against the configured membership provider (AD).
    if (Membership.ValidateUser(model.Username, model.Password))
    {
        // Issue the forms-authentication ticket (non-persistent cookie).
        FormsAuthentication.SetAuthCookie(model.Username, false);
        return Redirect(route);
    }
    return RedirectHome();
}
```
My code running on IIS with PHP CGI, with impersonation on at the IIS level and the php.ini level:

```php
public function login()
{
    $ldapHost = 'ldap://spacemudd-ad';
    // PHP should use the server's (IIS) credentials when connecting (impersonate).
    $connection = ldap_connect($ldapHost);
    // This always fails.
    //
    // "ldap_bind(): Unable to bind to server: Can't contact LDAP server"
    //
    // I believe this is due to php-cgi.exe not sending the request
    // to the AD server through the identity pool's user (NetworkService),
    // even though in Task Manager php-cgi.exe shows the owner as
    // NetworkService?
    //
    $ldapBind = ldap_bind($connection);
    // TODO: Search the AD directory for the user to be authenticated.
}
```
php.ini configuration:

```ini
fastcgi.impersonate = 1
```
Ref. questions:

- Setting permission for PHP (or I_USER [I'm not sure here...]) to connect to iisweb.vbs
- https://serverfault.com/questions/313100/iis-forms-authentication-php-asp-net-server-side-login (didn't attempt but looks promising -- will attempt tomorrow)
- PHP LDAP binding AD with the server's user account (doing `ldap_bind()` without setting credentials)
Update 24-11-2018: The sysadmin gave me this information:

config.md:

```xml
<add name="ADConnectionString" connectionString="LDAP://spacelantern-central/DC=spacelantern,DC=com" />
<membership defaultProvider="ADMembershipProvider">
  <providers>
    <clear />
    <add name="ADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider" connectionStringName="ADConnectionString" attributeMapUsername="sAMAccountName" />
  </providers>
</membership>
```

code.md:

```csharp
if (Membership.ValidateUser("userid", "password"))
{
    //
}
```
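As an added example (not the asker's code, and not the project's), here is the PHP side of the flow the .NET membership provider performs: an explicit bind with a dedicated read-only service account (instead of an anonymous `ldap_bind()` that depends on the process identity), a filter-escaped search on `sAMAccountName`, and a second bind as the found user to check the password. The DC name and base DN are taken from the config above; the service account DN, its password source and the usage values are assumptions chosen for illustration.

```php
<?php
// Added example: authenticate a user against Active Directory from PHP.
// Assumed: a read-only service account (placeholder DN below) exists in the
// domain and its password is supplied via the LDAP_SVC_PASSWORD env var.
declare(strict_types=1);

/**
 * Returns the user's DN when the credentials are valid, null when they are
 * rejected or the user is not found, and throws when the directory itself
 * cannot be reached or the service bind fails.
 */
function adAuthenticate(
    string $host, string $baseDn,
    string $svcDn, string $svcPassword,
    string $username, string $password
): ?string {
    // Fail closed on an empty password: AD treats a bind with an empty
    // password as an anonymous bind, which would "succeed" for any user.
    if ($username === '' || $password === '') {
        return null;
    }

    $conn = ldap_connect($host);
    if ($conn === false) {
        throw new RuntimeException("invalid LDAP URI: $host");
    }
    // AD requires LDAPv3; referral chasing is disabled so the client does not
    // open extra, unauthenticated connections to other DCs.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // Explicit bind with a low-privilege service account rather than relying
    // on impersonation of the worker-process identity.
    if (!@ldap_bind($conn, $svcDn, $svcPassword)) {
        throw new RuntimeException('service bind failed: ' . ldap_error($conn));
    }

    // Escape the user-supplied value so it cannot alter the search filter.
    $filter = sprintf(
        '(&(objectClass=user)(sAMAccountName=%s))',
        ldap_escape($username, '', LDAP_ESCAPE_FILTER)
    );
    $result = ldap_search($conn, $baseDn, $filter, ['dn']);
    if ($result === false) {
        ldap_unbind($conn);
        throw new RuntimeException('search failed: ' . ldap_error($conn));
    }
    $entries = ldap_get_entries($conn, $result);
    ldap_unbind($conn);

    // Exactly one match expected; unknown or ambiguous users are rejected
    // without revealing which case applied.
    if ($entries['count'] !== 1) {
        return null;
    }
    $userDn = $entries[0]['dn'];

    // Verify the password by binding as the user on a fresh connection; the
    // service-account session is never reused for user-level operations.
    $userConn = ldap_connect($host);
    if ($userConn === false) {
        throw new RuntimeException("invalid LDAP URI: $host");
    }
    ldap_set_option($userConn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($userConn, LDAP_OPT_REFERRALS, 0);
    $ok = @ldap_bind($userConn, $userDn, $password);
    ldap_unbind($userConn);

    return $ok ? $userDn : null;
}

// Usage with placeholder values (assumption): the DC and base DN from the
// ADConnectionString above, a service account of our own, and form input.
$dn = adAuthenticate(
    'ldap://spacelantern-central',
    'DC=spacelantern,DC=com',
    'CN=svc-web-ldap,OU=Service Accounts,DC=spacelantern,DC=com',
    getenv('LDAP_SVC_PASSWORD') ?: '',
    $_POST['username'] ?? '',
    $_POST['password'] ?? ''
);
echo $dn === null ? "login rejected\n" : "authenticated as $dn\n";
```

The two-bind design mirrors what `ActiveDirectoryMembershipProvider` does under the hood (search with the connection credentials, then bind as the user), and the `ldap_escape()` call is what keeps a username such as `*)(objectClass=*` from widening the search filter.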