2009-09-07 14:53
浏览 191

使用Kerberos进行PHP Active Directory身份验证

I'm currently integrating a CMS (developed in PHP) authentication with Active Directory. This specific Active Directory only allows authentication through Kerberos, or ldaps:// (but this last one is not the most wanted since I'll have to use absolute paths).

I've been searching the web for anything about PHP AD Kerberos Authentication, but found nothing. Can anyone point me in the right direction?

Thanks in advance.

图片转代码服务由CSDN问答提供 功能建议

我目前正在将CMS(用PHP开发)身份验证与Active Directory集成。 这个特定的Active Directory只允许通过Kerberos或ldaps://进行身份验证(但最后一个不是最需要的,因为我必须使用绝对路径)。

我已经 一直在网上搜索有关PHP AD Kerberos身份验证的任何信息,但一无所获。 有人能指出我正确的方向吗?


  • 写回答
  • 好问题 提建议
  • 关注问题
  • 收藏
  • 邀请回答

3条回答 默认 最新

  • duanguanye4124 2009-09-07 15:02

    Not freeware solution - google by 'Plexcel' keyword

    解决 无用
    打赏 举报
  • duandu5846 2010-02-20 07:00

    If you are using Active Directory, its possible your webserver is IIS, which has inbuilt kerberos*.. then just let the browser & webserver handle the authentication and use some PHP like:

    $user = isset($_SERVER['AUTH_USER']) ? $_SERVER['AUTH_USER'] : false; 
    if((false === $user) or ('' == $user)){
    //Divert to incorrect password page.. 
    //MSIE typically tries three times, Kerb/NTLM/Plain
    //FF will only try NTLM/Plain if configured for NTLM
    //Chrome.. won't work with this at all.. not that I have discovered.
    //If testing locally using Apache, user will be 0

    Now you can do SSO using Kerberos, works a charm.

    *: Called "Integrated Windows Authentication" http://support.microsoft.com/kb/324274 and must be enabled in browser by setting "Security Zone" to "Local Intranet".. which may happen if the IIS box is actually on the Local Intranet.. but it depends on the SPN and the domain the User's box and IIS box and any trust relationships.. if its on a single domain with the domain name/machine name the same it should work. If you are clustering or anything fun, expect a major headache, rather than just a normal headache. You can script/GPO the IE settings if you feel the need..

    Hopefully you are asking about something else.. If I prayed it would be that you didn't implement this, it causes the whole authentication process for every single request.. which turns out slows down every page load.. no matter how many aggregations/hacks/workarounds you implement.. it was just a bad idea, but once you start or tell a manager about it, they really love it because it saves them having to login again.. oh, they will still complain about speed, but..

    解决 无用
    打赏 举报
  • dongtuliao6760 2013-05-07 19:25

    There's a krb5 module for PHP. It has a PECL entry although no packaging yet. You can find out more about it here:


    解决 无用
    打赏 举报

相关推荐 更多相似问题