> -----Original Message----- > From: winnesoup [mailto:adsl274570@xxxxxxxxxx] > Sent: January 30, 2005 18:16 > To: Manuel Lemos; php-windows@xxxxxxxxxxxxx > Subject: Re: Re: NT username detectable? > > > It's unbelievable. This question is freaking me out for a > year or so and > when I started looking again for a solution Manuel made this > post. Hopefully > we will finally get to an answer!!! > > The internet is FULL of "supposed to be solutions" to this > questions, but so > far I came out with ZIP/ NADA. Nowhere a COMPLETE and > exhaustive description > of sth that worked. > > Manuel states it right. Why authenticate AGAIN if you are allready > authenticated by our beloved Microsoft network ? (NTLM). > > Let's just kick some xss! Let us describe how to do it and > place it as a > howto somewhere on the internet. > > Think of configurations like > WebServer OS: WinXP > WebServer: Apache 2 (without NTLM authentication --> no .so > file found from > authenNtlm and Mod_ntlm grumbl) > Clients: WinXP > Network: win 2003 with AD > > I think Manuel has also something like this otherwise he > would'nt be talking > about retrieving by COM. > > I can give some hints that did not work for me: > - trying locally to read %USERNAME% --> did not get it read locally > (clientside) > - $obj = new COM ("ADSystemInfo") + echo $obj.Username ==> > exception error > > sth that MIGHT work: > - use an IIS server to get authenticated --> there are some > server variables > that you can read in ASP > http://msdn.microsoft.com/library/default.asp?url=/library/en- > us/iissdk/html/21b3be8f-d4ed-4059-8e21-6cba2c253006.asp > now try to pass the variables needed to PHP. Can be done by > hidden field in > a form. Use javascript to submit the form onload > ==> this is going to be my next adventure on this level........ > > But it all comes down to the following: > - if you are using apache webserver in windows network there > are NO working > examples to be found on the internet for single signon (at > least, not that I > found). > > Somebody more ideas?? > > feedback greatly appreciated. > > > > ----- Original Message ----- > From: "Manuel Lemos" <mlemos@xxxxxxx> > To: <php-windows@xxxxxxxxxxxxx> > Sent: Saturday, January 29, 2005 9:05 PM > Subject: Re: NT username detectable? > > > > Hello, > > > > "Christian Fersch" <Chronial@xxxxxx> wrote in message > > news:20040902232827.70249.qmail@xxxxxxxxxxxxxxx > > > GHaider@xxxxxxxxxx wrote: > > > > > > > In the html headers, the server sees the clients OS, > user agent, IP > > > > address etc. Is there a way on a local LAN a server > might be able to > > know > > > > the username of the client that sends a request? > > > > > > > > I've checked all $_SERVER variables, PHP_AUTH_USER etc > require the > auth > > > > box to be displayed. I'm thinking it might be possible > to know which > > user > > > > is logged in when the request is made, possibly by > using COM or even > > > > (gasp) .NET, without having to ask the user his username. > > > > > > > > Any ideas if this can be accomplished at all? > > > > > > > > Right now we have Firefox clients and Apache with PHP > in an Active > > > > Directory domain with NT4 compatibility, but we can > move to IE6 with > > > > IIS+PHP if that will work. > > > > > > > > > This isn't possible with php on its own (would be deep > impact into your > > > privacy if it could, wouldn't it?). So you've got 2 choices: > > > switch to IE and use a security hole :> > > > > Mozilla and Firefox already support NTLM authentication on Windows. > > > > If you configure the Web servers (IIS or even Apache not > necessariliy on > > Windows) to require NTLM authentication , either Internet > Explorer or > > Mozilla or Firefox will dialog with the server to > authenticate via NTLM > > and no password is asked to the user that has logged in the > same Windows > > domain. > > > > A PHP script for a page that requires NTLM authentication > can obtain the > > authenticated user name using GetEnv("LOGON_USER"); . > > -- > > > > Regards, > > Manuel Lemos Try this site. I've set it up in a test environment and it seems to work http://twiki.org/cgi-bin/view/Codev/WindowsInstallModNTLM -- PHP Windows Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
