How can I implement single sign-on (SSO) using Microsoft AD for an internal PHP app?

Question

I\'m vaguely aware that on a computer joined to a domain IE can be asked to send some extra headers that I could use to automatically sign on to an application. I\'ve got ap

Answer 1

For IIS/PHP FCGI, You need to send out an unauthorized header:

function EnableAuthentication()
{
    $realm = "yoursite";
    header('WWW-Authenticate: Digest realm="'.$realm.'",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
    header("HTTP/1.1 401 Unauthorized"); 
    exit;
}

You can then get at the username with:

$winuser = $_SERVER["REMOTE_USER"];

I then make sure the $winuser is in my database of allowed users.

Be SURE and test this under a non-privileged account. When I first installed this I tested it and it worked fine, but later when a standard non-server-admin user tried it this failed. Turns out some of the temporary directories need to have permissions changed for guest users. I can't recall the exact settings.