Accessing Exchange 2003 Using PHP

What type of account are you authenticating with?

Not quite sure what you are asking here. The account is an exchange account for a test AD user "Robin-Tester" in the domain. I have confirmed that I can authenticate using OWA with both Firefox and IE. I have tried with various combinations such as "Robin-Tester", "Robin-Tester@domain" and "domain\Robin-Tester".

Slightly offtopic, as this is not a PHP solution:
In a recent project we used an ASP.Net proxy script that used the EWS Managed API from microsoft that wraps the webservices that Outlook web access uses to access Exchange. The proxy just converts REST calls to API calls and works like a charm in reading and writing to calendars from PHP.

Thinking outside the box, older versions of Mac Entourage (Microsoft product) I've worked with connect through WebDav too & they require case-sensitivity for the domain and username as well as the password (of course).   Your "domain\Robin-Tester" is correct format, but is it case-sensitive matching the domain name as presented at the top of the Active Directory Users and Computers tree?

Barthax Interesting call. I have checked it and no it isn't an issue of case. Thanks for posting though.

Roonaan, I'm working very much at the limit of my knowledge on this project. Your post sounded interesting but I have to confess most of it is new to me. I've browsed a bit but doesn't this need exchange 2007?

Yes, sorry. I had to check, but our environment is indeed using an 2007 server. I made a wrong assumption that it was a 2003 one.

OK thanks for trying.

Depending upon what you want to do, you could use the Outlook Redemption DLL (http://www.dimastr.com/redemption/) via PHP's COM mechanism.

Essentially Outlook Redemption is an interface to allow you to talk to Exchange Server, just like MS Outlook does, but without the security block that various service packs have put in place.

Whilst the examples on the site are NOT in PHP, because it is a COM interface, it is extremely portable.

RQuadling I have no experience using PHPs COM interface. I could have a go but I'm not sure that Outlook Redemption is the way forward. Not understanding the context in which it would be used can you help me by answering this question.

Exchange sits on server1 php would be running on server2, can PHPs COM interface allow me to interface with Exchange using Outlook Redemption?

I have tried to search the Outlook Redemption yahoo group but yahoo has mucked up the group search facility.

Thanks for getting back to me this morning darkstar3d, was that the information you wanted?

Yes it was. Those examples look like they will work. If the server is using forms based authentication, I don't think they will. I wasn't able to test any of them yet to check for certain.

FBA requires that you query /exchweb/bin/auth/owaauth.dll with the username and password, save the cookie that is returned, and authenticate all further requests with that cookie. curl is one of the better methods of doing that. I'm rusty on PHP, but here is a link that hopefully will get you started. I'm on the road and can't test anything until the weekend.

http://stackoverflow.com/questions/437927/how-do-i-do-this-asp-webdav-fba-authentication-example-in-php

Look at the top rated answer for the code I'm mentioning.

The way Redemption works is by utilising a windows mail profile.

So, if Outlook can talk to exchange (a good test), then PHP + COM + Outlook Redemption can also.

Outlook needs to be installed on the same server as PHP and Redemption.

Here is a daft example with my output.

Contacts
Contacts
Global Address List
All Address Lists
All Contacts
All Groups
All Rooms
All Users


OK. Not much. But using a TypeLibrary browser, you can see the entire list of facilities with all the parameters and return types.

This was run on a Windows XP SP3 workstation with Outlook 2003 SP3 installed (but not loaded!!!). The Exchange server is a VM running on Windows 2008 in an Sun ESX box somewhere.

<?php
// Suppress reporting of duplicate constants.
ini_set('com.autoregister_verbose', 0);
 
// Create an Outlook Redemption object to read the address lists.
$o_RLists = New COM('Redemption.AddressLists');
 
// Register the typelibrary.
com_load_typelib('AddressLists');
 
// Iterate the list of address books.
for($i_Count = 0 ; $i_Count < $o_RLists->Count ; ++$i_Count)
	{
	echo $o_RLists[$i_Count]->Name, PHP_EOL;
	}

                                              

1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:

foreach() didn't work as the IAddressLists does not have an enumerable interface. This is the Redemption library and I suspect the same for the Extended MAPI library and NOT PHP's fault.

RQuadling, thanks, I will look into this next week as it offers a different kind of approach. I would prefer to understand why the existing code I'm working with isn't working first. Once I have bot methods working I would be in a position to decide which offers me the best solution.

darkstar3d thanks for the link. I'm going to look it over now I understand the constraints you are under so I will be patient!!. I am grateful for all the help being offered to me. One thought occurs to me. FBA is turned on in exchange but I haven't configured for HTTPS as this is exclusively for internal use and I was reluctant to spend money on a certificate for internal purpose only. Could this be the problem. I have amended the scripts I am trying so they use HTTP not HTTPS but is there a problem with this I'm not appreciating?

curl can be used to get any data, not just https. You only need to put the cookie into every request sent after that.

Darkstar3d, when I enable Forms Based Authentication in Exchange the following message comes up:-

"Forms Based Authentication requires clients to use a SSL connection. If SSL encryption is not off-loaded to another source, complete the following steps:

-Configure SSL
-Restart the IIS service"

Presumably from what you say above I can ignore this and FBA will be enabled but for HTTP not HTTPS?

If you had to enable it, it wasn't enabled already. It is not necessary, just more secure and with the results you were getting I was thinking FBA was the cause of it. It is more secure, but if this is internal only, create a self signed certificate. A local certificate authority could also be used.

Well FBA was enabled from the original install of exchange. I have tried removing it to see if that was the issue and this came up when I tried to add it again. Not entirely sure what you mean here. Are you saying:-

1. It will work without enabling SSL on IIS

or

2. I need to enable SSL on IIS for it to work and can just use a self signed certificate.

Currently none of the scripts I try work with or without it. I'm grasping at straws I think.

Is Webdav disabled perhaps? Not sure where to check just for Exchange but I would check in IIS manager, web service extensions, and see if WebDAV is Allowed.

As far as I can see WEBDAV is enabled (see the attached jpegs). Given that I have tried a number of different scripts some using cURL some using Troy Wolf's HTTP class I can't help thinking that this is to do with exchange. One option to progress this is, if you are up for it, to set up a remote session for you to directly look at the config. That's within the rules of EEX as long as I commit to writing up the solution afterwards. I fully understand if this is not acceptable to you as your support to me is only voluntary.

An alternative or additional approach to this could be to try access via ASP first. This might at least identify the location of the problem. I've had a quick cast around and there are dozens of scripts to try from. Do you have an suggestions as to any?

Remote session currently impossible for me as I only have my corporate laptop with me.

For examples, I always look to see what Glen Scales has first! :) http://gsexdev.blogspot.com/2005/04/aspnet-and-exchange-tips-and-samples.html

OK I'll pursue that and get back to you. Could be a few days as other things are crowding me. I am very grateful for the support.

I just tried that first script, Troys, and didn't get access denied but an XML error. He has the username hardcoded to twolf in a few spots (line 31 and 41). Changing those to $exchange_username got me in. Will try looking at the XML returned later today.

Troy has sent me an updated class_http, attached.

Popped that in real quick, it gets a cookie (which tells me that it was successful logging in) but ends with can't authenticate.

That's exactly what is happening for me. I still haven't had a chance to try ASP as life got hectic. Hope to look today.

The script at http://msdn.microsoft.com/en-us/library/ms878636%28EXCHG.65%29.aspx work straight away so that makes me think the error lies in the PHP not the exchange server configuration?

I should have more time over the next few days to play with this. I haven't examined those classes that Troy built fully, although from his page it seems some peeps got it to work. But, auth errors and XML errors is what I get from it. The big issue could be that PHP has moved along since then. PHP4 was everywhere then and PHP5 changed a lot of stuff. Definitely broke a lot of my scripts.

Hmmm, which version of PHP are you using?

I'm running 5.2.8

5.2.11on my development machine and 5.2.5 on my internal web server.

Just looked at my PHP install, any 5. version should have a HttpRequest class which you can enable by uncommenting the extension=php_http.dll line in the php.ini file.

Going to try using that instead of Troy's.

Spent time during lunch on this. What is fairly easy with ASP seems so convuluted with PHP at least with NTLM. Are you using basic authentication by chance? Not recommended but if you are, probably could proceed faster.

Here I have to confess my ignorance. I'm unsure what NLM means and regarding basic authentication  how does one check?

NTLM (NT Lan Manager) is a session based security authentication mechanism for use with AD. The .NET protocols have built in routines to get through all the challenges/responses needed to authenticate.

Basic authentication is sending information (user name/password) in the clear.

From your Exchange system manager, bring up the props on the Exchange virtual server, then Access tab, Authentication button. Which methods are checked?

Yes our usual access for exchange is using outlook and it uses our AD authentication. I'm having difficulty following:-

"... Exchange system manager, bring up the props on the Exchange virtual server, then Access tab, Authentication button ...". I have tried most of the objects in exchange system manager and none of them throw up properties with an access tab.

System Manager, (Admin Groups, then the group,) Servers, Protocols, HTTP, Exchange Virt Server.

If there aren't any admin groups, that part won't be there. If you can't get all the way there, you don't permissions to it, which if you are doing Webdav would be strange.

Hmm can't see an access tab:-

Should have added that I'm a domain admin.

How many servers do you have? That looks like a front end server properties. The backend is where the authentication is done at.

If it is a backend, maybe its standard. All my servers are enterprise and I can't verify that.

There are two servers that pertain to what I am doing at the moment. The Domain Controller is also the exchange server running Exchange 2003 Standard. That is using Windows 2003 standard and the web server running Windows 2003 Web Edition with IIS and PHP Version 5.2.5. I use PhpEd for development on a Windows XP machine that is part of the domain and that uses PHP Version 5.2.11. The screen shot is taken from running System Manager on the domain controller.

Everything that I read states that Standard Edition also has the access tab. Ok, will keep working on why I can't get authenticated. :( No code I find authenticates, which seems strange.

No PHP code that is. :)

This is exactly what has been happening for me. It's a real puzzle, I am very grateful that you are spending time on this.

I'll be home this weekend, so I hope to get this working. I'm thinking Troy must have some NTLM modules in his Apache and PHP that we don't have. I just looked at my stuff and neither have NTLM as I can see.

That's an interesting possibility I'll ty e-mailing him, he may respond.

OK it's done I'll let you know if he responds.

I've had a response. He is using no extra NTLM modules.

Wow, I haven't fully examined his class, but i'm thinking that it must be using Basic authentication then. It is the only thing that I have off.

I definitely wasn't aware of all the back and forth responses used by NTLM that .NET handles automatically.

The replacement script I posted was supposed to work with FBA.

Understood, but neither works for me. :)

Even the mods I made while poking around.

I am puzzled as to why nothing seems to work, especially as there appears to be references to getting PHP and Exchange talking on the web. Obviously Troy got it working. I wonder if PHP5 breaks it, the original development was in 2006 so it could have been done in 4? I'll look into setting up a machine with 4 on it to see.

Looking at the XML syntax, it is PHP4.

As much as I wanted solve this, after 5 hours today, I'm nowhere closer.

Since you are running this on a windows server, maybe a proxy service could be the trick.

I'm away for a few days will get back to you on the weekend.

This may be what you need.

http://www.likewise.com/

Not sure about that. I'll look into it more. Sorry it's gone quiet. Got back off leave and suddenly 3 other projects were shoved to the top of the list of priorities. I'm hoping I'll be back to this in a few days.

I have now returned to this. To briefly recap what has happened so far.

Originally FBA was enabled on exchange and I tried both the new HTTP class of Troy's to no avail.
I then switched off FBA and tried the old HTTP class to no avail.
I then re-enabled FBA.

I decided to start over.

I tried the old and new HTTP class and they failed.
I switched to PHP 4 and suddenly the old HTTP class worked - there were some errors being returned in PHP 5 which needed sorting out but once these were done I got the output.

In PHP 4 and 5 the new HTTP class still fails.  It returns an authentication error. Using Firebug and Firecookie while I step through the code there I can't see the cookies "sessionid" and "cadata" being created.

The puzzle is that exchange is still showing FBA is switched on. If FBA is switched on is it still possible to use Basic Authentication (if that is the right term) or is FBA really off even though is shows on?
Is the failure related to something wrong with the configuration of FBA or that the cookies aren't being set?

FBA shows on as in the screen shot above:-

http://www.experts-exchange.com/images/191676/Exchange04.jpg

Regarding the cookies I'm not absolutely sure what I'm looking for. I have implemented Firebug and Firecookie in FireFox. Using those no cookies are being set except PHPSESSID.

Tonight I'll look using those tools to see what cookie my server gives with FBA. I'm wondering if it has anything to do with Firefox not being a full OWA platform for Exchange 2003.

Hmm I rebooted the exchange server and magically it is now working perfectly. I'm guessing that the problem was originally to do with the errors produced by PHP 5. Messing about with the FBA setting produced a overlay problem which was resolved by the reboot. MANY MANY thanks for al the help on this you are a star. Now to start exploring Webdav in anger. No doubt I shall be revisiting EEX.

This was a time consuming issue and the solution isn't easy to pinpoint so the points have been attached to a fairly arbitrary response. Without the tenacity and support of darkstar3d I doubt I would have resolved it. I haven't catalogued the changes that are needed to Troy's script. If in the future anyone wants then then message me and I will write them up.