Authenticating a user in Active Directory (AD) from an External Site


Currently at work, users are authenticated within the company at

We just purchased from a 3rd party host. What I want to do is work towards building an internal company site with all the most frequently used material and sites by everyone on . However, for them to be able to get to the site, they need to be authenticated via the Active Directory from , which is the "MAIN" company website.

I have all the AD LDAP strings, but the issue is that I don't know how to do this. Yes, I know the workaround is to store everyone's usernames and passwords in a database and query against that, but because people leave the company and join at rates unimaginable, it will be very hard for us to keep updating the database, which is why we just said, "you know what, let's rely on AD".

How do we do this? Help out please.
k_dietz commented:
Here is code to handle the LDAP authentication through AD.  To my knowledge, the two-way trust will allow you to have users authenticate once for both websites; this method will have them sign in separately to each website.   Quite honestly, I don't know how to set up the trusts because I've never done it, so this is all I can help with.

This code works for me on IIS 6.0 with AD2003.  
<?php
session_start();
$ldapserver = "";                     // your domain controller (prefer ldaps:// so the bind password is not sent in clear)
$ldap_domainname = "YOURDOMAINNAME";
$errormessage = "";
if (isset($_POST['login']) && isset($_POST['password'])) {
    $username = trim($_POST['login']);
    $password = trim($_POST['password']);
    /* LDAP binding needs DOMAINNAME\.  Authentication does not. */
    $ld_username = $ldap_domainname . "\\" . $username;
    $ld_password = $password;
    // AD treats a bind with an empty password as an anonymous bind, which succeeds,
    // so an empty password must be rejected here before it ever reaches ldap_bind().
    if ($username === "" || $password === "") {
        $errormessage = "Your username and password combination is incorrect. Please try again.";
    } else {
        $ds = ldap_connect($ldapserver);
        // If we can't connect to LDAP there is nothing to authenticate against.
        if (!$ds) {
            $errormessage = "Error in contacting the LDAP server.";
        } else {
            ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
            ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
            // Bind to LDAP using the credentials supplied.  If no connection, cannot authenticate!
            // NOTE: cannot bind anonymously - triggers Operations Error on the search.
            $bind = @ldap_bind($ds, $ld_username, $ld_password);
            // Check to make sure we're bound and authenticated.
            if (!$bind) {
                $errormessage = "Your username and password combination is incorrect. Please try again.";
            } else {
                $base_dn = "dc=YOURDOMAINNAME,dc=local";
                $uid = "samaccountname";
                // Check the samaccountname field for the matching username (supposed to be uid but it
                // didn't work for me).  The value is escaped so it cannot change the filter (PHP 5.6+).
                $filter = "(" . $uid . "=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ")";
                $search = ldap_search($ds, $base_dn, $filter);
                // Make sure only ONE result was returned.
                if (!$search || ldap_count_entries($ds, $search) != 1) {
                    $errormessage = "There was an error processing your logon.  Please try again.";
                } else {
                    $info = ldap_get_entries($ds, $search);
                    // sAMAccountName is case-insensitive in AD, so compare without case.
                    if (strcasecmp($username, $info[0][$uid][0]) == 0) {
                        $_SESSION['username'] = $info[0][$uid][0];  // username as listed in AD
                        $_SESSION['fullname'] = $info[0]['cn'][0];  // full name as listed in AD
                        header("Location: securedwebpage.php");
                        exit;
                    }
                    $errormessage = "Your username and password combination is incorrect. Please try again.";
                }
            }
            ldap_unbind($ds);
        }
    }
}
if ($errormessage !== "") {
    echo "<p>" . htmlspecialchars($errormessage) . "</p>";
}
?>
<form action="?" method="post">
    Username: <input type="text" name="login" /><br />
    Password: <input type="password" name="password" /><br />
    <br />
    <input type="submit" value="Login" />
</form>


Malli Boppe commented:
On the website, remove anonymous authentication and use Integrated Windows Authentication.
Is the new website hosted on the same server? If not, is it on the domain?

What language are you using? I have the syntax for PHP and may be able to point ya in the right direction for .NET or others.

piyushdabomb (Author) commented:
It's on 2 different domains and 2 different servers!

I can use PHP, ASP, or ASP.NET...whatever works. Even if I don't have the experience, I'll figure it out.
Malli Boppe commented:
Do you have a 2-way trust between those domains? If you have, then users in both domains can use both websites.
piyushdabomb (Author) commented:
I can somehow get the 2way trust. I know that the domain I bought has trust... but the company website 'can' get trust after speaking with a few folks.

How do I get users in both domains using both websites? Where does authentication play a part?
Americom commented:
We have something similar.
I suggest you do the two-way or one-way trust first as suggested above. If users in yyy want to access the xxx website, then the xxx domain trusts yyy and vice versa. If you want both domains to be able to access both servers, then do a two-way trust. An external trust is usually the fastest to establish without too much concern about security. Once the trust is established in both domains, all you need to do is grant permission on your website or virtual directories etc. by simply browsing the other domain's database. Or if you're using another application to manage permissions via LDAP queries, it can be done as well by knowing the domain name and common name etc. If the web site is open for Authenticated Users or Everyone, then it already has access to both domains' users.
piyushdabomb (Author) commented:

Will the code work on 2 different servers? All I really need is 1 way trust into my company server. I don't need authentication the other way (and I'm sure I can get that).

Can someone point me in the right direction with this?
As far as trust, it sounded like one-way is what you need, and there shouldn't be a problem creating a one-way trust.
piyushdabomb (Author) commented:
Okay we changed the way we are going to deal with this just because we can't get any TRUSTS whatsoever.

I have a list of IP addresses we can work with, so I'm thinking about placing the IP addresses into a database and querying off of that. If the user's IP address is NOT found in the list, they can't log in.

Anyone know how to determine the IP address of a user?
Malli Boppe commented:
I can give another solution: create local users on the webserver with some random passwords.
On the website folder directory, add these users and give read permissions, or the same as domain user permissions. Give the user names and passwords to the other users in the domain.
piyushdabomb (Author) commented:

I already thought of that. The hassles with building a database with user names and passwords comes during maintenance depending on who leaves the company and who doesn't!
piyushdabomb (Author) commented:
Check this out:

If you go to

The first line will tell you if you were authenticated or not.

Let me know if it tells you that you were authenticated. You should NOT be!
Malli Boppe commented:
This is what I got
User is not authenticated to login to CEB's domain portal since their IP Address is: 
piyushdabomb (Author) commented:

That's all I need to know. I was able to write a little ASP to ban users who aren't part of certain IPs from logging in. Only those in the space of our IP sites can log in.
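An added example of the IP allow-list gate the asker settled on, written here in PHP to sit alongside k_dietz's login code; it is not the asker's ASP nor anything posted in the thread. The address ranges are constructed placeholders, and it assumes PHP 7+ and a web server that is not behind a reverse proxy (otherwise REMOTE_ADDR is the proxy's address).

```php
<?php
// Added example (not from the thread): allow the login page only from company IP ranges.
// Assumes PHP 7+ and no reverse proxy in front of the web server.
// The ranges below are constructed placeholders (RFC 5737 documentation addresses).
$allowed_ranges = [
    '192.0.2.0/24',      // placeholder: head-office egress block
    '198.51.100.16/28',  // placeholder: branch-office block
    '203.0.113.7/32',    // placeholder: single VPN gateway address
];

// True when dotted-quad $ip lies inside $cidr ("a.b.c.d/n").  Compares via XOR and a
// right shift rather than a 32-bit mask, so it behaves the same on 32- and 64-bit PHP.
function ip_in_cidr(string $ip, string $cidr): bool {
    if (strpos($cidr, '/') === false) {
        $cidr .= '/32';                       // a bare address means a single host
    }
    list($subnet, $bits) = explode('/', $cidr, 2);
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false || !ctype_digit($bits)) {
        return false;                         // malformed input never matches
    }
    $bits = (int) $bits;
    if ($bits > 32) {
        return false;
    }
    if ($bits === 0) {
        return true;                          // /0 matches every address
    }
    // The shift discards the host bits; equal network bits leave zero.
    return (($ipLong ^ $subnetLong) >> (32 - $bits)) === 0;
}

function ip_allowed(string $ip, array $ranges): bool {
    foreach ($ranges as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Use the TCP peer address.  X-Forwarded-For is supplied by the client and is trivially
// forged, so read it only when a reverse proxy you control overwrites it.
$client_ip = $_SERVER['REMOTE_ADDR'] ?? '';

if (!ip_allowed($client_ip, $allowed_ranges)) {
    http_response_code(403);
    exit('User is not authenticated to login since their IP address is: ' . htmlspecialchars($client_ip));
}
// A permitted source address only gates the page; the AD login still has to follow.
```

Source-address checks identify a network, not a person, so this belongs in front of the LDAP bind rather than in place of it.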