Integrated authentication over Intranet -- Passwordless.

Hi everyone, a bit of a strange situation here.

First, here's what the server/client situation looks like:
Server: The server is running Ubuntu, Apache, MySQL, and PHP. Access is LOCAL to its subnet only.
Client: While never exactly the same, they will be between versions of Windows 2000 -> Windows 7. Most of them will be using IE6 or later (there is a very small portion expected outside of IE use, nearly 0%, sad I know :( ). They are all connecting to a Windows domain via LDAP.

Anyway, what I need to do is find a way for our clients to be automatically logged into the system when they come back.

We can't always rely on IP of the client as they may have a dynamic IP configuration.
We can't set one cookie and forget about it forever, as often they have techs remote login and their list of processes to fix things is "First, clear the cookies." Meaning, we can't use cookies.

I looked into Integrated Windows Authentication, but it looks like users still need to type in a password (never mind the lack of support out there for running NTLM protocols on LAMP), so I don't believe this is a method either.

I also thought about having a Windows PowerShell or VBS/other script run as a login script and query the server for a new cookie and set it on each login. The only problem I see with this is that I've now coded a backdoor into my otherwise secure system (which I really do not like).

The accepted solution goes to whoever can provide me with a method that allows someone to log in by somehow joining the security from logging into their desktops (LDAP).

Thanks!
brian-jg (LVL 2) asked:

brian-jg (Author) commented:
I'm starting to think this isn't possible without some form of VPN script on domain login and browser extension, or Java Applet. None of which are realistic for the project.
0
TobiasHolm commented:
Hi!

Maybe this Apache mod can be of use? It generates tokens to keep track of users.
Ref: http://code.google.com/p/mod-auth-token/

Regards, Tobias
0
brian-jg (Author) commented:
That's as secure as using something like ?token=43eaf9c5.

We would never be able to use something like that.
0
TobiasHolm commented:
Then maybe you could use an Apache module that implements SPNEGO?
Ref: http://onlamp.com/pub/a/onlamp/2003/09/11/kerberos.html

Regards, Tobias
0
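With SPNEGO, the browser presents the user's existing Kerberos ticket (Internet Explorer does this automatically for sites in the Intranet zone), so Apache can authenticate the request without a password prompt and hand the principal to PHP in REMOTE_USER. What the application must still do is decide when to trust that value. The PHP below is an added example, not code from this thread or from any Apache module; it assumes Apache has already been configured with a Kerberos module (mod_auth_kerb-style directives such as AuthType Kerberos, KrbMethodNegotiate On, KrbMethodK5Passwd Off, Krb5Keytab, KrbAuthRealms and Require valid-user), and the realm name CORP.EXAMPLE and the "Negotiate" auth-type string are assumptions to check against your own module.

```php
<?php
// Added example: consuming a SPNEGO/Kerberos identity in PHP behind Apache.
// Assumes the Kerberos module has authenticated the request and populated
// REMOTE_USER with "user@REALM". The realm below is a constructed value.

const EXPECTED_REALM = 'CORP.EXAMPLE';   // assumption: your domain's Kerberos realm

/**
 * Validate the principal the web server supplied and return the bare
 * username, or null if the request was not authenticated as expected.
 */
function kerberosUser(array $server, string $expectedRealm = EXPECTED_REALM): ?string
{
    // Only trust REMOTE_USER when the web server set it via ticket-based
    // Negotiate. mod_auth_kerb reports 'Negotiate' for ticket logins and
    // 'Basic' for password fallback; verify the value for your module.
    if (($server['AUTH_TYPE'] ?? '') !== 'Negotiate') {
        return null;
    }

    $principal = $server['REMOTE_USER'] ?? '';

    // Expect exactly one "user@REALM"; reject anything with extra '@', '/'
    // or whitespace so a malformed principal cannot become a username.
    if (!preg_match('/^([a-z0-9._-]+)@([a-z0-9.-]+)$/i', $principal, $m)) {
        return null;
    }

    // Realm must match exactly (case-sensitive): a ticket from a trusted
    // foreign realm is still not one of our domain users.
    if ($m[2] !== $expectedRealm) {
        return null;
    }

    return strtolower($m[1]);
}

/**
 * Bind the authenticated username to a PHP session. A fresh session id is
 * issued whenever the identity changes, so a pre-set cookie cannot be fixed
 * to someone else's login.
 */
function startSessionFor(string $user): void
{
    session_start();
    if (($_SESSION['user'] ?? null) !== $user) {
        session_regenerate_id(true);
        $_SESSION = ['user' => $user, 'authenticated_at' => time()];
    }
}

$user = kerberosUser($_SERVER);
if ($user === null) {
    http_response_code(403);
    exit('Kerberos (Negotiate) authentication required');
}
startSessionFor($user);
echo 'Logged in as ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

Because the identity arrives on every request from the ticket rather than from a long-lived cookie, a tech clearing the browser's cookies only drops the PHP session; the next page load re-authenticates from the desktop login and a new session is created. The AUTH_TYPE check matters most when PHP runs behind a proxy or FastCGI, where a REMOTE_USER value could otherwise be forwarded without Apache having validated a ticket.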

brian-jg (Author) commented:
This is something I hadn't thought of. I intend to just have LDAP run behind basic auth instead of using NTLM.
0