Cesar Aracena

How can I configure IIS to show logged in users with PHP?

Hello,

I'm testing a website in my company's intranet and would like to enable the "Single Sign-on Authentication" method for computers in the domain but also let users log in with their company usernames and passwords when accessing the site from outside the domain (using LDAP).

They provided me with a Microsoft Server 2016 with Internet Information Server 10 and PHP 7.3.

Currently I've enabled "Windows Authentication" for the site but also "Anonymous Authentication" in IIS. This was because with only Windows Authentication, the website gave an error when trying to navigate into it. The problem now is that the PHP server variables do not show the AUTH_USER for the company's domain users, which needs only Windows Authentication to be enabled.

How can I configure all of this? What would be the best configuration/scenario to use?

Thanks in advance,

Cesar
Paul MacDonald

For a visitor already on the private network, you can transparently determine if they're logged in to the domain.  

For a visitor outside the private network, they'll have to log in at some point to authenticate to the domain.  

You've discovered you don't want this to happen when a visitor gets to the index page, so set the permissions for that page (or some subset of pages) to allow anonymous access, then set the rest of the site to require Windows Authentication.  Anyone casually browsing the Intranet site will be able to see pages without logging in, but anyone trying to get to the "employees only" area will have to log in with valid credentials.
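
The split Paul describes, sketched as a site-level web.config. This is an added example, not part of the original answer; the folder name `secure` for the "employees only" area is an assumption.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- web.config in the site root. Added example; "secure" is a hypothetical
     folder name for the employees-only area. -->
<configuration>
  <!-- Site default: public pages (index, custom login form) are served
       anonymously. IIS never challenges the browser here, so PHP sees an
       empty $_SERVER['AUTH_USER'] even for domain-joined clients. -->
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" />
        <windowsAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>

  <!-- Employees-only area: Anonymous off, Windows on. IIS answers
       unauthenticated requests with 401 and a Negotiate/NTLM challenge;
       once the client authenticates, PHP scripts under /secure receive
       the account name in $_SERVER['AUTH_USER']. -->
  <location path="secure">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
```

On a default IIS install these authentication sections are locked at server level, so a site web.config that sets them fails with a 500.19 configuration error until the server admin unlocks the sections or places the same `<location>` blocks in applicationHost.config.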
Cesar Aracena (ASKER)

Hi Paul, thanks for your input.

I didn't know I could set different types of IIS logins for different pages. The only thing I can't imagine is how to make my site (let's say a redirector index page) send visitors to either the protected part (for visitors within the network) or to my custom login page (visitors outside the network) which, at some point, will work with LDAP.

In that scenario, I would have to make a page that detects which kind of visitor is making the request and for that, both Windows Authentication and Anonymous Authentication should be used, which doesn't work.

Unless I could make a script that runs with Windows Authentication that determines that, but... won't it halt the process if the user is anonymous with a 500 error page or something like that?

I'm trying to consider every scenario before I bother the Servers' Admin to make some tests.

Thanks again.
ASKER CERTIFIED SOLUTION
Paul MacDonald