none
Windows Authentication with Credentials in the PHP

    Question

  • I'm trying to set up a multi-user webserver that ties into a multi-user SQL Server. Each of the users has a domain account (the passwords are sent to a trusted kerberos realm which does the authenticating), and each user also has their own database that they have permission to. The SQL Server is set up with mixed authentication, but if we could use only Windows Authentication, that'd be great. (Specifically, this is for an education institution where each user is either a faculty member or a student. The students only have permission to their own database, or possibly a group database, and the faculty only has permission to the databases that their students are using. All users know their Windows credentials, but very few remember their SQL credentials, which is why I'm here now.)

    The problem is that for each user to be able to use PHP and also use SQL Server Management Studio, they need 2 separate accounts in SQL, one for Windows Auth, and one for SQL Auth, which is only used by PHP. The easiest solution that I know of is to somehow get PHP to send their Windows credentials, and get SQL to authorize them. Ideally, that would all be done through PHP, and each user could enter in their code:

    sqlsrv_connect('server' => 'servername', 'database' => 'mydb', 'uid' => 'mywindowsusername', 'pwd' => 'mywindowspassword');

    Anybody have any ideas?

    Omatsei
    Tuesday, April 28, 2009 6:57 PM

Answers

  • Omatsei,

    There is some helpful information about configuring PHP on IIS using FastCGI so that the PHP process impersonates the current user in the following article:
    http://learn.iis.net/page.aspx/246/using-fastcgi-to-host-php-applications-on-iis-70/

    Specifically, see the section on "Install and Configure PHP" for the FastCGI setting, as well as the "Enabling per-site PHP configuration" section to understand how you can have some applications impersonate users and some not.

    I hope this information proves helpful.

    David Sceppa
    Program Manager - SQL Server Driver for PHP
    • Marked as answer by David Sceppa Monday, May 04, 2009 5:10 PM
    Monday, May 04, 2009 5:10 PM

All replies

  • Omatsei,

    The UID and PWD connection attributes are for SQL Server Authentication.  You can not use those attributes to ask SQL Server to verify the corresponding Windows user's credentials.

    I'm following up with a couple people to see if there's an IIS, FastCGI or PHP setting that would allow the PHP process to impersonate the user to use Windows authentication when logging into SQL Server.

    David Sceppa
    Program Manager - SQL Server Driver for PHP
    Wednesday, April 29, 2009 7:04 PM
  • Omatsei,

    There is some helpful information about configuring PHP on IIS using FastCGI so that the PHP process impersonates the current user in the following article:
    http://learn.iis.net/page.aspx/246/using-fastcgi-to-host-php-applications-on-iis-70/

    Specifically, see the section on "Install and Configure PHP" for the FastCGI setting, as well as the "Enabling per-site PHP configuration" section to understand how you can have some applications impersonate users and some not.

    I hope this information proves helpful.

    David Sceppa
    Program Manager - SQL Server Driver for PHP
    • Marked as answer by David Sceppa Monday, May 04, 2009 5:10 PM
    Monday, May 04, 2009 5:10 PM