Constrained delegation issue with IIS 6.0 and php

  • Question

  • User947360655 posted

    Hi, I’m having a somewhat complex problem with Kerberos delegation and PHP.  I'm getting the furthest using the CGI version of PHP, but I thought I'd post the question here since this is so tied to IIS.  I'm running PHP CGI version 4.3.8.8 under IIS6.  The PHP application needs to forward the user’s credentials to SQL Server running on a separate machine.  I’m able to get this to work using the php CGI program and setting up “Normal” delegation in Active Directory.  The customer, however, requires constrained delegation to be used.  This requirement is due to the initial login with Secure Channel and the need to transition to Kerberos, an option only supported under constrained delegation.


    I’ve been able to get an ASP script to work with constrained delegation.  In Active Directory we set delegation for the IIS machine to “Trust this computer for delegation to specified services only” and select the option “Use any application protocol”.  We then specify the SPN for MSSQLServer. 


    However, with the same settings in AD, PHP returns the error “Login failed for user ‘(null)’.  Reason:  Not associated with a trusted SQL Server connection.”.  This is an ODBC connection.


    Because normal, non-constrained, delegation works with PHP, it seems possible to get constrained delegation to work, but I’ve had no luck yet.  I’ve tried the PHP ISAPI extension, which had problems with our applications.  FastCGI did not impersonate the user at all.


    Any ideas?  Will there be, or is there, support for constrained delegation with any of the PHP variants?


    Thanks! Kevin

    Monday, April 2, 2007 6:05 PM

All replies

  • User-679828332 posted

    Hi Kevin,

    AJ and I just got constrained delegation working.

    Configuration: WS03 AD, WS03 + SQL2005 SQL Server, IIS7 + TP2 web server

    Changes we made to php.ini:

    fastcgi.impersonate = 1
    mssql.secure_connection = On
    extension_dir = d:\php\ext
    extension=php_mssql.dll

    We also needed to enable named pipes in SQL Server.

    We found this script useful for debugging:

    <?php
    echo get_current_user();
    ?>

    Cheerz,

    Rick.

    Wednesday, April 4, 2007 9:57 PM
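    The error in the original question, “Login failed for user ‘(null)’ … Not associated with a trusted SQL Server connection”, is what SQL Server reports when the connection arrives without a usable Windows identity, which for a delegated second hop usually means the PHP worker was not impersonating, or IIS authenticated the browser with NTLM instead of Kerberos (NTLM tokens cannot be delegated). The script below is an added diagnostic, not code from this thread or from the PHP project. It checks each hop in turn: what IIS authenticated, what token the PHP worker thread is running under (get_current_user() on Windows calls GetUserName, so it reflects the impersonation token, which is why Rick's one-liner works), and what identity and authentication scheme SQL Server actually sees for the session. It assumes PHP 5.2 as FastCGI under IIS with fastcgi.impersonate = 1 and Windows authentication enabled, the ODBC extension, SQL Server 2005 (sys.dm_exec_connections) reached through the “SQL Native Client” driver, and a placeholder server name SQLHOST; the Windows user needs VIEW SERVER STATE to read auth_scheme.

```php
<?php
// Added delegation diagnostic. Assumptions: IIS + FastCGI with fastcgi.impersonate = 1,
// Windows authentication on the site, PHP ODBC extension, SQL Server 2005 reachable
// via the "SQL Native Client" driver on the placeholder host SQLHOST.
header('Content-Type: text/plain');

// Hop 1: what IIS authenticated. AUTH_TYPE must be "Negotiate" (Kerberos); an NTLM
// token cannot be forwarded by constrained delegation.
$iisUser  = isset($_SERVER['LOGON_USER']) ? $_SERVER['LOGON_USER'] : '(anonymous)';
$authType = isset($_SERVER['AUTH_TYPE'])  ? $_SERVER['AUTH_TYPE']  : '(none)';
echo "IIS LOGON_USER : $iisUser\n";
echo "IIS AUTH_TYPE  : $authType\n";

// Hop 2: the token the PHP worker thread is running under. On Windows this is
// GetUserName(), so it shows the impersonated user when impersonation is on and the
// application pool identity when it is not.
$workerUser = get_current_user();
echo "Worker token   : $workerUser\n";

// Hop 3: a trusted (Windows-authenticated) ODBC connection to SQL Server, then ask
// SQL Server which login it sees and whether that login arrived via Kerberos.
$dsn  = 'Driver={SQL Native Client};Server=SQLHOST;Database=master;Trusted_Connection=yes;';
$conn = @odbc_connect($dsn, '', '');
if ($conn === false) {
    echo "ODBC connect failed: " . odbc_errormsg() . "\n";
    echo "RESULT: no Windows identity reached SQL Server (check impersonation and SPNs)\n";
    exit;
}

$sql = "SELECT SUSER_SNAME() AS sql_login, c.auth_scheme
        FROM sys.dm_exec_connections AS c
        WHERE c.session_id = @@SPID";
$rs = odbc_exec($conn, $sql);
if ($rs === false) {
    echo "Query failed: " . odbc_errormsg($conn) . "\n";
} else {
    $row = odbc_fetch_array($rs);
    echo "SQL sees login : " . $row['sql_login'] . "\n";
    echo "SQL auth scheme: " . $row['auth_scheme'] . "\n";

    // Delegation worked only if SQL Server sees the browser user (not the app pool
    // account) and the scheme is KERBEROS; NTLM here means the second hop fell back.
    $delegated = (strcasecmp($row['sql_login'], $iisUser) === 0)
              && (strtoupper($row['auth_scheme']) === 'KERBEROS');
    echo $delegated
        ? "RESULT: constrained delegation OK\n"
        : "RESULT: delegation NOT working (verify the SQL service SPN and the AD delegation list)\n";
}
odbc_close($conn);
?>
```

    Reading the three identities side by side tells you which hop failed: if the worker token already shows the application pool account, php.ini impersonation is not in effect; if the worker token is correct but SQL Server reports NTLM or the pool account, the SPN or the AD “delegate to specified services” list for the IIS machine is the place to look.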
  • User947360655 posted

    Thanks for the response Rick!  What version of php were you running?

     I found that the Caraveo version of FastCGI also works with constrained delegation with some older versions of PHP 4.3.  However, the newest version of PHP 4.4 does not work.  An exception occurs in php.exe.

    I'll do some additional testing with the Microsoft fastCGI program.  From what I can tell, PHP 5.2 will be required for impersonation to work with the Microsoft fastCGI.

     Thanks, Kevin

    Friday, April 13, 2007 1:52 PM
  • User-679828332 posted

    Hi Kevin,

    We used PHP 5.2.1

    Cheerz,

    Rick.

    Friday, April 13, 2007 1:56 PM
  • User-679828332 posted

    Hi Kevin,

    Luckily we still had all the machines setup, so we tried latest release and latest snap of PHP 4. We can't get impersonation to work on either of them. I've started some mail threads, so hopefully we can get this resolved ..

    Thanks again for reporting this.

    Rick.

    Friday, April 13, 2007 2:53 PM
  • User-679828332 posted

    Hi Kevin,

    Dmitry got his compiler out this weekend and seems to have PHP 4 impersonation working. Could you try:

    http://snaps.php.net/win32/php4-win32-STABLE-200704231030.zip

    Thanks,

    Rick.

    Monday, April 23, 2007 1:23 PM
  • User2020642139 posted

    This is great news. Hope to get this working asap!

    Monday, April 23, 2007 5:57 PM
  • User947360655 posted

    Hi Rick.  Could you post that zip file again?

     Thanks! Kevin

    Friday, April 27, 2007 4:57 PM
  • User-679828332 posted

    Hi Kevin,

    Go to http://snaps.php.net and grab the latest win32 stable build. They're time stamped, and each newer one theoretically has all the fixes of the previous ones :-)

    Cheerz,

    Rick.

    Friday, April 27, 2007 5:29 PM