Re: Capturing Windows Login Name

Hello,

on 02/03/2008 04:20 PM Jerry Stuckle said the following:
I know it is not possible to get Windows login name using PHP
because
it is a server-side script, but I dunno whether anyone has tried
using
This is not accurate, the Windows logon name is passed to servers by
several browsers (not just IE) when servers ask for Windows NTLM
authentication.

You just need to configure your Web server to require Windows
authentication, and you get the current logged user logon name using
GetEnv('LOGON_USER'); .

Forget Javascript, it would never work.

And which browsers are these? I want to ensure they are never
installed
on my system. Such operation would be a tremendous breach of
security.
Internet Explorer and Firefox support NTLM. Maybe other browser

NTLM is an authentication protocol. The client (the browser) does not
send passwords to the server. There is nothing insecure about this. The
browsers just send the hashed passwords to the server. The server just
compares hashes and tells if what the browser sent was correct.

Wrong. Access to my computer consists of logon id plus password. It is
none of your business what my logon id is. And it is a security
exposure.

You are missing the point. I am not arguing with you. I am telling you
how it works. NTLM is an authentication protocol that is used in
Intranets, not in the general Internet.

If you access an Intranet Web server that requires that you have
authorization in the Windows network, you have to authenticate. If your
browser supports NTLM, it will use it, otherwise it usally falls back to
Basic authentication which is not very secure because passwords are sent
unencrypted.

NTLM is a more secure authentication protocol than Basic because
passwords are never sent to the server and it saves the users from the
annoyance of typing their user names and passwords again.

I am well aware of how it works because I implemented the SASL PHP
library, that among other protocols supports NTLM.

http://www.phpclasses.org/sasl


So what? I'm quite aware how it works, also.

It is used by HTTP, POP3, SMTP client classes to access servers of these
protocols under Intranets that require NTLM authentication:

http://www.phpclasses.org/httpclient

http://www.phpclasses.org/pop3class

http://www.phpclasses.org/smtpclass


Gee, more of your lame classes?

I have an hard time understanding why you need to be so hostile and
depart to personal insult against a person that did nothing against you.

I just presented examples on which NTLM authentication is used. I do not
use Windows. I just use Linux, but I studied NTLM and other
authentication protocols in depth to add support to them by request of
the users of those classes.

It is not really relevant, but those classes are quite popular and well
rated as you may check in Freshmeat. Regardless of what you think, they
address needs of many tens of thousands of PHP developers.

Seeing you calling them lame, I assume that you either do not know the
classes and/or just want again to turn a pure technical thread into a
personal attack full of free insults from your part.

Anyway, if trying to insult me is your intention, nevermind, I am not
going to follow-up. If you insist with the insulting tone, rest assured
that I will leave you talking to the walls.


If the authentication succeeds, the server allows the access of
whatever
page (including PHP scripts).

This is a multi-step protocol. The user name is only passed to the
server in the last step, if the previous steps succeed.

The idea is to not make the user enter the same password again to
access
a site under the same Windows controller domain, after he has logon on
his Windows machine account that belongs to the same Windows domain.

But it cannot be done by any website to any computer with no control by
the user.

I never said it could.



You intimated that any browser would pass along your logon name to any
website which requested it. And I'm saying this is NOT the case.

No, if you read me again you may notice that I explained "This is a
multi-step protocol. The user name is only passed to the server in the
last step, if the previous steps succeed."


If you're so well aware of how it works, you need to learn to express
yourself better.

Or maybe you need to "put that gun down" and start reading properly to
what people are saying and not make wrong assumptions and departing to
personal insult.

--

Regards,
Manuel Lemos

PHP professionals looking for PHP jobs
http://www.phpclasses.org/professionals/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/
.

Relevant Pages

  • RE: Beginners Questions
    ... We do use Windows form on the presentation layer which is on ... terminal server and call web services on the business logic side. ... of using "proxy" authentication on SQL Server. ... > I have written an app with a Windows Forms UI that is deployed to clients ...
    (microsoft.public.dotnet.distributed_apps)
  • Re: Integrated Windows Authentication Timeout?
    ... Do you see anything different for the NTLM requests? ... You might consider enabling protocol transition authentication since you are ... Joe Kaplan-MS MVP Directory Services Programming ... server. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Need help configuring Wireless Connection profile
    ... and I can only use the intel OR windows utility, not both at the same time. ... Windows authentication for all users,4129,LRG\ryanv,4149,Wireless WPA2 ... SMALL BUSINESS SERVER: ... STEP #1 Install Certificate Services ...
    (microsoft.public.windowsxp.general)
  • Re: EAP-TLS with windows CE
    ... The AP was sending out an Identity Request every second, ... request to the identification server. ... When the server asks the Windows CE device to identify itself, ... I could easily steal your authentication information. ...
    (microsoft.public.windowsce.platbuilder)
  • Re: server authentication & ASP authentication
    ... on to the client workstation with an authorized Windows account. ... SQL Server with Windows authentication. ...
    (microsoft.public.sqlserver.security)