IIS proxy to Apache with passing domain authentication howto

our clien开发者_如何学运维t has intranet running on Linux (Apache, PHP). Authorization is provided by login dialog, session in PHP.

Customer requires to not ask for password from windows computer logged onto their domain, but to use username/password of logged on user.

Colaboration with apache ldpap is out of scope, due their security reasons.

Solution is to use ISS on dedicated computer as transparent proxy with rewrite to apache linux server running intranet, but with proxy passing authentication information (login, password) to apache server.

Is this solution possible to realize? If so, please give me advice.

Thank you in advance

---

I am assuming the reason why Apache with LDAP is out of scope is that the username/password is handled by the PHP application. This assumption some from the use of the login dialog.

Based on this assumption, a proxy solution that forwards passwords has some problems in that you're basically authenticating between two domains. It would likely be infeasible to sync passwords between the two domains. You'd have problems where new users have to wait for the sync to happen before they can access the application. Password changes would also cause login issues until the sync is performed. You also have problems getting the actual password too....

The way the domain authentication works is that Internet Explorer specifically will try to authenticate with a remote site if the initial request results in a challenge. This can be NTLM, Basic authentication, or whatever; the point is, the credential exchange is handled with HTTP headers and challenge/response by the web server. By the time the web application is executed on IIS, an LDAP verification has been performed by the web server and the application only knows the name of the user but not the password. (In cases where NTLM is used, the password is actually never exchanged in the challenge/response handshake. The client side demonstrates it knows the correct password via the challenge/response.)

Probably the only way you're going to be able to do this is to have the IIS application verify the user via LDAP, and then lookup that user's credentials from the PHP application. How you map the Windows domain user to the user in the PHP app is probably via Domain\Username. Instead of proxying, the app can encrypt the username/password and pass the encrypted payload as a request parameter to the application using a redirect. The user logs in, the response redirects them to the PHP app via a URL that has the encrypted payload appended as a parameter.

The encryption could be done via shared secret between the .Net app and the PHP app. A better solution would be to encrypt it with the public key of the PHP app's SSL certificate. This way the key gets changed periodically and you don't have to update a shared secret on both sides.

You probably also want to include a timestamp in the encrypted payload to make sure that the redirect login is only valid for a certain period of time. You'll have to keep the payload small too so that the redirect URL doesn't exceed the maximum size that the browser can handle.