Re: [PHP-DB] Integrated Authentication on IIS 6.0

2005-05-23 Thread tg-php
Maybe I'm not understanding the situation properly, because I can't see why you 
would have had it working under IIS5 if your configuration is how I think it is.

Integrated authentication basically allows a workstation that's logged into a 
domain to automatically pass its credentials from the workstation to the 
domain.

Using this, you can get the currently logged in userid via server variables 
from IIS into PHP.

But you never get the user's password or are able to get anything into PHP that 
will automatically connect you to a database or other trusted data source.   If 
you connect to a web server and PHP on that server creates a connection to a 
database, then PHP needs to send login credentials (either hardcoded, pulled 
from another database based on the user's ID or something, or provided by the 
user via a web form).  I don't believe you can have PHP create a connection 
based on integrated authentication because PHP is sort of outside the whole 
windows security scheme.

You could configure the database to accept a connection from the PHP server's 
IP address and nowhere else and hardcode a password into PHP, or do other 
things like that.

Again, maybe I'm mis-assuming what your configuration is.  Mind giving us more 
detail on the process you're trying to fix?   User connects to web server, web 
server makes ODBC connection (by what means?), etc.

-TG

= = = Original message = = =

Hi,

I have an intranet application that I wrote in PHP that has worked great
for a long time. It uses integrated authentication in IIS. I'm trying to
migrate to IIS 6 and things are mostly working. The problem I have is
that my ODBC_CONNECT calls are now resulting in: Login failed for user
'(null)'. Reason: Not associated with a trusted SQL Server connection..
What it seems to tell me is it is correctly trying to make an integrated
auth connection to the database, but for some reason the current user's
credentials aren't being passed? Does anyone have insight into this?

Thanks!
 Ryan

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


___
Sent by ePrompter, the premier email notification software.
Free download at http://www.ePrompter.com.




RE: [PHP-DB] Integrated Authentication on IIS 6.0

2005-05-23 Thread Ryan Jameson (USA)
Thanks for the response!

Yes, believe it or not it does work, or at least did on IIS 5. When I
turn on Integrated Security on the web server it causes PHP to run as
the user logged in instead of the Anonymous user. Then calling
odbc_connect with a blank username/password combination in cooperation
with a system DSN configured to use Windows Authentication caused the
connection to be made via the individual user's Windows credentials.
This behavior is alluded to in a note on the php site from flo:


If you don't want to specify your login credentials on your web server,
you can leave the login fields blank to use the integrated windows
security like here: 

odbc_connect("DSN=DataSource", "", "");

Make sure you have switched your system dsn to integrated security, too!

(works on windows machines only, of course) 


My intranet application relies on this ability. My working production
server is IIS 5 on Advanced Server 2000 with PHP 5.04. My new server is
IIS 6 on Windows 2003 Server with PHP 5.04. Both are operating in ISAPI
mode. $AUTH_USER does report correctly the authenticated user on both
systems, but a call to odbc_connect on the new system gives this error:

Warning: odbc_connect() [function.odbc-connect]: SQL error:
[Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user
'(null)'. Reason: Not associated with a trusted SQL Server connection.,
SQL state 28000 in SQLConnect in testOdbc.php on line 3

For some reason odbc_connect on IIS 6.0 is not acting the same as it is
on IIS 5. I'm pretty sure it's a configuration problem, I just can't
find it. :-\

 Ryan





RE: [PHP-DB] Integrated Authentication on IIS 6.0

2005-05-23 Thread tg-php
Ahh.. ok..  I was mostly doing DSNless connections.

You might want to look into the setup for your ODBC source called Datasource 
in your example below.  That might be what's actually passing the 
authentication, not PHP itself.  PHP makes a call to the local ODBC source 
which in turn actually handles the connection.

Don't know if that helps, but that's the next place I'd check, unless someone 
else has better insight.

-TG




RE: [PHP-DB] Integrated Authentication on IIS 6.0

2005-05-23 Thread Ryan Jameson (USA)
Here's an update. Running from a command prompt everything works fine.
Again, in ISAPI mode on IIS 6 this does not work. I just tested CGI mode
with an identical result as ISAPI mode.

Here's the code that will generate the warning and fail to connect:

<?PHP
echo "HERE: $AUTH_USER";
$con = odbc_connect("mySystemDSN",$uname,$upass);
?>

mySystemDSN is a system DSN with "With Windows NT authentication using
the network login ID." selected. This works on IIS 5.

 Ryan


RE: [PHP-DB] Integrated Authentication on IIS 6.0

2005-05-23 Thread Ryan Jameson (USA)
Well, isn't it always a minor detail that makes the difference? This
problem occurred because part of my upgrade included separating IIS and
my SQL server. Well, guess what, good ole' Microsoft has included a
feature that will not allow credentials to be passed from IIS to SQL
if SQL is on a different machine. DOAH! It's called the 2 hop issue and
is a problem even for their loyal ASP developers. 

Anyway apparently there are 3 solutions:

1. Set up a complex Kerberos delegation configuration based on a lengthy
article from Microsnot and cross your fingers.
2. Install SQL server on your IIS machine.
3. Don't use integrated authentication.

ALL of my permissions are set up based on a domain user group. Access to
the system was added by putting a user in that group. It was a beautiful
thing until this doozy appeared. :-\

Thanks anyway. No wonder there wasn't much response.

 Ryan 
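
A diagnostic sketch for the symptom discussed in this thread, added here as an example and not code from any of the posters: it reports what IIS authenticated, attempts the trusted ODBC connection with blank credentials, and classifies the failure text. The DSN name mySystemDSN is taken from the thread; the function names, the sample account EXAMPLE\jdoe and the PHP 7+ syntax are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ with ext/odbc.
// Serve it through IIS with integrated authentication switched on; a
// command-prompt run uses the console user's own logon and hides the problem.

/** Classify the text of a failed trusted-connection login. */
function classify_login_failure(string $msg): string
{
    if (!preg_match("/Login failed for user '([^']*)'/i", $msg, $m)) {
        return 'other';               // not a login failure
    }
    $who = strtoupper($m[1]);
    // '(null)' is the wording quoted in the thread; newer SQL Server
    // versions report the same condition as NT AUTHORITY\ANONYMOUS LOGON.
    if ($who === '(NULL)' || $who === 'NT AUTHORITY\\ANONYMOUS LOGON') {
        return 'no-identity';         // hop to SQL Server carried no user identity
    }
    return 'identity-rejected';       // user arrived, SQL Server refused the login
}

/** Report what IIS authenticated and what the trusted connection did. */
function diagnose(array $server, string $dsn): array
{
    $report = [
        'auth_type' => $server['AUTH_TYPE'] ?? '(none)',
        'auth_user' => $server['AUTH_USER'] ?? '(none)',
        'result'    => 'connected',
        'detail'    => '',
    ];
    // Blank user and password: the DSN's Windows authentication setting decides.
    $con = @odbc_connect($dsn, '', '');
    if ($con === false) {
        $report['detail'] = odbc_errormsg();
        $report['result'] = classify_login_failure($report['detail']);
    } else {
        odbc_close($con);
    }
    return $report;
}

if (PHP_SAPI === 'cli') {
    // Offline check of the classifier. The first sample is the message from
    // the thread; the other two are constructed for illustration.
    $samples = [
        "[SQL Server]Login failed for user '(null)'. Reason: Not associated with a trusted SQL Server connection.",
        "[SQL Server]Login failed for user 'NT AUTHORITY\\ANONYMOUS LOGON'.",
        "[SQL Server]Login failed for user 'EXAMPLE\\jdoe'.",
    ];
    foreach ($samples as $s) {
        echo classify_login_failure($s), "\n";
    }
} else {
    header('Content-Type: text/plain');   // plain text: nothing is rendered as HTML
    foreach (diagnose($_SERVER, 'mySystemDSN') as $key => $value) {
        echo $key, ': ', $value, "\n";
    }
}
```

A `no-identity` result while `auth_user` shows the expected account matches the situation in the final message: IIS knows who the user is, but the connection to SQL Server on the other machine arrives without that identity.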
