Windows authentication to SQL Server via IIS and PHP
Solution 1
This is very probably a delegation issue. Although the client will authenticate with your IIS server using their domain credentials, it will not be trusted for delegation to access network resources.
This has a good explanation of the issue. Also see here
Solution 2
A few ways to skin this, but basically the trick is to make the PHP process run in the right context.
If you are already running as NETWORK SERVICE then you can get the machine account added to the database server; the username is DOMAIN\COMPUTERNAME$.
You could also configure the application pool to use a different named user if that is easier.
Configuring PHP to impersonate probably won't help here unless the requirement is to have users pass-through authenticate against the database.
Related videos on Youtube
08 : 08
08 : 01
02 : 09
14 : 14
12 : 04
Jeff
Updated on September 18, 2022Comments
-
Jeff over 1 year
We're running a PHP 5.4 application on Server 2008 R2. We would like to connect to a SQL Server 2008 database, on a separate server, using Windows authentication (must be Windows authentication--the DB admins won't let us connect any other way). I have downloaded the SQL Server drivers for PHP and installed them. IIS is configured for Windows authentication, and anonymous authentication has been disabled. $_SERVER['AUTH_USER'] reports our currently logged on Windows account. In php.ini, we have set fastcgi.impersonate = 1.
When we setup a connection using the following code from Microsoft:
$serverName = "sqlserver\sqlserver"; $connectionInfo = array( "Database"=>"some_db"); /* Connect using Windows Authentication. */ $conn = sqlsrv_connect( $serverName, $connectionInfo); if( $conn === false ) { echo "Unable to connect.</br>"; die( print_r( sqlsrv_errors(), true)); }We are presented with the following error message:
Unable to connect. Array ( [0] => Array ( [0] => 28000 [SQLSTATE] => 28000 [1] => 18456 [code] => 18456 [2] => [Microsoft][SQL Server Native Client 11.0][SQL Server]Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. [message] => [Microsoft][SQL Server Native Client 11.0][SQL Server]Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. )Is it possible to connect to SQL Server 2008 via PHP using Windows authentication? Are there any additional required settings we need to make on IIS, SQL Server, or any other component (like a domain controller)?
-
Chris McKeown almost 12 yearsSince you ask about the need for a domain controller, are the machines currently in a workgroup?
-
Jeff almost 12 yearsNo--everything is on a Windows domain.
-
Chris McKeown almost 12 yearsI think this is probably a delegation of rights issue. Although you're authenticating with the IIS server using your Windows login, that probably won't have the rights to hop over the network using those credentials. I'm not putting this in an answer though since I'm not certain about this.
-
Chris McKeown almost 12 yearsActually, I'm fairly certain this is what you're seeing, I'll put an answer in.
-
-
Jeff almost 12 yearsI'm going to try this tomorrow and see if that fixes. What exactly needs to be configured for trusted delegation--the IIS server or the domain user accounts? Thanks!
-
Chris McKeown almost 12 yearsI believe the IIS server itself will need to be configured to allow delegation of credentials to backend servers. The tool referenced in my first link is probably a good place to start.
-
Chris McKeown almost 12 yearsHaving said the above, do you need to connect to the backend SQL server as the user? If your app could authenticate as the machine account (as per Wyatt's answer), would that be OK?
