使用cURL在不同主机上对当前用户进行PHP NTLM身份验证失败

Question

I'm using PHP 7.1.7 with cURL 7.54.1 on one of the servers on the local network, and due to the development requirements, I have to be able to access files stored on another local network server (PHP 4.3 or some such). Due to version requirements of some of the other components of my system, I have to keep the script on the newer server, and files it accesses on the older one. I use the following settings to pass the current NTLM user credentials from source server where this script resides to the destination server - and it's supposed to work, but somehow it doesn't:

function file_get_contents_curl($url) {
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $url);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curl, CURLOPT_HTTPAUTH, CURLAUTH_NTLM);
    curl_setopt($curl, CURLOPT_UNRESTRICTED_AUTH, TRUE);
    curl_setopt($curl, CURLOPT_USERPWD, ":");
    $data = curl_exec($curl);
    curl_close($curl);
    return $data;
}

header("Pragma: public");
header("Expires: -1");
header("Cache-Control: public, must-revalidate, post-check=0, pre-check=0");    
header('Content-Type: '.get_mime_type($fileresult['filename']));
header('Content-Disposition: attachment; filename="'.$fileresult['originalname'].'"');
$contents = file_get_contents_curl($path);
$localSize = strlen($contents);
header('Content-Length: ' . $localSize);
echo $contents;
ob_flush();
flush();
exit();

When I'm explicitly specifying my

curl_setopt($curl, CURLOPT_USERPWD, "[username]:[password]");

, it works flawlessly, but when trying to re-use existing user credentials - it fails. As an admin, I don't want to leave my credentials in the code as plain text - that's blatant security violation, and creating dummy user profile with access rights to those files would prevent the proper logging of actual user activity on the older server - which is a security concern in itself.

I found this bug report https://bugs.php.net/bug.php?id=62195 for the same issue, but it was related to completely different version of PHP (5.4.3), and I did take into consideration the developer's comments there - still no use.

Is there any curl_setopt setting that I am forgetting to set properly to make it work? Perhaps IIS server may need a certain config change to allow PHP to re-use those credentials in cURL request? Or should it work as it currently is, and my next step would be to submit a bug report to php.net?

Appreciate your help!

---

Edit:

No matter which file I request using the code above (with inherited username and password), the script returns a 1.3k file with the expected file name and extension (.PDF, .PNG or any other), but containing exactly the following:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;} 
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;} 
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} 
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
 <div class="content-container"><fieldset>
  <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
  <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
 </fieldset></div>
</div>
</body>
</html>

cURL returns no error - according to it everything is perfectly fine. When I'm explicitly specifying username and password all the returned files have their own expected unique size and contents.

Answer 1

and it's supposed to work, but somehow it doesn't

No, it's not supposed to work for different servers, as explained in the comments.

To avoid authenticating twice, which could a bit difficult to implement, and not desirable for the end-user, I have the following idea.

Maybe can you just rely on authenticating on the second server (PHP 4) only, the first server (PHP 7) not configured for asking credentials but forwarding the NTLM messages to the second server and then starting a session (cookie) when it knows the user has finally succeeded to authenticate. One side-effect is that all new sessions would start by forwarding a request to the second server. Probably you can do all that in PHP, but I didn't try myself and it costs too much time unfortunately.