访问 PHP 中 Windows 域共享驱动器上的文件

Question

I have a bunch of documents stored on a separate machine that I need to serve from a PHP/IIS server. The catch is that the document drive is on a machine that's attached to an Active Directory domain, and the webserver is not, so I'm unsure where to provide the AD user that PHP needs to authenticate with to access the drive.

I have the IIS application pool that calls PHP running as a new Windows user I created (set as the app pool's "Identity", and as the web site's Anonymous Authentication user). I've logged into the server as this new user and set up a Mapped Network Drive, but after some research I think that's a dead-end; I read that the service doesn't log into Windows in a way that loads mapped drives.

Referencing just by IP address is closer to working, except I get authenticating errors. The main solution I'm finding online is to make the app pool run as a user who has access to the drive, but I don't know if that's possible since the server isn't on that Windows domain. (But I'm also not an AD expert)

echo shell_exec('whoami'); //Outputs the name of the Windows user I created

echo scandir('\\\\192.168.1.120\\data$'); //Username/password not found
echo trim(shell_exec('dir \\\\192.168.1.120\\data$ 2>&1')); //Username or password is incorrect

echo scandir('Z:\\'); //Path not found PHP warning
echo trim(shell_exec('dir Z: 2>&1')); //Path not found

If there isn't an easy, non-hacky solution, I can see if the client can put the webserver on the AD domain, but I don't know if that'll have unforeseen side-effects on the other services this server runs.

Answer 1

About whether a Windows web server should be a member of an Active Directory domain?

If these are public facing and don't require users to be authenticated against the directory, then don't put them in the domain. However, if you need some kind of authentication or looking up information from AD, you might consider running Active Directory Application Mode (ADAM) in the DMZ. You may need to copy the relevant information from AD to the app partition as ADAM does not synchronize standard AD partitions.

Of course, If the web server is on the same network as the domain controller, it can be added to the domain to increase manageability.

Answer 2

Use cmdkey as that user to store the AD credentials:

cmdkey /add:*.ad.example.com /user:fooapp@ad.example.com /pass:lmao

(Alternatively, create an AD account – or even a local account on the fileserver – that matches the service user's username and password? Since you're accessing the fileserver by IP address, you probably don't care about disabling NTLM or doing things cleanly anyway...)