SSO with NTLM and PHP only

Question

I try to create a SSO in a Windows Domain using NTLM and no server modules with an Apache2 server on a Linux machine which is not in the Windows domain. Don't know if this is even possible. But I show you now what I've figured out and what I've to know next.

Okay first I turned on the options that my browser (IE and FF) sends the Authorization header with the NTLM data (Message type 1). This works I get a string like:

NTLMSSP²¢1 (±USERS-PCDOMAIN

But what's next? I've to send this string to the server where my AD's running right? So my server is known as SERVER1.DOMAIN and has the IP 192.168.1.14 .

With which protocol and in which way can I send now the Message Type 1 to my AD server to get the NTLM challenge message (type 2) back?

I guess I'll have to write something like this:

<?php

$fp = fsockopen("192.168.1.14", 80 /* <--- which port? */, $errno, $errstr, 30);

if (!$fp)
    die("$errstr ($errno)");

fwrite($fp, $headers['Authorization'] . "\r\n");

$ntlmChallengeData = '';

while (!feof($fp)) {
    $ntlmChallengeData .= fgets($fp, 128);
}

fclose($fp);

var_dump($ntlmChallengeData); // The challenge data

But on which port does the Windows Server respond to my NTLM data?

Answer 1

This is not possible using only PHP. Validating NTLMv2 credentials requires SecureChannel encrypted RPCs with the NETLOGON service of an Active Directory DC. It is an understatement to say that that is a difficult thing to do.

In a Linux environment your best bet would be to maybe look into the Samba "winbind" package and do the auth at the Apache level. These modules have always been a little clumsy IMO but mod_auth_kerb and mod_auth_winbind are the standard modules for this type of thing last I checked.