
PHP Apache NTLM Authentication Alternate

I need NTLM authentication to get the Windows username, which is working fine with my current function.

The only issue I face is that it hits the same page three times, which makes my access log look awkward to management (it pops up in the traffic graph), so before explaining this to them I wanted to make sure whether there is any other way to get the Windows session data (username).

Below is the current code.

// Reads an NTLM "security buffer" (2-byte length, 2-byte max length, 4-byte offset)
// starting at $start and returns the bytes it points to. UTF-16LE strings are
// reduced to ASCII by dropping the NUL bytes, as in the original code.
// Declared at file level: the original declared it inside a conditional branch of
// getSysId(), which fails with "Cannot redeclare" if that branch runs twice.
function get_msg_str1($msg, $start, $unicode = true) {
    $len = (ord($msg[$start + 1]) * 256) + ord($msg[$start]);
    $off = (ord($msg[$start + 5]) * 256) + ord($msg[$start + 4]);
    if ($unicode)
        return str_replace("\0", '', substr($msg, $off, $len));
    else
        return substr($msg, $off, $len);
}

function getSysId() {
    $headers = apache_request_headers();
    // Request 1: no Authorization header yet, ask the browser to start NTLM.
    if (!isset($headers['Authorization'])) {
        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: NTLM');
        exit;
    }
    $auth = $headers['Authorization'];
    if (substr($auth, 0, 5) == 'NTLM ') {
        $msg = base64_decode(substr($auth, 5));
        if (substr($msg, 0, 8) != "NTLMSSP\x00")
            return '';

        if ($msg[8] == "\x01") {
            // Request 2: Type 1 (negotiate) received, reply with a Type 2 challenge.
            // Note that the 8-byte server challenge is a fixed all-zero value here.
            $msg2 = "NTLMSSP\x00\x02\x00\x00\x00" .
                    "\x00\x00\x00\x00" . // target name len/alloc
                    "\x00\x00\x00\x00" . // target name offset
                    "\x01\x02\x81\x00" . // flags
                    "\x00\x00\x00\x00\x00\x00\x00\x00" . // challenge
                    "\x00\x00\x00\x00\x00\x00\x00\x00" . // context
                    "\x00\x00\x00\x00\x00\x00\x00\x00"; // target info len/alloc/offset

            header('HTTP/1.1 401 Unauthorized');
            header('WWW-Authenticate: NTLM ' . trim(base64_encode($msg2)));
            exit;
        } else if ($msg[8] == "\x03") {
            // Request 3: Type 3 (authenticate). The user name security buffer sits
            // at offset 36. The LM/NTLM responses are not validated by this
            // function, so the returned name is whatever the client sent.
            $user = get_msg_str1($msg, 36);

            return $user;
        }
    }
    return false;
}

The NTLM protocol needs two requests to authenticate an HTTP client. This means you will get at minimum 2 requests. If you have one more request, it's because the client first requests the resource without any authentication header, and it is an acceptable behaviour.

If the client requests several resources, you can use HTTP Keep-Alive in order to keep the connection open, and all requests coming further should be already authenticated.

Instead of using the whole access log, you could, as with the Apache %u field, log the user name in the log and only do your reporting with the log lines whose user name field is not empty.
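To make the three hits the answer describes concrete, here is an added Python model of the exchange (example code, not from the question or the answer): it builds the same Type 2 challenge as the PHP above, reads the Type 3 security buffers at the same offsets, and, like the PHP, returns the user name without verifying the NTLM response, so the name is client-asserted rather than authenticated. make_type3 is a constructed client message used only so the exchange runs offline.

```python
import base64
import struct

SIG = b"NTLMSSP\x00"

TYPE2 = (SIG + b"\x02\x00\x00\x00"  # Type 2 exactly as the question's PHP builds it
         + b"\x00" * 8           # target name len/maxlen/offset
         + b"\x01\x02\x81\x00"   # negotiate flags
         + b"\x00" * 8           # server challenge: static zeros here, random in a real server
         + b"\x00" * 8           # context
         + b"\x00" * 8)          # target info len/maxlen/offset

def to_header(msg):  # encode a raw NTLM message the way it travels in the HTTP headers
    return "NTLM " + base64.b64encode(msg).decode()

def _sec_buf(msg, at):  # NTLM security buffer: uint16 len, uint16 maxlen, uint32 offset
    length, _, offset = struct.unpack_from("<HHI", msg, at)
    return msg[offset:offset + length]

def parse_authorization(header):
    """Return (msg_type, fields) for an 'Authorization: NTLM <base64>' value."""
    if not header.startswith("NTLM "):
        return None, {}
    msg = base64.b64decode(header[5:])
    if msg[:8] != SIG:
        return None, {}
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    fields = {}
    if msg_type == 3:
        # Type 3 layout: LM resp @12, NT resp @20, domain @28, user @36, host @44
        for name, at in (("domain", 28), ("user", 36), ("workstation", 44)):
            fields[name] = _sec_buf(msg, at).decode("utf-16-le")
    return msg_type, fields

def handle_request(authorization):
    """Mimic getSysId(): returns (status, WWW-Authenticate value, user)."""
    msg_type, fields = parse_authorization(authorization or "")
    if msg_type == 1:                       # 2nd hit: answer with the challenge
        return 401, to_header(TYPE2), None
    if msg_type == 3:                       # 3rd hit: name is read but never verified
        return 200, None, fields["user"]
    return 401, "NTLM", None                # 1st hit: no Authorization header yet

def make_type3(domain, user, workstation):  # constructed Type 3 for offline testing
    blobs = [b"", b""] + [s.encode("utf-16-le") for s in (domain, user, workstation)]
    bufs, payload, off = [], b"", 52        # header = sig + type + 5 buffers
    for b in blobs:                         # LM resp, NT resp, domain, user, host
        bufs.append(struct.pack("<HHI", len(b), len(b), off + len(payload)))
        payload += b
    return SIG + struct.pack("<I", 3) + b"".join(bufs) + payload
```

Calling handle_request with no header, then with a Type 1, then with a Type 3 yields 401, 401, 200: the three access-log hits the question complains about, of which only the last carries a user name.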
