
php: forward ntlm credentials to curl

I have a dynamic PHP page which I need to call with a GET parameter. I then want to put the generated HTML into a string and use it later (I'm trying out the Tonic framework for web services).

So this is similar to "PHP - Read dynamically generated (and echoed) HTML into a string?" and I tried the answer that uses cURL.

The issue is that authentication is done with NTLM (Apache mod_auth_sspi). The PHP script executing cURL is already authenticated, e.g. only valid users can ever execute it. Is it somehow possible to pass on these "credentials" to cURL? (The username is available but of course not the password.)

Or a completely different approach would be fine too, but the only idea I had was to make a function that creates a string with HTML content.

$response = new Response($request);
$format = $request->mostAcceptable(array('json', 'html', 'txt'));

switch ($format) {

    case 'html':
        $response->addHeader('Content-type', 'text/html');
        $ch = curl_init();
        // URL-encode the identifier so it cannot alter the query string
        curl_setopt($ch, CURLOPT_URL, 'http://localhost/viewRecord.php?identifier=' . urlencode($identifier));
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        // NTLM is requested here, but no credentials are supplied
        curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_NTLM);
        $html = curl_exec($ch);
        curl_close($ch);
        $response->body = $html;
        break;
    //...
}

I was able to get this to work by adding the following curl options:

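// Use NTLM for HTTP authentication
curl_setopt($curly[$id], CURLOPT_HTTPAUTH, CURLAUTH_NTLM);
// Keep sending credentials after a redirect, even to a different host (only relevant with CURLOPT_FOLLOWLOCATION)
curl_setopt($curly[$id], CURLOPT_UNRESTRICTED_AUTH, true);
// Empty user name and empty password
curl_setopt($curly[$id], CURLOPT_USERPWD, ":");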

There is a bug open for this depending on the version of php: https://bugs.php.net/bug.php?id=62195

This is what worked for me:

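curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
// Allow NTLM or Basic; Basic sends the password base64-encoded, not encrypted
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_NTLM|CURLAUTH_BASIC);
// Keep sending credentials after a redirect, even to a different host
curl_setopt($ch, CURLOPT_UNRESTRICTED_AUTH, true);
// Placeholder credentials: replace with a real account
curl_setopt($ch, CURLOPT_USERPWD, "YOUR_USER:YOUR_PWD");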

The answer is simple:

This is not possible.

A workaround is to put all the files (including PHP, JavaScript and CSS) in a directory that does not require NTLM authentication.

To achieve this, one needs access to the Apache configuration; if that is not possible, the only thing you can hope for is that the Apache configuration allows overriding SSPI in .htaccess. Allow any authentication (= also none) but limit access to 127.0.0.0, since all requests come from cURL on the same server.

For authorization, you can put the data in the PHP session and pass the session cookie on to cURL, and then the session data can be used for authorization in the page called from cURL.

EDIT:

I've basically reduced NTLM usage even more. I now have 1 login page (authentication) and everything else is controlled by php session (authorization). See

Apache2, PHP: create automatic ntlm login page
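The session-cookie workaround from the answer above, sketched as an added example (not code from the original answer). The function names, the `user` session key and the use of `REMOTE_USER` as the NTLM-authenticated name are assumptions, and the callee is assumed to live in the directory that Apache serves without NTLM.

```php
<?php
// Caller side: runs behind NTLM. fetchInternalPage() and the 'user'
// session key are hypothetical names chosen for this example.
function fetchInternalPage(string $url): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Assumption: the web server exposes the authenticated name as REMOTE_USER.
    $_SESSION['user'] = $_SERVER['REMOTE_USER'] ?? '';
    $cookie = session_name() . '=' . session_id();
    // Release the session lock first; otherwise the internal request
    // waits on the same session file until cURL times out.
    session_write_close();

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_COOKIE, $cookie);
    // Do not follow redirects, so the session cookie never leaves this host.
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    $html = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);

    if ($html === false || $status !== 200) {
        throw new RuntimeException("internal request failed (HTTP $status)");
    }
    return $html;
}

// Callee side: call at the top of the page that cURL requests.
function requireInternalSession(): string
{
    // Defence in depth next to the Apache rule: loopback clients only.
    $remote = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, ['127.0.0.1', '::1'], true)) {
        http_response_code(403);
        exit;
    }
    session_start();
    // Authorization comes from the session the caller populated.
    if (empty($_SESSION['user'])) {
        http_response_code(403);
        exit;
    }
    return $_SESSION['user'];
}
```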

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

 