
I have an internal PHP app (only for the employees using the domain network) running on IIS with Anonymous Authentication.

The way users are logging in to the app is via a login form (username and password).

That’s why I disabled Windows Authentication and only enabled Anonymous Authentication.

But now there was a request to be able to save failed login attempts and the user that failed. For that I wanted to get the actual Windows user that is trying to connect.

In one of my other apps I am using Windows Authentication, so I know I can get the Windows user using PHP's `$_SERVER['AUTH_USER']`.

So, I wanted to add that ability to this app and I enabled Windows Authentication as well. However, when both Windows Authentication and Anonymous Authentication are enabled, `$_SERVER['AUTH_USER']` returns an empty string.

Then, I disabled Anonymous Authentication and voila! It showed me the Windows user. Also, the login form kept working, i.e., the user still needs to enter his username and password.

So I got confused – how does Windows Authentication work? What exactly does it authenticate? Since there is no password or anything, it just gives me the Windows username.

Do I now basically have "two layers" of authentication? The "server" level authentication via the Windows Authentication, and the "app" level authentication (the login form)? (But then again, what exactly does the Windows auth do?)

Can I safely leave the Anonymous Authentication disabled then?
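The failed-login logging the question asks for, as an added PHP example that is not part of the original question or answers. It assumes IIS is configured with Windows Authentication enabled and Anonymous Authentication disabled, so that `$_SERVER['AUTH_USER']` carries a `DOMAIN\user` value on every request; the function names, the log path and the in-memory user table are assumptions constructed for the example.

```php
<?php
// Added example, not code from the original post. Assumes IIS Windows
// Authentication is on and Anonymous Authentication is off for this site.
// windows_user(), record_failed_login(), verify_app_login(), $APP_USERS
// and the log path are all assumptions made for this example.

// Constructed sample user table: form username => password_hash() value.
// A real app would load these from its own user store.
$APP_USERS = [
    'alice' => password_hash('constructed-example-password', PASSWORD_DEFAULT),
];

// Returns the Windows account IIS authenticated, or null when it is absent.
// If Anonymous Authentication is still enabled alongside Windows
// Authentication, IIS never challenges the browser and AUTH_USER is "",
// so null here is a strong hint that the site is misconfigured.
function windows_user(): ?string
{
    $user = $_SERVER['AUTH_USER'] ?? '';
    return $user === '' ? null : $user;
}

// Checks the form credentials against the hashed password table.
function verify_app_login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        // Run a hash check anyway so timing does not reveal valid usernames.
        password_verify($password, password_hash('dummy', PASSWORD_DEFAULT));
        return false;
    }
    return password_verify($password, $users[$username]);
}

// Appends one tab-separated audit line per failed attempt. Control
// characters are stripped from attacker-controlled fields so a crafted
// username cannot forge extra log lines.
function record_failed_login(string $attemptedUsername, ?string $windowsUser, string $logFile): void
{
    $clean = static fn(string $s): string => preg_replace('/[\x00-\x1F\x7F]/', ' ', $s);
    $line = sprintf(
        "%s\tfailed_login\tform_user=%s\twindows_user=%s\tremote=%s\n",
        gmdate('c'),
        $clean($attemptedUsername),
        $windowsUser === null ? 'unknown(anonymous)' : $clean($windowsUser),
        $_SERVER['REMOTE_ADDR'] ?? '-'
    );
    file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX);
}

// Form handler: only the failure path touches the audit log.
function handle_login_form(array $users, string $logFile): bool
{
    $username = (string)($_POST['username'] ?? '');
    $password = (string)($_POST['password'] ?? '');

    if (verify_app_login($users, $username, $password)) {
        return true; // proceed to create the app session
    }
    record_failed_login($username, windows_user(), $logFile);
    return false;
}

// Assumed log location; IIS's application pool identity needs write access.
$ok = handle_login_form($APP_USERS, __DIR__ . '/logs/failed-logins.log');
```

Because IIS has already rejected any request that could not be authenticated against the domain, the `windows_user=` field tells you which domain account was sitting at the keyboard when the form password was wrong; if that field ever reads `unknown(anonymous)`, Anonymous Authentication has been re-enabled on the site and the Windows identity is no longer being collected.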

2 Answers


  1. What exactly does it authenticate…

    It ensures that the request comes from a logged-on Windows user who is valid on the same domain as the IIS server, and is not anonymous, or somehow from outside the domain. It checks their credentials against Active Directory records. You can read a lot more about it online quite easily, including in-depth explanations of the process it follows.

    In IIS you can configure a site to use Kerberos (the default) or NTLM behind the scenes to provide the actual authentication mechanism.

    Can I safely leave the Anonymous Authentication disabled then…

    Assuming you don’t need/want anyone who’s not a valid domain user to access your application, then yes.

    Do I now basically have "two layers" of authentication…

    Yes. You might want to consider whether the form-based authentication process is actually necessary, if you can automatically identify a user from their AD account, without them needing to type anything to your application, or remember any extra usernames and passwords etc. Essentially it’s a form of SSO (single sign-on), albeit one which only works within a Windows domain.

    Some useful references to get you started:

  2. Offering an alternative answer without the typical mistakes in understanding Windows authentication.

    1. You cannot leave anonymous authentication on when you want to enable other IIS authentication methods like Windows/Basic/Digest (all three are challenge-based authentication). That's because anonymous authentication takes highest priority when on, and the browsers won't be challenged for other methods.

    2. You can authenticate your users using different methods, such as Windows authentication on IIS and forms based authentication in your PHP code. However, if they both verify the same AD user credentials, you don’t get any extra protection.

      For more protection you should use two/multiple factor authentication approaches.

    3. To understand what Windows authentication is, which is rather complex, you'd better talk to your domain administrators and also study very specific materials (like IIS/AD books). Microsoft has something like this to get you started, but you can easily get lost. In short, since a domain controller participates in the Windows authentication process, the browser does not need to send an explicit user password but a security token to IIS. Once it receives the token, IIS knows which user it belongs to, and your PHP code knows that too.

    I'd rather not talk about Kerberos/NTLM/SSO at this stage, as you won't easily digest them without fully understanding the above.
