There is an intranet resource written in PHP. It runs under IIS6 (FastCGI). Automatic Windows authentication through IIS is required.

When Integrated Windows Authentication is enabled in IIS (and Anonymous access is disabled), authentication works fine, but there is a problem. My application uses SQL Server, which is configured only for Windows authorization, so for each authorized user the application tries to connect to the database as that user, but does not have rights to it.

Authorization using SQL Server cannot be enabled for some reason. In any case, it is required to connect to the database using a dedicated domain account affiliated with the Application Pool on IIS.

We tried disabling impersonation (fastcgi.impersonate = 0 in php.ini), but then automatic authentication is lost and the browsers behave strangely:

  • IE opens the standard domain authorization dialog, but does not accept the password even if it is 100% correct.
  • Chrome just falls off with ERR_INVALID_AUTH_CREDENTIALS and that's it.
  • FF opens the standard domain authorization dialog and authorizes me under my account without any problems, and then I see that everything works as it should (different accounts in $_SERVER["AUTH_USER"] and SQL User).

How can I provide automatic authentication, but always use a dedicated account to work with the database?

  • Do I understand correctly that you have a problem with IIS and PHP when disabling fastcgi.impersonate? In that case, what does SQL Server have to do with it? - Pavel Mayorov
  • Automatic authentication itself works fine when impersonation is enabled; the problem becomes visible when the application connects to SQL Server. I only need authentication for the application logic, but when connecting to the database, the same account should always be used for all NTLM-authorized users. - Anton Zikov
  • What does enabled impersonation have to do with it? You yourself write that you turned it off and everything stopped working for you. What does SQL Server have to do with it? It did not stop working. - Pavel Mayorov
  • The fact of the matter is that when impersonation is enabled, authorization proceeds normally, but it does not suit me that the application tries to connect to the database as the authorized user. And with impersonation turned off, authorization only works in Firefox, and then not automatically, but at the same time everything works as it should. The question is: why did authentication stop working normally when impersonation is disabled? - Anton Zikov
  • Damn, well, then ask that question! What does SQL Server have to do with it?! - Pavel Mayorov
