I have a PHP web application on an intranet that can extract the IP and host name of the current user on that page, but I was wondering if there is a way to get/extract their Active Directory/Windows username as well. Is this possible?
17 Answers
Check the AUTH_USER request variable. This will be empty if your web app allows anonymous access, but if your server's using basic or Windows integrated authentication, it will contain the username of the authenticated user.
In an Active Directory domain, if your clients are running Internet Explorer and your web server/filesystem permissions are configured properly, IE will silently submit their domain credentials to your server and AUTH_USER will be MYDOMAIN\user.name without the users having to explicitly log in to your web app.
- only IE passes your credentials through, other browsers just prompt, in which case you just need to supply your domain credentials (domain\username and password). – CodeMonkey1313 Aug 25 '09 at 15:15
- Firefox supports (automatic) integrated authentication, too. See https://developer.mozilla.org/en/Integrated_Authentication – VolkerK Mar 20 '10 at 23:21
- In case my app performs sensible operations: May I ultimately trust the passed AUTH_USER? Clients are part of a well-administered corporate intranet. Besides AUTH_USER, I need to know if the user belongs to a certain group. Will this information be passed too? And finally, do you have a URL describing your information? – SteAp Nov 09 '11 at 23:40
- Thank you for this answer. One has to remember to disable Anonymous access in IIS and turn on Windows Integrated Authentication. Using Intraweb it is then possible to get the authenticated user using WebApplication.Request.GetFieldByName('AUTH_USER') – Pieter van Wyk Sep 16 '14 at 15:57
- I have the Windows integrated authentication and even with IE the user is asked. I can't make it work with IIS. – manou Jun 01 '15 at 20:20
- @Simurr it isn't just possible with IE; most other browsers support it, but only in IE is it enabled for the entire internet by default. In the others you have to enable it manually before you can use it; for Firefox you can use this addon or manually set the config https://addons.mozilla.org/en-GB/firefox/addon/integrated-auth-for-firefox/ – MikeT Feb 06 '17 at 11:52
- @MikeT given that my comment was from '08, it probably was only possible in IE, though I only vaguely remember looking into it. Good to know it works now. – Simurr Feb 06 '17 at 21:21
- Thank you team. But my case is different. I have lots of applications hosted on the same server. So I wanted to have the AD credential fetched from the local user's machine for only one application. If I enable the AD Authentication and disable anonymous access, all other apps will also populate for AD credentials. Hence please suggest what I can do for an individual application only. – Rajan Aug 21 '18 at 09:54
I've got php mysql running on IIS - I can use $_SERVER["AUTH_USER"] if I turn on Windows Authentication in IIS -> Authentication and turn off Anonymous authentication (important)
I've used this to get my user and domain:
$user = $_SERVER['AUTH_USER'];
$user will return a value like: DOMAIN\username on our network, and then it's just a case of removing the DOMAIN\ from the string.
This has worked in IE, FF, Chrome, Safari (tested) so far.
- I have php running on IIS and only Windows Authentication enabled for this site. I don't have this information. What could I recheck? – manou Jun 01 '15 at 20:23
- After turning on Windows Authentication in IIS -> Authentication and turn off Anonymous authentication it worked for me. Thank you, Cheers! – user752746 May 08 '19 at 18:06
- Thank you for this! Is there also something that will pull the info associated with the Win AUTH ID? First Name, Last Name, etc. – Cody O'Meara Mar 07 '22 at 15:46
Look at the PHP LDAP library functions: http://us.php.net/ldap.
Active Directory [mostly] conforms to the LDAP standard.
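Added example, not part of any answer on this page: a lookup of a user's name attributes and group memberships with PHP's LDAP functions, which is what the comments above ask for once the account name is known. The server URI, base DN, bind account and sample names are placeholders or constructed values, and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example. The server URI and base DN are placeholders.
const LDAP_URI = 'ldaps://dc.example.com';
const BASE_DN  = 'DC=corp,DC=example,DC=com';

// ldap_escape() encodes filter metacharacters such as * ( ) \ so that the
// account name cannot change the structure of the query.
function user_filter(string $account): string
{
    $safe = ldap_escape($account, '', LDAP_ESCAPE_FILTER);
    return "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safe))";
}

// Returns name attributes and direct group DNs, or null when the bind
// fails or the search does not match exactly one account.
function lookup_ad_user(string $account, string $bindDn, string $bindPw): ?array
{
    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    if (!@ldap_bind($conn, $bindDn, $bindPw)) {
        return null;
    }
    $result  = @ldap_search($conn, BASE_DN, user_filter($account),
                            ['givenName', 'sn', 'memberOf']);
    $entries = $result ? ldap_get_entries($conn, $result) : ['count' => 0];
    ldap_unbind($conn);
    if ($entries['count'] !== 1) {
        return null;
    }
    $e = $entries[0];                 // attribute names come back lower-cased
    $groups = $e['memberof'] ?? [];   // direct memberships only
    unset($groups['count']);
    return [
        'givenName' => $e['givenname'][0] ?? null,
        'sn'        => $e['sn'][0] ?? null,
        'groups'    => array_values($groups),
    ];
}

// Offline demonstration with constructed names: the second one is escaped.
foreach (['jsmith', "o'brien (temp)*"] as $name) {
    echo user_filter($name), "\n";
}
```

In a request handler the account name passed to `lookup_ad_user()` would be the user part of the server-set AUTH_USER or REMOTE_USER value, and the bind account is assumed to be a low-privilege service account.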
We have multiple domains in our environment so I use preg_replace with regex to get just the username without DOMAIN\ .
preg_replace("/^.+\\\\/", "", $_SERVER["AUTH_USER"]);
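Added example, not taken from any answer on this page: a fuller version of reading AUTH_USER / REMOTE_USER and splitting off the domain, as the answers above do. It rejects empty (anonymous) and malformed values and checks the domain against an allowlist instead of discarding it. The function name, the CORP and corp.example.com domains, the character policy and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: identity comes only from what the web server sets after
// authentication, never from getenv('USERNAME') or get_current_user(),
// which describe the account the PHP process runs as.
function authenticated_ad_user(array $server, array $allowedDomains): ?array
{
    $raw = '';
    foreach (['AUTH_USER', 'REMOTE_USER'] as $key) {
        if (is_string($server[$key] ?? null) && $server[$key] !== '') {
            $raw = $server[$key];
            break;
        }
    }
    if ($raw === '') {
        return null; // anonymous access enabled, or authentication did not run
    }

    if (preg_match('/^([^\\\\@]+)\\\\([^\\\\@]+)$/', $raw, $m)) {
        [$domain, $user] = [$m[1], $m[2]];   // DOMAIN\user
    } elseif (preg_match('/^([^\\\\@]+)@([^\\\\@]+)$/', $raw, $m)) {
        [$user, $domain] = [$m[1], $m[2]];   // user@REALM
    } else {
        return null; // bare name: the domain is unknown, so do not guess
    }

    // Assumed naming policy: letters, digits, dot, underscore, hyphen.
    if (!preg_match('/^[\p{L}\p{N}._-]{1,64}$/u', $user)) {
        return null;
    }
    // With several domains, "jsmith" alone is ambiguous: keep the domain
    // and accept only the ones this application expects.
    $domain = strtoupper($domain);
    if (!in_array($domain, array_map('strtoupper', $allowedDomains), true)) {
        return null;
    }
    return ['domain' => $domain, 'user' => $user];
}

// Constructed sample values standing in for $_SERVER.
$allowed = ['CORP', 'CORP.EXAMPLE.COM'];
$samples = ['CORP\\jsmith', 'jsmith@corp.example.com', 'OTHER\\jsmith', 'jsmith', ''];
foreach ($samples as $value) {
    $id = authenticated_ad_user(['AUTH_USER' => $value], $allowed);
    printf("%-26s => %s\n", var_export($value, true),
        $id ? $id['domain'] . '\\' . $id['user'] : 'rejected');
}
```

In a page handler the call would be `authenticated_ad_user($_SERVER, $allowed)`, with a null result treated as an unauthenticated request.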
If you're using Apache on Windows, you can install the mod_auth_sspi from
https://sourceforge.net/projects/mod-auth-sspi/
Instructions are in the INSTALL file, and there is a whoami.php example. (It's just a case of copying the mod_auth_sspi.so file into a folder and adding a line into httpd.conf.)
Once it's installed and the necessary settings are made in httpd.conf to protect the directories you wish, PHP will populate the $_SERVER['REMOTE_USER'] with the user and domain ('USER\DOMAIN') of the authenticated user in IE -- or prompt and authenticate in Firefox before passing it in.
Info is session-based, so single(ish) signon is possible even in Firefox...
-Craig
- Hi! What if you are using Apache on Ubuntu and you still want to load a Windows (AD) username? – Gayolomao Mar 20 '20 at 12:03
If you are looking for retrieving remote user IDSID/Username, use:
echo gethostbyaddr($_SERVER['REMOTE_ADDR']);
You will get something like iamuser1-mys.corp.company.com
Filter the rest of the domain behind, and you are able to get the idsid only.
For more information visit http://lostwithin.net/how-to-get-users-ip-and-computer-name-using-php/
You could probably authenticate the user in Apache with mod_auth_kerb by requiring authenticated access to some files … I think that way, the username should also be available in PHP environment variables somewhere … probably best to check with <?php phpinfo(); ?> once you get it running.
Use this code:
shell_exec("wmic computersystem get username");
- This answer is better than the other at this stage because it helps to see the username connected to the computer. – pollux1er Dec 17 '21 at 08:36
- But you need to install an Apache module to use this function. `apt-get install libapache2-authenntlm-perl` – SatanicGeek May 12 '16 at 10:04
- This will not get you the username of the person on the other end, it will get you the username of the user running the Apache 2 process – ZaxLofful Aug 05 '19 at 19:29
Check out patched NTLM authentication module for Apache https://github.com/rsim/mod_ntlm
Based on NTLM auth module for Apache/Unix http://modntlm.sourceforge.net/
Read more at http://blog.rayapps.com/
Source: http://imthi.com/blog/programming/leopard-apache2-ntlm-php-integrated-windows-authentication.php
get_user_name works the same way as getenv('USERNAME');
I had encoding (with Cyrillic) problems using getenv('USERNAME')
No. But what you can do is have your Active Directory admin enable LDAP so that users can maintain one set of credentials
- You don't have to enable LDAP since it's a core component of Active Directory. – VVS Oct 03 '08 at 20:00
Referencing trying to also figure out if AUTH_USER is part of a particular domain group; a clever way to do this is to create a locked down folder with text files (can be blank). Set security to only having the security/distro group you want to validate. Once you run a @file_get_contents (<---will toss a warning)...if the user does not have group access they will not be able to get the file contents and hence, will not have that particular AD group access. This is simple and works wonderfully.
This is a simple NTLM AD integration example, allows single sign on with Internet Explorer, requires login/configuration in other browsers.
PHP Example
<?php
$user = $_SERVER['REMOTE_USER'];
$domain = getenv('USERDOMAIN');
?>
In your apache httpd.conf file
LoadModule authnz_sspi_module modules/mod_authnz_sspi.so
<Directory "/path/to/folder">
    AllowOverride All
    Options ExecCGI
    AuthName "SSPI Authentication"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIOmitDomain On
    Require valid-user
    Require user "NT AUTHORITY\ANONYMOUS LOGON" denied
</Directory>
And if you need the module, this link is useful:
Let's try this, it will get the user name from the Windows login
<?php
echo getenv('username');
?>
try this code :
$user= shell_exec("echo %username%");
echo "user : $user";
you get your windows(AD) username in php
I tried almost all of these suggestions, but they were all returning empty values. If anyone else has this issue, I found this handy function on php.net (http://php.net/manual/en/function.get-current-user.php):
get_current_user();
$username = get_current_user();
echo $username;
This was the only way I was finally able to get the user's active directory username. If none of the above answers has worked, give this a try.
- I think, this way you get the user who is running your PHP on the server and not the user who has logged in on his machine and sends a request from a web browser to your PHP page. In this case you might have a serious security hole, since your PHP page is running as completely different user with different permissions. – JustAMartin Jul 14 '17 at 12:45
- @JustAMartin I have been testing this for the past several months, and I am consistently getting the user who is logged in on the machine and accessing the website generated by my PHP - not the other way around. – Purple Lady Jul 14 '17 at 17:20