NTLM Authentication


mallett76
New php-forum User
Posts: 24
Joined: Tue Apr 19, 2022 8:36 am

Thanks for sending over the link on Kerberos https://packagist.org/packages/tangervu/activedirector
I was reviewing the howto.txt file. It looks like there are some steps involved in setting it up. At the top, the howto.txt file states the following:

How to enable ActiveDirectory on Apache server running on Linux
===============================================================

Example configuration:
----------------------

- Apache/Linux server: Fully qualified domain name server123.example.org.
This server is virtual hosting someservice.net and anotherexample.org.

- ActiveDirectory servers: Default server running at
activedirectory-example.net (realm ACTIVEDIRECTORY-EXAMPLE.NET). Local
server also found at local.activedirectory-example.net. (realm
LOCAL.ACTIVEDIRECTORY-EXAMPLE.NET)

ActiveDirectory server:
-----------------------

- Create an ActiveDirectory account for the Apache/Linux server (example
login: servers.server123)

- Connect the created ActiveDirectory account to the Apache/Linux server:
setspn -a HTTP/<hostname> <account login>

*************** ***************************************

So, my question is, I'm running the PHP script on Windows, I am thinking that I can take the steps in the how-to, because it references Apache, but can you confirm? If so, it looks like the first step is to create an Active Directory account. I'm not sure how to do so; however, I found a link that looks like it does show the steps to do so, found at: https://www.technipages.com/windows-install-active-directory-users-and-computers
Michalio
php-forum Fan User
Posts: 103
Joined: Sun Jul 18, 2021 1:33 pm
Location: Poland

AD is an additional functionality for Windows Server. I configured it last time at school on Windows XP, so my knowledge about AD is outdated.
Maybe it will help you: https://www.youtube.com/watch?v=h3sxduUt5a8
Free coding lessons: https://php-forum.com/phpforum/viewtopic.php?t=29852
mallett76
New php-forum User
Posts: 24
Joined: Tue Apr 19, 2022 8:36 am

Thanks for this link. I plan on looking at https://www.youtube.com/watch?v=h3sxduUt5a8 to learn how to set up an Active Directory.
mallett76
New php-forum User
Posts: 24
Joined: Tue Apr 19, 2022 8:36 am

Hello,
So, I was reviewing the website https://www.youtube.com/watch?v=h3sxduUt5a8 - the link to set up an Active Directory. The first step that this video talks about is needing to make sure your computer has a static IP address. Looks like the server that I'm running the website on at work does have a static IP address. However, my work laptop, which I generally use for testing, doesn't have a static IP address; it has a dynamic IP address. Now, I did take a crack at trying to set up a static IP address on my laptop with a wireless internet connection (which, bear in mind, does use VPN) - and that didn't work too well. I lost connection to the Internet/wasn't able to work for a few. So - I quickly turned it back to the dynamic, and my Internet connection was restored.
From what I read on another site, to set up a static IP address on a Windows computer one would
1. Go to the wireless icon. Select open network connections and internet settings
2. Change adapter options
3. Then, there are a series of sections to fill out
a. IP address - I'm assuming it's the IP address of the current connection - (IPv4 Address. . . . . . . . . . . : 10.30.20.114)
b. Subnet mask - when I select ipconfig, is the subnet mask under the IP address? Subnet Mask . . . . . . . . . . . : 255.255.255.255 - So, in this case I would use 255.255.255.255?
c. Default gateway - On my ipconfig - I see Default Gateway . . . . . . . . . : 0.0.0.0 - but is 0.0.0.0 even a legitimate gateway, can I use it?
d. Preferred DNS - Not sure what to select on that one
e. Alternate DNS - not sure what to select on that one either

Here is my Windows IP configuration - any assistance would be greatly appreciated.

Windows IP Configuration


PPP adapter _Common_Desktop-Remote_splitv6 - rv02wc.vpn.comcast.net:

Connection-specific DNS Suffix . : cable.comcast.com
IPv6 Address. . . . . . . . . . . : 2001:558:1404:30::d539
Link-local IPv6 Address . . . . . : fe80::d539%49
IPv4 Address. . . . . . . . . . . : 10.30.20.114
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0

Ethernet adapter Ethernet:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : cable.comcast.com

Wireless LAN adapter Local Area Connection* 2:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

Wireless LAN adapter Local Area Connection* 3:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

Wireless LAN adapter Wi-Fi:

Connection-specific DNS Suffix . : hsd1.ma.comcast.net
IPv6 Address. . . . . . . . . . . : 2601:18c:80:1f30::fd98
Link-local IPv6 Address . . . . . : fe80::7179:a790:b624:2803%3
IPv4 Address. . . . . . . . . . . : 10.0.0.111
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::4af7:c0ff:fee6:6432%3
Michalio
php-forum Fan User
Posts: 103
Joined: Sun Jul 18, 2021 1:33 pm
Location: Poland

You do not need a static IP in public domain. If you need a static IP for testing you can test it inside your network and you can use the IP from your network and you will have the same IP all the time even if you didn't configure the static address. So you can use the IP from 10.x.x.x or 192.168.x.x network
mallett76
New php-forum User
Posts: 24
Joined: Tue Apr 19, 2022 8:36 am

Sorry, I'm a little confused.
Per the video found at: https://www.youtube.com/watch?v=h3sxduUt5a8 - if I want to set up an AD, it says the first step that I need to do, is to set up a static domain.
So, are you saying that to set up a domain, one doesn't need to set up a static domain?
As mentioned, it looks like the work server has a static domain; however, the laptop that I would test from doesn't have a static domain.
The reason that I was looking into the static domain, was because the site https://www.youtube.com/watch?v=h3sxduUt5a8 advised me to. However, if a static domain isn't a requirement to set up an AD, that's fine, please confirm either way though.
mallett76
New php-forum User
Posts: 24
Joined: Tue Apr 19, 2022 8:36 am

Sorry, in my previous post, I was saying setting up a static domain, I meant to say static ip address.
tekmunkey
php-forum Active User
Posts: 34
Joined: Wed Apr 27, 2022 11:24 am

Michalio wrote: Wed May 11, 2022 2:27 pm You do not need a static IP in public domain. If you need a static IP for testing you can test it inside your network and you can use the IP from your network and you will have the same IP all the time even if you didn't configure the static address. So you can use the IP from 10.x.x.x or 192.168.x.x network

mallett76 wrote: Thu May 12, 2022 5:13 am Sorry, I'm a little confused.
Per the video found at: https://www.youtube.com/watch?v=h3sxduUt5a8 - if I want to set up an AD, it says the first step that I need to do, is to set up a static domain.
So, are you saying that to set up a domain, one doesn't need to set up a static domain?
As mentioned, it looks like the work server has a static domain; however, the laptop that I would test from doesn't have a static domain.
The reason that I was looking into the static domain, was because the site https://www.youtube.com/watch?v=h3sxduUt5a8 advised me to. However, if a static domain isn't a requirement to set up an AD, that's fine, please confirm either way though.

mallett76 wrote: Thu May 12, 2022 5:14 am Sorry, in my previous post, I was saying setting up a static domain, I meant to say static ip address.

What Michalio is saying is that your Active Directory Server does not need to be on the open internet, so you do not need a static IP on the open internet.

Instead of that, Michalio has suggested that you get yourself a router which provides a LAN-Side, and that you set up your static IPs on the LAN side.
mallett76
New php-forum User
Posts: 24
Joined: Tue Apr 19, 2022 8:36 am

So, to confirm,
I do not need to set up a static ip address to set up an active directory?
Michalio
php-forum Fan User
Posts: 103
Joined: Sun Jul 18, 2021 1:33 pm
Location: Poland

Yes, for testing you can use any IP. You can even use loopback address (localhost / 127.0.0.1) just for testing.
tekmunkey
php-forum Active User
Posts: 34
Joined: Wed Apr 27, 2022 11:24 am

mallett76 wrote: Fri May 13, 2022 5:46 am So, to confirm,
I do not need to set up a static ip address to set up an active directory?

Michalio wrote: Fri May 13, 2022 7:35 am Yes, for testing you can use any IP. You can even use loopback address (localhost / 127.0.0.1) just for testing.

Apart from that, Active Directory is just a name Microsoft gave to a collection of protocols and services bundled together and configured to interact in a particular way. Those protocols and interactions include NetBIOS and DNS, such that inside an AD Domain you should be able to assign DNS resolution to NetBIOS Hostnames, so AD should work on a network where absolutely every IP Address is assigned via DHCP.

So within an Active Directory Domain, you should be able to assign a DNS-style name like 'humanresources.mydomain.com' to a NetBIOS Hostname like HR-DESKTOP-PC, rather than have to assign a static IP address to HR-DESKTOP-PC. I do not recommend this, I am just pointing out that this is how Active Directory is intended to operate.
mallett76
New php-forum User
Posts: 24
Joined: Tue Apr 19, 2022 8:36 am

OK, great - thanks for confirming.
tekmunkey
php-forum Active User
Posts: 34
Joined: Wed Apr 27, 2022 11:24 am

I really recommend Michalio's method, where you set up static IPs within a routed LAN rather than go pay a heap to your ISP for a static IP on the internet.

I do not at all recommend that you run an AD on the open internet ever, at all, for any reason. If you have a need to link internet users to your AD, you should use a VPN.
mallett76
New php-forum User
Posts: 24
Joined: Tue Apr 19, 2022 8:36 am

I think I'm beginning to piece it all together.
The dynamic ip address - for testing purposes is fine. As being dynamic, the ip address would always be changing - so it wouldn't do much good to have the site accessible to the public where the ip address would be changing.
However, the static ip address is ideal when I actually put the site live, as then we'll want to have the ip address constant - yes this makes sense.
The site is actually on my company's intranet. And where it resides are on servers, which are static - so I'm good there, I guess in my goal to get Kerberos authentication going, my next step is to work on adding an active directory to the company servers. As well as my own work laptop (which is dynamic) - but that is fine, as I'm only going to test out the planned Kerberos updates on my laptop, before I put it on production.
tekmunkey
php-forum Active User
Posts: 34
Joined: Wed Apr 27, 2022 11:24 am

mallett76 wrote: Fri May 13, 2022 12:56 pm The dynamic ip address - for testing purposes is fine. As being dynamic, the ip address would always be changing - so it wouldn't do much good to have the site accessible to the public where the ip address would be changing.

Correct, but to be frank AD is a Charlie Foxtrot. I assume that you have a pre-existing AD Tree and you just want a website or service to be accessible for login using existing AD credentials.

The larger reason I do not recommend putting AD on the open internet is because AD is CF. Anything that complicated is inherently impossible to audit. I would compare AD security to helicopter maintenance; a helicopter is over 100,000 moving parts and a microscopic chip or crack in any one of them can cause the thing to randomly fall out of the sky like a brick.

mallett76 wrote: Fri May 13, 2022 12:56 pm However, the static ip address is ideal when I actually put the site live, as then we'll want to have the ip address constant - yes this makes sense.

Anything you point a real public domain name at should have a static IP on the internet. Whether you have a static IP or not, I recommend strongly against putting AD on the open internet, as detailed above.

mallett76 wrote: Fri May 13, 2022 12:56 pm The site is actually on my company's intranet. And where it resides are on servers, which are static - so I'm good there, I guess in my goal to get Kerberos authentication going, my next step is to work on adding an active directory to the company servers. As well as my own work laptop (which is dynamic) - but that is fine, as I'm only going to test out the planned Kerberos updates on my laptop, before I put it on production.

If you are doing this internally, why not just throw down a couple grand on a regular Windows Server license and run AD natively? The absolute only time I ever had a reason to spin up an AD server in Linux was to satisfy the requirements of QuickBooks multi-user server for Linux, and after I went to all that trouble I discovered that QB is a CF itself and would not run. At that point it is proprietary trash so you cannot download the source and fix the problems created by outsourcing to the lowest bidder, so I would say that there is never a good reason to set up AD in Linux.
mallett76
New php-forum User
Posts: 24
Joined: Tue Apr 19, 2022 8:36 am

So, I was finally able to set up an Active Directory on my laptop. So, getting back to the site https://github.com/tangervu/ActiveDirectory.php/blob/master/HOWTO.txt - where my end goal is to create Kerberos authentication on PHP - it looks like https://github.com/tangervu/ActiveDirectory.php/blob/master/HOWTO.txt are instructions to set up Kerberos authentication on Linux. I'm working with Windows. So, I'm not sure if this site https://github.com/tangervu/ActiveDirectory.php/blob/master/HOWTO.txt is the best one for my purposes. Is it? Or are the steps that I take with Windows the same as Linux?
mallett76
New php-forum User
Posts: 24
Joined: Tue Apr 19, 2022 8:36 am

Hello Michalio,
Looking more at the site you suggested to set up Kerberos - https://packagist.org/packages/tangervu/activedirectory
Reading the https://github.com/tangervu/ActiveDirectory.php/blob/master/HOWTO.txt
It says:
"Create an ActiveDirectory account for the Apache/Linux server (example
login: servers.server123)"

So, I'm working with Windows 10 Pro, and when I go to Active Directory Users and Computers. Then I go to the pane > action > I should see the option for "new user" - I'm not seeing the "new user" option. I see delegate control, find, all tasks, refresh, export list, properties, and help as options, but not new user. Is there a different way to add new user?
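
The two HOWTO steps quoted in this thread (create the account for the web server, then bind `HTTP/<hostname>` to it with `setspn`), as an added PowerShell example that is not part of the original posts or of HOWTO.txt. It assumes the ActiveDirectory RSAT module is available, that it is run by an account allowed to create users in the domain, and it reuses the HOWTO's example names; the description text is illustrative. It uses `setspn -S`, which checks for a duplicate SPN before adding, in place of the HOWTO's `-a`.

```powershell
# Added example, not from HOWTO.txt. Names are the HOWTO's example values.
Import-Module ActiveDirectory   # assumption: RSAT AD module is installed

$Account = 'servers.server123'           # example login from the HOWTO
$Spn     = 'HTTP/server123.example.org'  # HTTP/<hostname> from the HOWTO

# Step 1: create the service account if it does not exist yet.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$Account'")) {
    $newUser = @{
        Name                   = $Account
        SamAccountName         = $Account
        # Prompted, never hard-coded: an account that carries an SPN should
        # have a long random password, since any domain user can request
        # a service ticket encrypted with its key.
        AccountPassword        = Read-Host -AsSecureString "Password for $Account"
        Enabled                = $true
        KerberosEncryptionType = 'AES256'   # avoid RC4-only tickets
        Description            = 'Service account for Kerberos SSO (illustrative)'
    }
    New-ADUser @newUser
}

# Step 2: a duplicate SPN breaks Kerberos for that service, so stop if
# some other object already holds it.
$holders = @(Get-ADObject -Filter "servicePrincipalName -eq '$Spn'" `
                          -Properties sAMAccountName |
             Where-Object { $_.sAMAccountName -ne $Account })
if ($holders.Count -gt 0) {
    throw "SPN $Spn is already registered on: $($holders.sAMAccountName -join ', ')"
}

# Register the SPN (-S verifies uniqueness again before adding).
setspn -S $Spn $Account

# Verify: list the SPNs now bound to the account.
setspn -L $Account
```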