PHP Active Directory Authentication with Kerberos


Problem description:

I'm currently integrating a CMS (developed in PHP) authentication with Active Directory. This specific Active Directory only allows authentication through Kerberos, or ldaps:// (but this last one is not the most wanted since I'll have to use absolute paths).

I've been searching the web for anything about PHP AD Kerberos Authentication, but found nothing. Can anyone point me in the right direction?

Thanks in advance.


Not a freeware solution: Google the keyword 'Plexcel'.

If you are using Active Directory, it's possible your webserver is IIS, which has inbuilt Kerberos*.. then just let the browser and webserver handle the authentication and use some PHP like:

<?php
// IIS (Integrated Windows Authentication) puts the authenticated account
// (DOMAIN\user) in AUTH_USER; it is absent or empty when the browser did
// not authenticate.
$user = isset($_SERVER['AUTH_USER']) ? $_SERVER['AUTH_USER'] : false;
if ((false === $user) || ('' === $user)) {
    // Divert to incorrect password page..
    // MSIE typically tries three times, Kerb/NTLM/Plain
    // FF will only try NTLM/Plain if configured for NTLM
    // Chrome.. won't work with this at all.. not that I have discovered.
    // If testing locally using Apache, user will be 0
}

Now you can do SSO using Kerberos, works a charm.

*: Called "Integrated Windows Authentication" http://support.microsoft.com/kb/324274 and must be enabled in the browser by setting "Security Zone" to "Local Intranet".. which may happen if the IIS box is actually on the Local Intranet.. but it depends on the SPN and the domain of the user's box and the IIS box and any trust relationships.. if it's on a single domain with the domain name/machine name the same it should work. If you are clustering or anything fun, expect a major headache, rather than just a normal headache. You can script/GPO the IE settings if you feel the need..

Hopefully you are asking about something else.. If I prayed, it would be that you didn't implement this; it causes the whole authentication process for every single request.. which turns out to slow down every page load.. no matter how many aggregations/hacks/workarounds you implement.. it was just a bad idea, but once you start or tell a manager about it, they really love it because it saves them having to log in again.. oh, they will still complain about speed, but..
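The answer above trusts whatever the web server put in AUTH_USER. The following is an added example (not part of the answer, and not the CMS's own code) of how to consume that value a little more carefully: it accepts either AUTH_USER (IIS) or REMOTE_USER (Apache with a GSSAPI/Kerberos auth module), treats the empty and "0" cases the answer mentions as "not authenticated", parses both DOMAIN\user and user@REALM forms, refuses principals from realms the CMS does not expect, and regenerates the session id on login. The realm names, the function names and the /login-failed path are constructed placeholders.

```php
<?php
// Added example: assumes the front end (IIS Integrated Windows Authentication,
// or Apache with a Kerberos/GSSAPI module) has already completed the
// Negotiate exchange and set the principal in AUTH_USER or REMOTE_USER.
// These variables are set by the server, not copied from a request header,
// so the client cannot forge them unless the server is misconfigured.

/**
 * Parse the principal the web server authenticated.
 * Returns ['user' => ..., 'realm' => ...] or null when nothing usable was set
 * or the realm is not one the CMS is allowed to trust.
 * $allowedRealms holds upper-case NetBIOS domain names and/or Kerberos realms
 * (both forms can appear, depending on the front end), e.g. ['CORP', 'CORP.EXAMPLE'].
 */
function sso_principal(array $server, array $allowedRealms): ?array
{
    $raw = $server['AUTH_USER'] ?? $server['REMOTE_USER'] ?? '';
    // '' = browser never authenticated; '0' = the local-Apache case noted in the answer
    if (!is_string($raw) || $raw === '' || $raw === '0') {
        return null;
    }
    if (preg_match('/^([^\\\\@]+)\\\\([^\\\\@]+)$/', $raw, $m)) {       // DOMAIN\user
        $realm = strtoupper($m[1]);
        $user  = $m[2];
    } elseif (preg_match('/^([^@\\\\]+)@([^@\\\\]+)$/', $raw, $m)) {    // user@REALM
        $user  = $m[1];
        $realm = strtoupper($m[2]);
    } else {
        return null;   // bare user name carries no realm: refuse rather than guess
    }
    if (!in_array($realm, $allowedRealms, true)) {
        return null;   // a trusted forest can still contain realms the CMS must not accept
    }
    return ['user' => $user, 'realm' => $realm];
}

/** Establish the CMS session for an SSO-authenticated request, or divert. */
function sso_login(array $server, array $allowedRealms): void
{
    $p = sso_principal($server, $allowedRealms);
    if ($p === null) {
        header('Location: /login-failed');   // placeholder path
        exit;
    }
    session_start();
    session_regenerate_id(true);   // identity changed: never keep the pre-auth session id
    $_SESSION['cms_user'] = $p['user'] . '@' . $p['realm'];
}

// Constructed sample inputs covering the cases the answer describes
// (realm and user names are placeholders):
$allowed = ['CORP', 'CORP.EXAMPLE'];
var_dump(sso_principal(['AUTH_USER' => 'CORP\\alice'], $allowed));           // user alice, realm CORP
var_dump(sso_principal(['REMOTE_USER' => 'alice@corp.example'], $allowed));  // user alice, realm CORP.EXAMPLE
var_dump(sso_principal(['REMOTE_USER' => 'bob@OTHER.EXAMPLE'], $allowed));   // null: realm not allowed
var_dump(sso_principal(['AUTH_USER' => '0'], $allowed));                     // null: local Apache case
var_dump(sso_principal([], $allowed));                                       // null: no SSO at all
```

The realm check is the part most often skipped: in a multi-domain forest with trusts, IIS will happily authenticate any principal the DC trusts, so the application itself has to decide which realms may log in to the CMS.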

There's a krb5 module for PHP. It has a PECL entry although no packaging yet. You can find out more about it here:

http://mbechler.eenterphace.org/blog/index.php?/archives/12-php_krb5-releases.html
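As an added example (not code from the php_krb5 project or from the answer above), this is the server side of the HTTP Negotiate handshake (RFC 4559) that the krb5 extension lets a PHP script run itself, without relying on IIS or an Apache module: on the first request the browser has sent no token, so the script answers 401 with WWW-Authenticate: Negotiate; on the retry the browser's Authorization: Negotiate header carries a Kerberos service ticket, which the extension validates against the server's keytab. The class and method names follow the extension's KRB5NegotiateAuth API as I know it and should be checked against the current documentation; the keytab path and the principal names are placeholders.

```php
<?php
// Added example: assumes the PECL krb5 extension (php_krb5) is loaded and that
// the web server's service principal (e.g. HTTP/www.example.test@EXAMPLE.TEST,
// a placeholder) has its key in the keytab at $keytab. The keytab must be
// readable only by the web server user; it is equivalent to the service's password.

/**
 * Try to complete the Negotiate (SPNEGO/Kerberos) exchange for this request.
 * Returns the client principal (e.g. alice@EXAMPLE.TEST) or null when the
 * request carried no token or the token did not validate.
 */
function negotiate_user(string $keytab): ?string
{
    if (!class_exists('KRB5NegotiateAuth')) {
        throw new RuntimeException('PECL krb5 extension is not loaded');
    }
    $auth = new KRB5NegotiateAuth($keytab);
    try {
        // Reads "Authorization: Negotiate <token>" from the current request and
        // validates the ticket with the keytab; returns false when no token was sent.
        if (!$auth->doAuthentication()) {
            return null;
        }
    } catch (Exception $e) {
        // Invalid, replayed or expired token: treat as unauthenticated, log server-side only.
        error_log('Negotiate authentication failed: ' . $e->getMessage());
        return null;
    }
    return $auth->getAuthenticatedUser();
}

/** Gate a page behind Kerberos SSO; returns the principal or ends the request. */
function require_kerberos_login(string $keytab): string
{
    $principal = negotiate_user($keytab);
    if ($principal === null) {
        // First leg of RFC 4559: challenge the browser to present a Kerberos ticket.
        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: Negotiate');
        exit;
    }
    return $principal;
}

// Usage on a protected page (keytab path is a placeholder):
$who = require_kerberos_login('/etc/httpd/cms.keytab');
echo 'Authenticated as ' . htmlspecialchars($who, ENT_QUOTES, 'UTF-8');
```

Because the exchange is per request, the same performance remark as in the previous answer applies: establish a server-side session once the principal is known and only re-run the Negotiate handshake when that session is missing or expired.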