Constrained Delegation under Windows Server 2003

kevinlo
Forum Newbie
Posts: 1
Joined: Mon Apr 02, 2007 4:38 pm


Post by kevinlo »

I’m having a somewhat complex problem with Kerberos delegation and PHP. Running PHP cgi version 4.3.8.8 under IIS6. The PHP application needs to forward the user’s credentials to SQL Server running on a separate machine. I’m able to get this to work using the php cgi program and setting up “Normal” delegation in Active Directory. The customer, however, requires constrained delegation to be used. This requirement is due to the initial login with Secure Channel and the need to transition to Kerberos, an option only supported under constrained delegation.

I’ve been able to get an ASP script to work with constrained delegation. In Active Directory we set delegation for the IIS machine to “Trust this computer for delegation to specified services only” and select the option “Use any application protocol”. We then specify the SPN for MSSQLServer.

However, with the same settings in AD, PHP returns the error “Login failed for user ‘(null)’. Reason: Not associated with a trusted SQL Server connection.” This is an ODBC connection.

Because normal, non-constrained delegation works with PHP, it seems possible to get constrained delegation to work, but I’ve had no luck yet. I’ve tried the PHP ISAPI extension, which had problems with our applications. FastCGI did not impersonate the user at all.

I’ve exhausted searching the internet and php groups for answers. I even opened a ticket with Microsoft, but their support ended with ASP. Any ideas? Is this possible?

Thanks, Kevin