5 Replies Latest reply on Dec 15, 2016 8:26 PM by eat_k

    Kerberos Authentication in PHP

    eat_k

      Hi,

       

      Currently, we have a server with PI Web API and I would like to write a PHP script to retrieve values from it. Our server supports Kerberos authentication as we have an LDAP Server managing user accesses. For starters, I used the following references:

      - PI Web API and Kerberos Authentication via PHP https://pisquare.osisoft.com/thread/14070

      - Developing with PI Web API https://pisquare.osisoft.com/docs/DOC-1940

      - Developing a PHP application using PI Web API

      - PHP Manual for Kerberos Library

       

      And the main lines of code I put together so far (comes from the first link):

      <?php
      $username = 'domain\\username'; // for testing purpose, not staying here in the final version
      $password = 'password';         // for testing purpose, not staying here in the final version
      $url = 'https://mypiserver/piwebapi';

      $ch = curl_init($url);
      curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
      curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // certificate checking disabled for the test only

      // ask cURL to authenticate with SPNEGO (Kerberos) and allow the ticket to be delegated
      curl_setopt($ch, CURLOPT_GSSAPI_DELEGATION, CURLGSSAPI_DELEGATION_FLAG);
      curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_GSSNEGOTIATE);
      curl_setopt($ch, CURLOPT_USERPWD, $username . ":" . $password);
      $result = curl_exec($ch);
      $status = curl_getinfo($ch, CURLINFO_HTTP_CODE); // 401 in the case described below
      curl_close($ch);

       

      However, I get an HTTP 401 header in the response, as the authentication failed. I tried the other solutions above, but no success so far, and I can't seem to figure out exactly where the problem comes from. I suspect the credentials to be wrongly formatted but I have no clues about how to ensure it is the correct way. Am I doing something wrong?

       

      Thank you.

       

      --

      Y.E.

        • Re: Kerberos Authentication in PHP
          gregor

          Hello Kim,

           

          Does your PHP client have access to the DC?

          Can you try using a browser? If it works after prompting you for credentials, security falls back to NTLM. Kerberos is based on tickets and does not include sending username or password over the wire. By the way, with username and password in your application, please don't expect using Kerberos authentication.

          You can use klist.exe command to verify the local tickets.

          Are you executing the PHP script within another application, e.g. a Web application? If so, is this application configured to support Kerberos? A web application usually also is an additional hop, meaning that the ticket needs to be forwardable. Ticket forwarding from one service to another is also referred to as Kerberos Delegation and must be explicitly configured on the DC.

           

          In Developing a PHP application using PI Web API Marcos Vainer Loeff is referencing Using PI Web API with Angular 2 where he is using Basic authentication. Please note that under certain circumstances Kerberos is not an available option and you need to stick with Basic authentication.

            • Re: Kerberos Authentication in PHP
              eat_k

              Hello Gregor,

               

              First, thanks for the answer.

              When I use a web browser, I can access the API. No credentials are prompted, as I think the browser is using my Windows authentication through the LDAP Server.

               

              As you might have noticed, I am new to Kerberos and what I know is limited to basic documentation not related to the PHP part.

              Thus, the PHP script, at the moment, is only a proof of concept, in order to test some ideas before a possible future integration in a website. For that, we are using an Apache server on Windows and, as you said, I might need to configure Kerberos on it. Do you have any documentation about how I can do that? Google does not give really reliable links (as most of them are for Linux).

               

              For now, we would like to use Kerberos for authentication. I am not sure about being able to use Basic, I have to check with our person in charge.

              EDIT: The complexity of our infrastructure does not allow us to use Basic Authentication.

                • Re: Kerberos Authentication in PHP
                  gregor

                  Hello Kim,

                   

                  I understand that you like to use PHP in a Web Application hosted on a Windows Server but why do you like to use Apache instead of Internet Information Services?

                   

                  If you envision Kerberos authentication, clients will have to send their service specific Kerberos tickets to your web application which needs to be able to forward the clients Kerberos ticket to PI Web API who will need to forward it to your AF Server / PI Data Archive host. This means tickets need to be relayed over multiple hops which by default is disallowed. My suggestion is configuring Constrained Delegation (please see KB01222 - Types of Kerberos Delegation) for any authentication protocol but I strongly recommend you to verify with your IT about their policies.

                   

                  My experience is that configuring Kerberos Delegation deserves a lot of patience. I have seen many times that changes are not effective immediately and even rebooting doesn't help to expedite things. While pulling my hair and wondering why it's still not working, it suddenly started to work.

                   

                  Based on this experience, I suggest to not increase complexity by adding an 'unknown variable'. If you still like to stick with Apache, I suggest you search for '"Apache on Windows" Kerberos' (without the single quotes). I also like to repeat Marcos' suggestion to use Fiddler or any other tool that allows you to check the authentication header of each request.

                    • Re: Kerberos Authentication in PHP
                      eat_k

                      Hello Gregor,

                       

                      The script we would like to write was supposed to be, at the end, added to an already existing PHP application, running on Apache. That's why we are right now testing the script on Apache. As you might have suggested though, using Apache does not seem to be a great idea and, based on your experience, moving to IIS and rebuilding configuration files might just be easier in that case.

                       

                      As such, we tried using IIS with the original code from PI Web API and Kerberos Authentication via PHP https://pisquare.osisoft.com/thread/14070

                      It works, to some extent, we just can't access the AF Server for the moment. To my understanding, it is missing the last forwarding of ticket from the PI Web API to the AF server. We are right now looking into it, with the help of The common encountered problems and KB01222 - Types of Kerberos Delegation you gave me.

                       

                      Using Apache will surely be set aside; we will look a bit more into using Kerberos on Apache as a side project, but I don't think it will be easy. Our main solution will for now use IIS.

                       

                      I will thus mark this question as solved and I thank you all for the answers you brought me.

                       

                      Best regards,

                       

                      --

                      Y.E.

                • Re: Kerberos Authentication in PHP
                  Marcos Vainer Loeff

                  Hello,

                   

                  If you are using Kerberos, you don't need to type the username and password. It should use the credentials of the client which is running the PHP application. Please check my code again on this thread and try again. Make sure that you are using Kerberos for the AuthenticationMethods.

                   

                  On top of what Gregor has mentioned, I would download and install Fiddler to check if the authentication header sent by PHP is correct. You should also try to use Basic authentication.

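As an added example (not code from this thread, from OSIsoft or from the poster), the PHP diagnostic below does what Gregor's first reply and Marcos' reply suggest: it reads the WWW-Authenticate challenges on the initial 401 to see whether PI Web API actually offers Negotiate (Kerberos/NTLM) or only Basic, and then retries with SPNEGO using the ticket cache of the account running PHP instead of passing a username and password. The hostname in $url is a placeholder; the function names are this example's own.

```php
<?php
// Added example: probe which HTTP authentication schemes a PI Web API endpoint offers,
// then retry with SPNEGO/Kerberos using the existing ticket cache of the PHP process.
// Only standard PHP cURL calls are used; the server URL is a placeholder.

function probe_auth_schemes(string $url): array
{
    $challenges = [];
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        // Collect every WWW-Authenticate header from the 401 challenge.
        CURLOPT_HEADERFUNCTION => function ($ch, string $line) use (&$challenges): int {
            if (stripos($line, 'WWW-Authenticate:') === 0) {
                $challenges[] = trim(substr($line, strlen('WWW-Authenticate:')));
            }
            return strlen($line);
        },
    ]);
    curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $mask   = curl_getinfo($ch, CURLINFO_HTTPAUTH_AVAIL); // bitmask of schemes the server offered
    curl_close($ch);

    return [
        'status'     => $status,
        'challenges' => $challenges,
        'negotiate'  => (bool) ($mask & CURLAUTH_NEGOTIATE), // "Negotiate": Kerberos or NTLM
        'ntlm'       => (bool) ($mask & CURLAUTH_NTLM),
        'basic'      => (bool) ($mask & CURLAUTH_BASIC),
    ];
}

function get_with_kerberos(string $url): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPAUTH       => CURLAUTH_NEGOTIATE,
        // libcurl only enables SPNEGO when some user:password is set; an empty pair
        // tells it to use the logged-on account's ticket cache and sends no password.
        CURLOPT_USERPWD        => ':',
        // Delegate the ticket onward (PI Web API -> AF Server) only when the KDC has
        // marked the service as OK-AS-DELEGATE, i.e. only where delegation is configured.
        CURLOPT_GSSAPI_DELEGATION => CURLGSSAPI_DELEGATION_POLICY_FLAG,
        // Keep certificate verification on; point CURLOPT_CAINFO at an internal CA bundle if needed.
        CURLOPT_SSL_VERIFYPEER => true,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $error  = curl_error($ch);
    curl_close($ch);

    return ['status' => $status, 'body' => $body, 'error' => $error];
}

$url = 'https://mypiserver/piwebapi'; // placeholder host taken from the question

$probe = probe_auth_schemes($url);
printf("Initial response: HTTP %d, challenges: %s\n",
    $probe['status'], implode(' | ', $probe['challenges']));

if (!$probe['negotiate']) {
    // Nothing to gain from a Kerberos retry: the server only offers other schemes.
    echo "Server does not offer Negotiate; check PI Web API AuthenticationMethods.\n";
    exit(1);
}

$resp = get_with_kerberos($url);
printf("Negotiate retry: HTTP %d%s\n", $resp['status'],
    $resp['error'] !== '' ? ' (' . $resp['error'] . ')' : '');
```

Run it from the same account whose browser session reaches the API. A 401 that lists only "Basic" means the server side is the problem, not the PHP credentials; a 401 after the Negotiate retry usually means the PHP process has no Kerberos service ticket, which klist will confirm. Because NTLM also travels under the "Negotiate" name, a success here is only proof of Kerberos when klist shows a ticket for the HTTP service principal of the PI Web API host.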