#StackBounty: #php #iis #windows-server-2016 #ntlm #iis-10 IIS / PHP not passing (or passing incorrect) NTLM user information

Bounty: 50

I am currently migrating PHP applications from IIS 8.0 to IIS 10.0. NTLM/Windows Authentication has been installed through Server Manager. The scripts are running on PHP 7.1 and are using exactly the same configuration and files which were present on the old server. The configuration inside IIS is pretty much the same. The website on which I am trying to use it has been converted into an application. Authentication is set to only Windows Authentication, which is enabled, has both NTLM and Negotiate enabled, no extended protection enabled, and kernel-level enabled.

While running a script which has phpinfo in it, the user account shown under _SERVER["LOGON_USER"] is incorrect (it shows the user that I am using to connect to the server itself, not the user who is connecting to the application from their own PC), not the current logged-on user. When trying to connect to the application, it asks me to log in, while it should take the user information automatically.

The only difference between the old and new servers, apart from version differences, is that the server runs only on HTTPS instead of mixed, yet even when turning off the redirect rule, it still asks to log in.

Expected behaviour would be that the application loads automatically and gets the information from the user’s browser / 401 Challenge request without extra information required to be entered by the end user.

CGI has Impersonate User set to True.
Website is set to Local Intranet in IE settings.

Does anyone have an idea what might be causing it, what I should check, or what I could have missed?

Screenshot from the server with the details changed to generic ones.

