So I have a nifty script (thanks to the help of some responders to a previous question), that allows a person to enter their username & password from Win AD using LDAP.
Taking that a step further, I'd like to be able to see if the person has already authenticated their session on the PC and use that information instead of them entering new stuff. Someone did reference SSPI, with which I wrote a little script to give me the person's username... this is ALMOST what I want.
The problem with SSPI (from what I can see, please correct me here) is that if the person doesn't have an authenticated AD session, the browser asks for one in one of the traditional pop-up boxes, in which the user is also forced to type DOMAIN\ before the username. I would like to have them visit my login form, not use the browser pop-up.
I look forward to your thoughts.
After answering your previous question, I thought you'd come to this point. Unfortunately, there's no transparent solution for this. I know that since I tried the exact same thing a few weeks ago and did A LOT of research. The best you can do about it is to configure Apache to only ask for SSPI authentication when a user tries to access your login page (and only there, to avoid the browser's auth interface popping up where and when you don't want it) and NOT require a valid user/pass combination.
So, if the user is logged into the domain, the browser (if capable/configured) will automatically pass his AD username, and if not, it will ask for a username and password. And here's the tricky part - if he/she fails to provide a correct combination, since a successful login is not required, this will be remembered for the session and you can fall back to your custom login form, where you can use PHP's LDAP functions to give them the ability to retry.
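One way to write the login page the answer describes, as an added example that is not code from the question or the answer: it trusts the `REMOTE_USER` that Apache's SSPI module sets when the browser negotiated silently, and otherwise shows a form and checks the credentials with a PHP LDAP bind. It assumes mod_auth_sspi protects only this URL with `SSPIAuthoritative Off` and no `Require valid-user`, and the domain controller, domain name and UPN suffix below are placeholders.

```php
<?php
// Added example, not code from the question or the answer. Assumes Apache's
// mod_auth_sspi guards only this URL with SSPIAuthoritative Off and no
// "Require valid-user", so a missing or failed negotiation still reaches PHP.
declare(strict_types=1);
session_start();

const LDAP_URI   = 'ldaps://dc1.example.local'; // assumed DC; LDAPS keeps the bind password off the wire
const NT_DOMAIN  = 'EXAMPLE';                   // assumed NetBIOS domain name
const UPN_SUFFIX = '@example.local';            // assumed UPN suffix used for the bind name
const USER_RE    = '/^[A-Za-z0-9._-]{1,64}$/';  // sAMAccountName shape we are willing to accept

// Path 1: the browser already negotiated and mod_auth_sspi set REMOTE_USER ("DOMAIN\user").
function sspi_user(): ?string {
    $raw = $_SERVER['REMOTE_USER'] ?? '';
    if (($pos = strpos($raw, '\\')) !== false) {
        // Accept only our own domain so an identity from another trust is not treated as local.
        if (strcasecmp(substr($raw, 0, $pos), NT_DOMAIN) !== 0) { return null; }
        $raw = substr($raw, $pos + 1);
    }
    return preg_match(USER_RE, $raw) === 1 ? $raw : null;
}

// Path 2: verify form credentials with a real LDAP simple bind as that user.
function ldap_login(string $user, string $pass): bool {
    // AD treats a bind with an empty password as an *unauthenticated* bind and
    // reports success, so refuse it here; the regex also keeps odd characters out of the bind name.
    if ($pass === '' || preg_match(USER_RE, $user) !== 1) { return false; }
    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) { return false; }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    $ok = @ldap_bind($conn, $user . UPN_SUFFIX, $pass); // @: a wrong password emits a PHP warning otherwise
    ldap_unbind($conn);
    return $ok;
}

$error = null;
if (($u = sspi_user()) !== null) {
    session_regenerate_id(true); $_SESSION['user'] = $u;          // transparent login, no form shown
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $u = $_POST['username'] ?? '';
    if (ldap_login($u, $_POST['password'] ?? '')) { session_regenerate_id(true); $_SESSION['user'] = $u; }
    else { $error = 'Login failed, please try again.'; }
}
if (isset($_SESSION['user'])) { header('Location: /app/'); exit; }   // assumed post-login page
?>
<form method="post">
  <?php if ($error !== null): ?><p><?= htmlspecialchars($error) ?></p><?php endif; ?>
  <input name="username" placeholder="username (without DOMAIN\)"> <input type="password" name="password">
  <button>Log in</button>
</form>
```

Because the SSPI directives on this URL do not require a valid user, a cancelled or failed browser prompt still lands here with `REMOTE_USER` empty, which is exactly the case the form handles.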