I am trying to access a SOAP web service using PHP. The service is a Windows service which is installed and configured on-site at the customer. The server I am connecting to is configurable to accept two different authentication modes: NTLM or SPNEGO.
I was able to successfully connect without problems to the server when it is configured to use NTLM, using the following extension class to SoapClient:

    class NTLMSoapClient extends SoapClient {
        // Send the SOAP request through cURL so that cURL performs the NTLM handshake.
        function __doRequest($request, $location, $action, $version, $one_way = NULL) {
            $headers = array(
                'Method: POST',
                'Connection: Keep-Alive',
                'User-Agent: PHP-SOAP-CURL',
                'Content-Type: text/xml; charset=utf-8',
                'SOAPAction: "'.$action.'"',
            );
            // Keep the headers so __getLastRequestHeaders() can return them.
            $this->__last_request_headers = $headers;
            $ch = curl_init($location);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $request);
            curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
            // Authentication scheme and credentials (placeholders).
            curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_NTLM);
            curl_setopt($ch, CURLOPT_USERPWD, "<user>:<password>");
            $response = curl_exec($ch);
            return $response;
        }

        function __getLastRequestHeaders() {
            return implode("\n", $this->__last_request_headers)."\n";
        }
    }

However, if I configure the server to use SPNEGO instead of NTLM, it obviously does not work out of the box. I tried to change the following:

    curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_ANY);

After searching around and experimenting I found people suggesting to supply the username only without a password:

    curl_setopt($ch, CURLOPT_USERPWD, "<user>");

None of the above worked. CURL always responds with HTTP 401 Unauthorized.
Running a phpinfo(); results in PHP telling me that CURL has SPNEGO enabled.
So, I reckon that it might not be that "easy" to enable SPNEGO for my request, but I have never worked with it and I could not find any resources on how to do a SPNEGO request with PHP, so either I am missing something or maybe I need another approach altogether. Any hints or suggestions are appreciated.
Note: Unfortunately I need to connect to various instances of this service. Although we are almost always in charge of managing the service, SPNEGO is the default and many of our customers do not wish to change it to NTLM, so I am forced to support both modes.