Hi!
I've tried to find here the information about what does IIS 7 actually do with the Windows authentication information. I'm creating a SSO login page in the intranet (possibly some day should also work in the internet but let's not talk about that now). What I've understood with all my searching about this stuff, it ain't actually possible with IIS and PHP to send and receive all these headers used for HTTP authorization to actually authenticate to being a user on same domain. If I'm wrong about this, could you please tell me how it's done?
So I've got Windows authentication on and the rest off on my IIS. Now I'm just thinking can I be absolutely certain that if a user gots the $_SERVER variables like AUTH_NAME, AUTH_TYPE etc. from the server, he actually is a valid user logged in on the same domain? Only thing I've been able to check is that AUTH_NAME is DOMAIN\username but I just don't want to count on it if there's a way to cheat this.
So my actual question is, does IIS do the authorization automatically before even giving browser these $_SERVER variables with Windows authentication? The $_SERVER["HTTP_AUTHORIZATION"] gotten is "Negotiate <some thousands of characters>". Should I somehow use this to communicate with the server?