So not sure if this is actually feasible or not. But putting a page together for our techs that they can generate certificates with, feed in all the details which creates a CSR then fires off the request to CertSrv to issue the certificate.
I have all that working, but what I'd like to do is feed the clients NTLM through to the curl request so that only users who are permitted to issue X certificate can do so. This also means I don't need to bake credentials into the script.
The page gets NTLM auth from the user with this:
$headers = getallheaders();
if(!isset($headers['Authorization']))
{
header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: NTLM');
}
and I can see the NTLM auth header, but I can't feed that into my curl request,
I even tried just setting the Authorization header to the value in the received headers but that doesn't work.
I figure it'd be difficult by design to stop people doing this sort of thing maliciously but is there actually a way around it?
Thanks for any help on this.
so having spent more time researching ntlm, this isnt feasible really. the ntlm hash is generated by the server so to the certsrv server its not usable. the only way to do this without baking in creds is to make it do the certsrv reqs on the client side. (assuming network access / reachability to the certsrv server)