Constrained Delegation issue with PHP under IIS

[kevinlo]

I’m having a somewhat complex problem with Kerberos delegation and PHP.  Running PHP cgi version 4.3.8.8 under IIS6.  The PHP application needs to forward the user’s credentials to SQL Server running on a separate machine.  I’m able to get this to work using the php cgi program and setting up “Normal” delegation in Active Directory.  The customer, however, requires constrained delegation to be used.  This requirement is due to the initial login with Secure Channel and the need to transition to Kerberos, an option only supported under constrained delegation. 

 

I’ve been able to get an ASP script to work with constrained delegation.  In Active Directory we set delegation for the IIS machine to “Trust this computer for delegation to specified services only” and select the option “Use any application protocol”.  We then specify the SPN for MSSQLServer. 

 

However, with the same settings in AD, PHP returns the error “Login failed for user ‘(null)’.  Reason:  Not associated with a trusted SQL Server connection.”.  This is an ODBC connection.

 

Because normal, non-constrained, delegation works with PHP, it seems possible to get constrained delegation to work, but I’ve had no luck yet.  I’ve tried the php isapi extension which had problems with our applications.  FastCGI did not impersonate the user at all

 

I’ve exhausted searching the internet and php groups for answers.  I even opened a ticket with Microsoft, but their support ended with ASP.  Any ideas?  Is this possible?

 

Thanks, Kevin