All you need is the mod_auth_sspiApache module.

您所需要的只是mod_auth_sspiApache 模块。

Sample configuration:

示例配置：

AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain mydomain

# Set this if you want to allow access with clients that do not support NTLM, or via proxy from outside. Don't forget to require SSL in this case!
SSPIOfferBasic On

# Set this if you have only one domain and don't want the MYDOMAIN\ prefix on each user name
SSPIOmitDomain On

# AD user names are case-insensitive, so use this for normalization if your application's user names are case-sensitive
SSPIUsernameCase Lower
AuthName "Some text to prompt for domain credentials"
Require valid-user

And don't forget that you can also use Firefox for transparent SSO in a Windows domain: Simply go to about:config, search for network.automatic-ntlm-auth.trusted-uris, and enter the host name or FQDN of your internal application (like myserver or myserver.corp.domain.com). You can have more than one entry, it's a comma-separated list.

并且不要忘记，您还可以在 Windows 域中使用 Firefox 进行透明 SSO：只需转到about:config，搜索network.automatic-ntlm-auth.trusted-uris并输入您的内部应用程序的主机名或 FQDN（如 myserver 或 myserver.corp.domain.com）。您可以有多个条目，它是一个以逗号分隔的列表。

I had a similar problem which I needed to solve for my organization.

我有一个类似的问题，我需要为我的组织解决这个问题。

I was looking into using adLDAP.

我正在考虑使用adLDAP。

There is some documentation on the site for achieving seamless authentication with Active Directory too.

站点上也有一些文档可用于实现与 Active Directory 的无缝身份验证。

I'd be curious about a solution that uses OpenID as a backend (of sorts) for this... I wasn't seeing anything that would hook into ActiveDirectory directly when I googled (quickly). However, it could be pretty painless to implement over plain HTTP(S) (you'd be an OpenID provider that checked credentials against your local AD). In a best case scenario, you might be able to just add a couple classes to your app and be off and running -- no web server modules required. There is a lot of open source code out there for either side of this, so if nothing else, it's worth taking a look. If you exposed the backend to the users (i.e. gave them OpenID URLs), you'd have the added benefit of them being able to log in to more than just your internal sites using these credentials. (Example: Stack Overflow.)

我很好奇使用 OpenID 作为后端（各种）的解决方案......当我（快速）搜索时，我没有看到任何可以直接连接到 ActiveDirectory 的东西。但是，通过纯 HTTP(S) 实现可能非常轻松（您将成为 OpenID 提供者，根据您的本地 AD 检查凭据）。在最好的情况下，您可能只需向您的应用程序添加几个类，然后就可以关闭并运行——不需要 Web 服务器模块。这方面有很多开源代码，所以如果没有别的，值得一看。如果您向用户公开后端（即给他们 OpenID URL），您将获得额外的好处，即他们能够使用这些凭据登录到更多的内部站点。（例如：堆栈溢出。）

As an aside, I'd be against making it so that Internet Explorer is required. I'm not sure if that is the goal from the way you wrote the question, but depending on your IT environment, I'd expect people who use Firefox or Safari (or Opera or ...) to be less than enthusiastic. (You're not developing against IE first, are you? That's been painful whenever I've done so.) This is not to say that you couldn't use this feature of IE, just that it shouldn't be the only option. The link you posted stated that NTLM worked with more than IE, but since I don't have any experience with it, it's hard to judge how well that would work.

顺便说一句，我反对这样做，因此需要 Internet Explorer。我不确定这是否是您编写问题的方式的目标，但根据您的 IT 环境，我希望使用 Firefox 或 Safari（或 Opera 或 ...）的人不那么热情。（您不是首先针对 IE 进行开发，是吗？每当我这样做时，这都很痛苦。）这并不是说您不能使用 IE 的此功能，只是它不应该是唯一的选择. 您发布的链接指出 NTLM 不仅适用于 IE，但由于我没有任何经验，因此很难判断它的效果如何。

One option for you is to use CAS (central authentication service).

您的一种选择是使用 CAS（中央身份验证服务）。

It has php client library.

它有php客户端库。

How-to link to MS Active Directory: http://www.ja-sig.org/wiki/display/CASUM/Active+Directory

如何链接到 MS Active Directory：http: //www.ja-sig.org/wiki/display/CASUM/Active+Directory

You would require Apache maven 2 though.

不过，您将需要 Apache maven 2。

For IIS/PHP FCGI, You need to send out an unauthorized header:

对于 IIS/PHP FCGI，您需要发送未经授权的标头：

function EnableAuthentication()
{
    $realm = "yoursite";
    header('WWW-Authenticate: Digest realm="'.$realm.'",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
    header("HTTP/1.1 401 Unauthorized"); 
    exit;
}

You can then get at the username with:

然后，您可以通过以下方式获取用户名：

$winuser = $_SERVER["REMOTE_USER"];

I then make sure the $winuser is in my database of allowed users.

然后我确保 $winuser 在我的允许用户数据库中。

Be SURE and test this under a non-privileged account. When I first installed this I tested it and it worked fine, but later when a standard non-server-admin user tried it this failed. Turns out some of the temporary directories need to have permissions changed for guest users. I can't recall the exact settings.

请确保并在非特权帐户下进行测试。当我第一次安装它时，我测试了它并且它运行良好，但后来当标准的非服务器管理员用户尝试它时失败了。事实证明，一些临时目录需要为来宾用户更改权限。我不记得确切的设置。