SQL Server Driver for PHP: Understanding Windows Authentication

In my last post, I provided an overview of using the SQL Server Driver for PHP. One of the driver features I didn’t mention in that post is the support for Integrated Windows Authentication when connecting to a server. So, that’s what I’ll take a closer look at in this post.


I must confess that when I first tried using Windows authentication with the driver, I was puzzled. I was logged in to my computer as Microsoft\brian.swan, and I know that is a valid login for my database server. But every time I tried to connect, I got this error:


Login failed for user 'NT AUTHORITY\IUSR'


Where did the NT AUTHORITY\IUSER identity come from, and why was it being used to connect to my server? Why wasn’t my identity used in the connection attempt? I had some digging to do.


The syntax for using Windows Authentication with the driver was easy: omit the UID and PWD entries in the $connectionOptions array when you establish a connection:


$serverName = “(local)”;

$connectionOptions = array(“Database” => “TestDB”);

// Because UID and PWD are not specified in the connection options,

// the connection is made with Windows Authentication.

$conn = sqlsrv_connect($serverName, $connectionOptions);


But understanding what identity was being used in the connection attempt was confusing. What helped clear up my confusion was learning this: The identity that is used to connect to the server will always be the identity of the process in which PHP is running. That may be a bit oversimplified (impersonation allows the process to temporarily use a different identity), but understanding this allowed me to move forward. After some more digging and some experimentation, I found I needed to answer two questions to know what identity would be used in the connection attempt:


1)      What was the authentication mode for IIS? (Anonymous authentication? Windows authentication? Both?)

2)      Was impersonation for the FastCGI module on or off? (i.e. Was the  fastcgi.impersonate setting in my php.ini file set to 0 or 1?)


Here’s what I found:


A.      IIS Anonymous Authentication enabled and fastcgi.impersonate = 1: Because I was connecting to IIS anonymously, the built-in anonymous account (which is NT AUTHORITY\IUSER by default in IIS 7.0+) was impersonated. So, my connection attempt failed because this identity does not map to a valid login on my server.


B.      IIS Anonymous Authentication enabled and fastcgi.impersonate = 0: Because impersonation was off, my identity was not used as the identity of the PHP process. Instead, the actual identity of the PHP process was used in the connection attempt. In IIS 7.5, the identity of the PHP process depends on the identity of the application pool it is running in. In this case, PHP was in the default application pool and the identity used in the connection attempt was IIS APPPOOL\DefaultAppPool (so my connection attempt failed). This article provides more information about different versions of IIS and the identity of applications: Who is my IIS Application Process Identity?


C.      IIS Windows Authentication enabled and fastcgi.impersonate = 1: With Windows authentication enabled (and Anonymous Authentication disabled), I connected to IIS with the identity that my Web browser was running under (Microsoft\brian.swan, the identity I logged in with). And, with impersonation on, the PHP process ran under the Microsoft\brian.swan identity. So, since that identity mapped to a valid login on my server, my connection attempt succeeded.


D.      IIS Windows Authentication enabled and fastcgi.impersonate = 0: The results here were the same as with Anonymous authentication enabled and fastcgi.impersonate = 0 (the connection attempt failed). The only difference occurred when I requested the page from the Web server: a pop-up window asked for my identity when I requested the page.


E.       Both Anonymous and Windows Authentication enabled: Web browsers will try to access a Web server by using anonymous authentication first. So, if both Anonymous and Windows Authentication are both enabled, the results will be the same as those above where Anonymous Authentication is enabled (A and B). For more background on this, see How IIS authenticates Web browser clients


You can play with these settings and identities yourself:


·         To turn impersonation on or off, set fastcgi.impersonate = 1 (on) or fastcgi.impersonate = 0 (off) in your php.ini file and restart your Web server.


A note about impersonation: My Web server and database server are on the same physical machine. If your client, Web server, and database server are all on different machines, the client identity may not be passed to the database server even when impersonation is on. This article has more information: IIS, Windows Authentication, and the Double Hop Issue.


·         Configure Windows Authentication (IIS 7)

·         Specify an Identity for an Application Pool (IIS 7)

·         Change an Application Pool for an Application (IIS 7)

·         Create an Application Pool (IIS 7)


Now that you know how to use Windows Authentication with the SQL Server Driver for PHP, you need to be careful. Make sure that the identity that is used to connect to the database server has only the permissions that you want it to. This article provides an overview of SQL Server security: Securing SQL Server.


I hope this helps you avoid some of the confusion I ran into with Windows Authentication and the SQL Server Driver for PHP.




Share this on Twitter

Comments (19)

  1. Vamsi says:

    Thanks Brian!

    I am struggling with this problem on my dev machine for weeks.

  2. Glad this helped…let me know if you run into more questions.


  3. Kunal says:


    I was very upset due to this error !

    You made my day 🙂

  4. Once again…glad this post helped. 🙂

  5. Mark says:

    Hi Brian, I wonder if you can help or point me in the right direction? I was using mssql_connect, but have upgraded php to 5.3.5 and so am now using sqlsrv_connect. I have seperate IIS and SQL servers.

    I am using sql server authentication so have assumed that the double hop issue should not be an issue and our UID and PWD should be passed all the way through however the following is not connecting to my SQL server.

    $server = "SERVERINSTANCE";

    $connectionInfo = array("Database"=>"dbname", "UID" => "user", "PWD" => "password");

    $con = sqlsrv_connect($server,$connectionInfo);

    Do you haVE any idea what I need to do to make this work? Any pointers, hints or tips you can share however big or small would be very, very much appreciated. Many thanks

  6. Mark Jackson says:

    Please ignore my previous questions and even remove it if you can. I realise a forum is a better place to post this comment so I have posted this in the SQL server driver for PHP forum.

  7. Luis says:


    just thinking perhaps is not enough time to update this post ? what's your recommendation in today approach to double step situation ?


  8. Luis-

    The easiest way to deal with double-hop authentication is to use SQL Authentication (user/password). Is that not an option for you?


  9. A great post for a sometimes confusing subject. says:

    Good work explaining things and linking to other resources.

  10. techuser says:

    This article references IIS. Can Windows Authentication to remote SQL Server  be accomplished with Apache 2.2, PHP 5.3.8?

  11. @techuser: I haven't tried using Windows Authentication with Apache in the mix. This article, however, looks like it would be a good start in figuring out what needs to be done: moinmo.in/…/WindowsDomainAuthentication


  12. Paul Lynch says:

    I have experimented with this and I have successfully been able to configure PHP with IIS 7.5/FastCGI and pass user credentials to a remote SQL datasource using Kerberos constrained delegation.

  13. Oliver says:

    I know that you posted this over 3 years ago… but if I was in close physical proximity to you, I would give you a huge high five and a beer. I usually work on a LAMP stack, but have been tasked with an intranet site at work hosted on IIS. I have been struggling with this the entire day. I just needed to change my php.ini setting. Cheers!

  14. Glad to know this is still helpful. I'll take you up on the beer. 🙂

  15. Angel says:

    Hi Brian,

    Very useful post but we have am scenario I don't know how to apply these settings.

    We want to run a php application and we need to access to a local sql server. We want to use the integrated security to allow the access to the application avoiding to use login page and we want akso to make use of the username pass in some functions to retrieve/insert data but we want to use a a single custom user to access the database. It's possible? How can we configure the sql connections and the application pool?

    Thans a lot!

  16. Basil Bear says:

    Hi Brian

    thank you for making this issue so understandable in your excellent article.

    Can you please devote all your spare time to rewriting every other confusing "explanation" on the web. 🙂


    Basil Bear

  17. Behrang Assemi says:

    Great! It was very helpful! Thank you!

  18. Michael says:

    Im using A, and am actually having my identity being used to connect, succesfully, to SQL. I’m using chrome, from a seperate machine. App pool identity is no-privleges “restserver”

    Very weird.

    1. Michael says:

      you can delete this mate. I worked out I had a user set for “Physical Path Credentials”

      Very strange things happen.

Skip to main content