I would like to establish a connection to the Microsoft Exchange Web Service (EWS) using PHP and CURL. The authentication method should be negotiate. Using NTLM is not desirable for security reasons, so you have to switch to Kerberos.
I use as System: Windows OS with Apache 2.4.55 PHP 7.4.33 CURL has the following features: Features AsynchDNS Yes CharConv No Debug No GSS Negotiate No IDN Yes IPv6 Yes krb4 No Large file Yes libz Yes NTLM Yes NTLMWB No SPNEGO Yes SSL Yes SSPI Yes TLS SRP No HTTP2 Yes GSSAPI No KERBEROS5 Yes UNIX_SOCKETS Yes PSL No HTTPS_PROXY Yes MULTI_SSL No BROTLI No
We use: Exchange Server 2016 with extended protection: https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-extended-protection?view=exchserver-2019
On the exchange server I created the http.keytab using ktpass, then integrated it into PHP and CURL.
I tried to establish the connection with the following PHP code:
$url = 'https://192.168.1.2/EWS/Exchange.asmx';
$keytabPath = 'c:\kerberos\http.keytab';
$servicePrincipal = "[email protected]";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Authorization: Negotiate"]);
curl_setopt($ch, CURLOPT_SERVICE_NAME, $servicePrincipal);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_NEGOTIATE);
curl_setopt($ch, CURLOPT_KEYPASSWD, file_get_contents($keytabPath));
curl_setopt($ch, CURLOPT_KEYTAB, $keytabPath);
curl_setopt($ch, CURLOPT_USERPWD, "EXCH2016ASA:");
$response = curl_exec($ch);
The result is always an http 400 error (HTTP Error 400. The request has an invalid header name). How exactly do I have to set the CURL OPT settings in conjunction with CURLAUTH_NEGOTIATE?
Thanks