I have a very odd issue where we have an IIS web server with integrated authentication turned on and PHP installed, and if 2 users hit the server within 20 seconds of each other, sometimes the 2nd user gets logged in as the first user.
I should point out that we pick up the authenticated user using the $_SERVER['PHP_AUTH_USER'] variable.
I've checked the security audit on the machine running IIS, and I can see that the 2 users hit the logs, and the first user generates 2 logs, but the 2nd user only generates one log.
This is the security audit of the 1st user, and both events for this user are exactly the same.
I have blanked out the TargetUserSid and modified the values of the TargetUserName, TargetDomain and WorkstationName, but everything else is as it was.
- EventData
SubjectUserSid S-1-0-0
SubjectUserName -
SubjectDomainName -
SubjectLogonId 0x0
TargetUserSid S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-29737
TargetUserName user1
TargetDomainName MYDOMAIN
TargetLogonId 0x16e5e071
LogonType 3
LogonProcessName NtLmSsp
AuthenticationPackageName NTLM
WorkstationName Machine1
LogonGuid {00000000-0000-0000-0000-000000000000}
TransmittedServices -
LmPackageName NTLM V2
KeyLength 0
ProcessId 0x0
ProcessName -
IpAddress -
IpPort -
ImpersonationLevel %%1833
Then for the 2nd user, which was only 20 seconds later:
- EventData
SubjectUserSid S-1-0-0
SubjectUserName -
SubjectDomainName -
SubjectLogonId 0x0
TargetUserSid S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-3185
TargetUserName user2
TargetDomainName MYDOMAIN
TargetLogonId 0x16e5ea77
LogonType 3
LogonProcessName NtLmSsp
AuthenticationPackageName NTLM
WorkstationName Machine2
LogonGuid {00000000-0000-0000-0000-000000000000}
TransmittedServices -
LmPackageName NTLM V2
KeyLength 128
ProcessId 0x0
ProcessName -
IpAddress -
IpPort -
ImpersonationLevel %%1833
The only difference I can see is that the 2nd user only has 1 log instead of 2, and the log for the 2nd user has a KeyLength specified when the 1st user's doesn't.
I've checked all the other events and every user generates 2 events at the exact same time and has KeyLengths of 0, so I think this is what might be causing it, but does anyone have any idea why?