Automatic Logon to Mediawiki Using IIS
Here's what I'm working with:
Windows Server 2008 R2 (AD environment)
IIS 7.5
OpenLDAP (for the CA certificate handling)
Mediawiki 1.17
PHP 5.3.8
MySQL 5.1.50
LDAPAuthentication v.1.2h
Everything is working fine, except I'm unable to figure out how to go about having domain users automatically authenticate to Mediawiki using my current setup. Is there anything special that I should do when using IIS, since all documentation I've seen heavily favors Apache? Thanks.
-Chris
Never mind. I seem to have gotten auto-authentication working with IIS. If anyone is interested, I'll post what I did later.
Sounds like a great idea for my intranet... Would you post it please?
Here's what I did to get my setup working...
LocalSettings.php file
## LDAP Authentication Plugin
require_once( "$IP/extensions/LdapAuthentication/LdapAutoAuthentication.php" );
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgLDAPDomainNames = array( "DOMAIN" );
$wgLDAPGroupBaseDNs = array( "DOMAIN" => "ou=groups,dc=domain,dc=org" );
$wgLDAPAutoAuthDomain = "DOMAIN";
$wgLDAPGroupUseFullDN = array( "DOMAIN" => true );
$wgLDAPServerNames = array( "DOMAIN" => "vw2k8-adfsmo2.domain.org" );
$wgLDAPSearchStrings = array( "DOMAIN" => "DOMAIN\USER-NAME" );
$wgLDAPSearchAttributes = array( "DOMAIN" => "sAMAccountName" );
$wgLDAPBaseDNs = array( "DOMAIN" => "dc=domain,dc=org" );
$wgLDAPEncryptionType = array( "DOMAIN" => "ssl" );
$wgMinimalPasswordLength = 1;

# Configure LDAP Group settings
$wgLDAPUseLDAPGroups = array( "DOMAIN" => true );
$wgLDAPGroupObjectclass = array( "DOMAIN" => "group" );
$wgLDAPGroupAttribute = array( "DOMAIN" => "member" );
$wgLDAPGroupNameAttribute = array( "DOMAIN" => "cn" );

# Restrict anonymous users
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;

# Remove the domain portion of the displayed username. Example: "DOMAIN\username" to "username"
# (explode() on a single backslash replaces split(), which is deprecated as of PHP 5.3)
list( $dom, $userid ) = explode( '\\', $_SERVER['REMOTE_USER'], 2 );
$wgLDAPAutoAuthUsername = $userid;
AutoAuthSetup();
Note: Absent from the config are $wgLDAPProxyAgent and $wgLDAPProxyAgentPassword. You will probably need these. I didn't for some reason, so I omitted them.
Forcing Kerberos Authentication on IIS
Helpful link: http://technet.microsoft.com/en-us/library/cc754628(WS.10).aspx
Important Quote from TechNet: The default setting for Windows authentication is Negotiate. This setting means that the client can select the appropriate security support provider. To force NTLM authentication, you must change the value of the <Provider> element under the <windowsAuthentication> element in the ApplicationHost.config file.
I changed my ApplicationHost.config file to look like this:
<windowsAuthentication enabled="false">
    <providers>
        <add value="NTLM" />
        <!-- <add value="Negotiate" /> -->
    </providers>
</windowsAuthentication>
Configuring OpenLDAP client
Read the following link for requesting an SSL certificate for IIS: http://support.microsoft.com/kb/299875
Helpful link: http://www.ashleyknowles.net/2011/07/iis-php-and-ldaps-with-active-directory/
C:\OpenLDAP\sysconf\ldap.conf
# ldap.conf contains the following
TLS_REQCERT never
TLS_CACERT C:\openldap\sysconf\webcert.crt
Okay. That's all I can think of at the moment. If I feel I missed anything, I'll update this post.
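The LocalSettings.php snippet above takes whatever IIS puts in REMOTE_USER, splits it on the backslash and hands the right-hand part to the extension as the auto-auth username. As an added example (not code from the original post or from the LDAP Authentication extension), the function below does the same job but only accepts identities from the domain configured in $wgLDAPAutoAuthDomain, and refuses to auto-log-in when REMOTE_USER is missing, has no domain qualifier, names a different domain, or contains characters that are not plausible in an sAMAccountName. The function name ldapAutoAuthUsername, the allow-list pattern, and the sample REMOTE_USER values are assumptions made for this example; the behaviour of leaving $wgLDAPAutoAuthUsername unset so that the extension shows its normal login form is also an assumption about the extension and should be checked against the version in use.

```php
<?php
// Added example, not from the original post. Run with "php thisfile.php" to see
// the constructed sample values below; in LocalSettings.php, place the call to
// ldapAutoAuthUsername() directly before AutoAuthSetup().

/**
 * Derive the bare account name from IIS's REMOTE_USER ("DOMAIN\username").
 *
 * Returns the account name when $remoteUser belongs to $expectedDomain,
 * or null when REMOTE_USER is empty, unqualified, from another domain, or
 * contains characters outside a conservative account-name allow-list.
 */
function ldapAutoAuthUsername( $remoteUser, $expectedDomain ) {
    if ( !is_string( $remoteUser ) || $remoteUser === '' ) {
        return null; // IIS did not authenticate the request
    }
    if ( strpos( $remoteUser, '\\' ) === false ) {
        return null; // no "DOMAIN\" qualifier: refuse rather than guess
    }
    // explode() on a single backslash; split() is deprecated as of PHP 5.3
    list( $domain, $account ) = explode( '\\', $remoteUser, 2 );

    // Only the configured auto-auth domain may be mapped onto wiki accounts
    if ( strcasecmp( $domain, $expectedDomain ) !== 0 ) {
        return null;
    }
    // Allow-list (assumption): letters, digits, dot, underscore, hyphen
    if ( !preg_match( '/^[A-Za-z0-9._-]{1,64}$/', $account ) ) {
        return null;
    }
    return $account;
}

// Same value as in the LocalSettings.php from the post
$wgLDAPAutoAuthDomain = "DOMAIN";

// Constructed sample inputs used when this file runs outside IIS
$samples = array(
    'DOMAIN\\chris',          // accepted -> "chris"
    'domain\\Chris.Smith',    // accepted (case-insensitive domain) -> "Chris.Smith"
    'OTHERDOM\\chris',        // rejected: wrong domain
    'chris',                  // rejected: no domain qualifier
    'DOMAIN\\chris<script>',  // rejected: characters outside the allow-list
    '',                       // rejected: not authenticated
);

if ( isset( $_SERVER['REMOTE_USER'] ) ) {
    $userid = ldapAutoAuthUsername( $_SERVER['REMOTE_USER'], $wgLDAPAutoAuthDomain );
    if ( $userid !== null ) {
        // Only set the auto-auth username when IIS supplied a trusted identity;
        // leaving it unset is assumed to fall back to the ordinary login form.
        $wgLDAPAutoAuthUsername = $userid;
    }
} else {
    foreach ( $samples as $remoteUser ) {
        $result = ldapAutoAuthUsername( $remoteUser, $wgLDAPAutoAuthDomain );
        printf( "%-24s => %s\n", var_export( $remoteUser, true ),
            $result === null ? 'rejected' : $result );
    }
}
```

The check matters because the original one-liner trusts the whole header: with `list($dom,$userid) = split(...)`, a REMOTE_USER without a backslash leaves $userid undefined (a PHP notice and an empty auto-auth username), and an identity from a domain other than $wgLDAPAutoAuthDomain would still be handed to the extension as if it were local.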