[Wikitech-l] Windows Single Sign-On Extension
François St-Arnaud
2016-02-09 17:20:59 UTC
Hello,

To enable Single Sign-On to a MediaWiki hosted on IIS in a Windows Domain, the best MediaWiki extension I could find was NTLMActiveDirectory.
https://www.mediawiki.org/wiki/Extension:NTLMActiveDirectory

However, I had two peeves with this extension:
1) Its name; I'm not doing NTLM, but Negotiate and Kerberos; and
2) Its use of LDAP; feels too much like a wart on Windows!

See, I'm sitting on an IIS box on a Windows domain with Integrated Windows Authentication enabled. By the time the MW extension gets hit, IIS has already authenticated the user, so why not just leverage that instead?

I therefore used NTLMActiveDirectory as a starting point, but threw out all the LDAP stuff and replaced it with a simple Web call to an IIS-hosted handler to get the AD group membership for the already authenticated user. Of NTLMActiveDirectory, I kept the AD / MW group mapping configuration required for authorization.

Personally, I find this solution much simpler and more intuitive for AD integration when hosting MW on a Windows/IIS box.

Does this make sense to others in the community?
Do others feel there was a need for a better AD integration extension?
Would others in the community benefit from such an extension?

If so, I would be happy to share my work, following instructions found here:
https://www.mediawiki.org/wiki/Writing_an_extension_for_deployment

Regards,

François
Ryan Lane
2016-02-09 19:43:22 UTC
The best option here is:
https://www.mediawiki.org/wiki/Extension:LDAP_Authentication

I'm not sure why you think LDAP is a wart on Windows. Active Directory is
just LDAP with Kerberos.

Anyway, the LDAP Authentication extension has examples of how to do
auto-auth using kerberos. You still need LDAP for things like group
membership, username conversion, and other integrations.

- Ryan
_______________________________________________
Wikitech-l mailing list
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
François St-Arnaud
2016-02-09 22:35:15 UTC
Thanks, I'll take a closer look at your extension.

Well, although I understand that using LDAP against AD is supposed to work mostly seamlessly, I've had troubles trying to use it in our client's domain, mostly due to GPOs and other security constraints. For one thing, LDAP, even TLS-secured, is not authorized for authentication in the domain. Also, LDAP starts to feel like a wart -- or overkill -- when I have to require and configure a PHP LDAP client on the Web server and send LDAP requests when I know that the web server I'm sitting on, IIS, has already authenticated the user via Negotiate/Kerberos and already knows the user's AD group membership and other such information.

Hence, I feel that the approach of a simple loopback call from the extension back to a .NET ASHX web handler -- which is readily available via an API in that environment -- is more elegant. For example, to get the AD group membership of the currently logged-in user (some lines removed for clarity):

In PHP, using curl:

    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, 'roles.ashx');        // URL of the handler below
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);     // return the body instead of printing it
    $result = curl_exec($curl);
    curl_close($curl);
    $wgAuth->userADGroups = json_decode($result, true);   // decode the JSON array of group names

In C#, in a roles.ashx file deployed with the extension on the IIS server:

    using System.Web;            // HttpContext, HttpUtility
    using System.Web.Security;   // Roles

    public void ProcessRequest (HttpContext context) {
        // JSON media type, so the PHP side can treat the body as JSON
        context.Response.ContentType = "application/json";
        context.Response.Write("[");
        // Roles of the user IIS authenticated for this request (the caller of the handler)
        string[] roles = Roles.GetRolesForUser();
        int i = 0;
        int count = roles.Length;
        foreach (var role in roles)
        {
            // Escape quotes and backslashes so a group name cannot break the JSON
            context.Response.Write('"' + HttpUtility.JavaScriptStringEncode(role) + '"');
            if (++i != count) context.Response.Write(',');
        }
        context.Response.Write(']');
        context.Response.End();
    }

- François

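The PHP side of the loopback call, as an added example that is not code from the thread or from NTLMActiveDirectory: it parses the handler's JSON fail-closed (a broken or unexpected answer grants no groups) and maps AD groups to MediaWiki groups through an explicit allowlist. The handler URL, the mapping entries and the sample response are assumed placeholders.

```php
<?php
// Added example; not code from the thread or from NTLMActiveDirectory. The handler URL,
// the contents of $mapping and $sampleResponse are placeholders / constructed data.

/**
 * Turn the handler's JSON body into a list of AD group names.
 * Anything that is not a JSON array of strings yields an empty list, so a broken
 * or unexpected answer grants no groups instead of a guessed set.
 */
function parseGroupResponse( string $body ): array {
    $decoded = json_decode( $body, true );
    if ( !is_array( $decoded ) ) {
        return [];
    }
    return array_values( array_filter( $decoded, 'is_string' ) );
}

/**
 * Call the IIS-hosted handler over loopback and parse its answer.
 * A non-200 status (for example a 401 if the handler is not reachable
 * anonymously) or a transport error also yields an empty list.
 */
function fetchAdGroups( string $handlerUrl, int $timeoutSeconds = 5 ): array {
    $curl = curl_init();
    curl_setopt_array( $curl, [
        CURLOPT_URL => $handlerUrl,
        CURLOPT_RETURNTRANSFER => true,   // hand the body back instead of echoing it
        CURLOPT_TIMEOUT => $timeoutSeconds,
    ] );
    $body = curl_exec( $curl );
    $status = curl_getinfo( $curl, CURLINFO_HTTP_CODE );
    curl_close( $curl );
    if ( $body === false || $status !== 200 ) {
        return [];
    }
    return parseGroupResponse( $body );
}

/**
 * Map AD group names to MediaWiki groups through an explicit allowlist.
 * AD groups absent from the map grant nothing. Comparison is case-insensitive,
 * as AD group names are.
 */
function mapAdGroupsToMwGroups( array $adGroups, array $mapping ): array {
    $byLowerName = [];
    foreach ( $mapping as $adGroup => $mwGroups ) {
        $byLowerName[strtolower( $adGroup )] = (array)$mwGroups;
    }
    $result = [];
    foreach ( $adGroups as $adGroup ) {
        $key = strtolower( $adGroup );
        if ( isset( $byLowerName[$key] ) ) {
            $result = array_merge( $result, $byLowerName[$key] );
        }
    }
    return array_values( array_unique( $result ) );
}

// Placeholder mapping, in the spirit of NTLMActiveDirectory's AD / MW group configuration.
$mapping = [
    'DOMAIN\Wiki Editors' => [ 'editor' ],
    'DOMAIN\Wiki Admins'  => [ 'sysop', 'bureaucrat' ],
];

// Constructed sample of a handler response, used here instead of a live loopback call
// (in the extension, fetchAdGroups( 'http://localhost/roles.ashx' ) would replace it).
$sampleResponse = '["DOMAIN\\\\Wiki Editors","DOMAIN\\\\Finance"]';
$mwGroups = mapAdGroupsToMwGroups( parseGroupResponse( $sampleResponse ), $mapping );
var_dump( $mwGroups ); // print the resulting MediaWiki groups
```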
Ryan Lane
2016-02-09 22:40:47 UTC
If this is what you'll need, you're going to need to write a custom
extension. None of the existing auth extensions do this.
François St-Arnaud
2016-02-10 02:06:47 UTC
Right. As mentioned in my first post, I have already created a custom extension using this approach and NTLMActiveDirectory as a starting point.
Now, I wonder if it is worth sharing with the community, if others would benefit from an LDAP-less SSO solution for MW hosted on IIS?

Ryan Lane
2016-02-10 02:08:38 UTC
Never hurts :)
Gergo Tisza
2016-02-10 17:19:09 UTC
Note that the way authentication extensions need to be written is just
about to change:
https://www.mediawiki.org/wiki/User:Anomie/SessionManager_and_AuthManager
François St-Arnaud
2016-02-10 21:11:07 UTC
Thanks Gergo, timely information! When is this new authentication mechanism slated to make it to the baseline? Is it planned / on track for 1.27? Will (have) existing extensions be (been) adapted? Where can I see examples of adapted extensions (link to a branch in Phabricator, perhaps)?

Gergo Tisza
2016-02-15 03:50:17 UTC
Post by François St-Arnaud
When is this new authentication mechanism slated to make it to the
baseline? Is it planned / on track for 1.27?
It's planned to happen before 1.27. Probably not long before, though.
Post by François St-Arnaud
Will (have) existing extensions be (been) adapted?
We plan to update all extensions that are deployed on the Wikimedia cluster
( https://phabricator.wikimedia.org/T110282 ), but not other affected
extensions ( https://phabricator.wikimedia.org/T110291 ).
Post by François St-Arnaud
Where can I see examples of adapted extensions (link to a branch in
Phabricator, perhaps)?
https://gerrit.wikimedia.org/r/#/c/251930/ is probably the one that's
interesting to you.
