This question about Configuration, Upgrading from TWiki to Foswiki, Authentication or Authorisation, LDAP: Answered
Proven Integration into MS Active Directory Kerberos Auth environment
Also relates to:
Upgrading from TWiki
I realize MS isn't as big a player in Europe, but… do any of you guys have serious on-the-ground proven experience integrating FW into a Microsoft Active Directory environment? The client wanted integration with their existing backend applications, hoping to replace MS Sharepoint with TWiki. Single Sign-on was the sticking point. It took 5 months and didn't quite work.
Contract started in November. I came onboard in mid-March. AD integration was almost finished. SSO not begun.
We (they) know about LdapContrib
. They had that configured and working in March. What they didn't have until mid-April was SSO. Users needed to authenticate twice, once for Intranet, again for TWiki. The client wants seamless.
SSO (Kerberos) was turned on two weeks ago and it didn't go well...
When SSO/Kerberos was turned on (in Apache?), it tossed me (and my *nix/Mac environment) out of the mix. I could log into the client Intranet through VPN, but got "unauthorized" errors trying to access the wiki. The only way I could reach it was from IE on an internal Windows VM. In theory, I should have been able to configure Mac OS X for Kerberos (support is built in) but I didn't know how and I didn't get that far.
Apparently, it was difficult to set TWiki up to fail back to Wiki template login. There was also no way to log out of the wiki. No way to view as Guest. No way to log in as another user.
That (and a few other things) gave the client the heebie jeebies. The client had a bunch of internal meetings early this week and ended the contract.
"There are several factors which weigh in, but my primary concerns deal with future supportability, its integration with AD and any other potential connections we envision to other services. There are just too many unknowns at this time. "
If I could point the client to someone who has done this successfully
-- upgraded a Win-backed client from SharePoint
to FW -- that would be potentially good for both of us.
"I need to read the docs and do a bunch of research because this is hard" is not what they ever want to hear again.
It's not Enterprise-ready if you can't just plug it into an Enterprise setup.
- 03 May 2017
I can't talk much for TWiki anymore and what best practices there are for it to integrate into a MS Active Directory kerberos.
Foswiki, however, does just fine.
99.9% of all installs of Foswiki in corporate intranets are facing a Microsoft Active Directory environment. In other words: this is a fixed setting, including kerberos-based single sign on.
Please read Extensions.LdapContrib#Single_Sign_On_and_LdapContrib
. It comes with a
manager that does indeed fall back to template login in case the browser isn't offering a ticket to the system. This implementation doesn't require Apache anymore either. It does just fine with Nginx as well, as
depend on the HTTP server to do the kerberos handshake anymore. Foswiki's LdapContrib
does this on its own, and thus is able to fall back to a template login in a natural way.
has made SSO a lot easier to set up. The only task that needs more care is integrating the Foswiki server itself into the domain, as well as extracting a proper keytab from AD.
This set-up is used reliably in multiple production environments.
- 04 May 2017
I'm not particularly thinking of TWiki at this point. I want to give the former (potential future) client some hope.
- 05 May 2017