This question about Configuration, Upgrading from TWiki to Foswiki, Authentication or Authorisation, LDAP: Answered

Proven Integration into MS Active Directory Kerberos Auth environment

Also relates to: Installation, Upgrading from TWiki, Configuration

I realize MS isn't as big a player in Europe, but… do any of you guys have serious on-the-ground proven experience integrating FW into a Microsoft Active Directory environment? The client wanted integration with their existing backend applications, hoping to replace MS Sharepoint with TWiki. Single Sign-on was the sticking point. It took 5 months and didn't quite work.

Contract started in November. I came onboard in mid-March. AD integration was almost finished. SSO not begun.

We (they) know about LdapContrib and LdapNgPlugin. They had that configured and working in March. What they didn't have until mid-April was SSO. Users needed to authenticate twice, once for Intranet, again for TWiki. The client wants seamless.

SSO (Kerberos) was turned on two weeks ago and it didn't go well...

When SSO/Kerberos was turned on (in Apache?), it tossed me (and my *nix/Mac environment) out of the mix. I could log into the client Intranet through VPN, but got "unauthorized" errors trying to access the wiki. The only way I could reach it was from IE on an internal Windows VM. In theory, I should have been able to configure Mac OS X for Kerberos (support is built in) but I didn't know how and I didn't get that far.

Apparently, it was difficult to set TWiki up to fail back to Wiki template login. There was also no way to log out of the wiki. No way to view as Guest. No way to log in as another user. That (and a few other things) gave the client the heebie jeebies. The client had a bunch of internal meetings early this week and ended the contract.

"There are several factors which weigh in, but my primary concerns deal with future supportability, its integration with AD and any other potential connections we envision to other services. There are just too many unknowns at this time."

If I could point the client to someone who has done this successfully -- upgraded a Win-backed client from SharePoint to FW -- that would be potentially good for both of us.

"I need to read the docs and do a bunch of research because this is hard" is not what they ever want to hear again.

It's not Enterprise-ready if you can't just plug it into an Enterprise setup. :-(

- V.

-- Main.VickiBrown - 03 May 2017

I can't speak much for TWiki anymore, or for what best practices there are for integrating it into an MS Active Directory Kerberos environment.

Foswiki, however, does just fine.

99.9% of all installs of Foswiki in corporate intranets are facing a Microsoft Active Directory environment. In other words: this is a fixed setting, including Kerberos-based single sign-on.

Please read Extensions.LdapContrib#Single_Sign_On_and_LdapContrib. It comes with a KerberosLogin manager that does indeed fall back to template login in case the browser isn't offering a ticket to the system. This implementation doesn't require Apache anymore either. It does just fine with Nginx as well, as KerberosLogin does not depend on the HTTP server to do the Kerberos handshake anymore. Foswiki's LdapContrib does this on its own, and thus is able to fall back to a template login in a natural way.

LdapContrib's KerberosLogin has made SSO a lot easier to set up. The only task that needs more care is integrating the Foswiki server itself into the domain, as well as extracting a proper keytab from AD.

This set-up is used reliably in multiple production environments.

-- MichaelDaum - 04 May 2017
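The fallback behaviour described in the reply above (advertise Negotiate, accept a Kerberos ticket when the browser presents one, otherwise serve the template login) can be shown as a small request handler. This is an added illustration, not LdapContrib's or KerberosLogin's code: the handler, the `Response` class and the `demo_validate` stand-in for a GSSAPI ticket check are all assumptions made for the example, and the "ticket" values are constructed. It also handles one case a first implementation usually misses: a domain-joined browser that cannot obtain a service ticket often answers `Negotiate` with an NTLM message, which must be treated as "no ticket" so the user lands on the login form instead of an endless 401 loop (the case Vicki hit from a Mac outside the domain).

```python
import base64
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Stand-in for a GSSAPI accept_sec_context() call against the HTTP/<fqdn> keytab:
# returns the authenticated principal, or None if the token is not a valid ticket.
TokenValidator = Callable[[bytes], Optional[str]]

# Base64 of the "NTLMSSP\0" signature followed by message type 1. A browser that
# has no Kerberos ticket for the service frequently sends this instead of SPNEGO
# wrapping a Kerberos AP-REQ; it must not be handed to the Kerberos validator.
NTLM_PREFIX = "TlRMTVNTUAAB"

# Placeholder for the template login page the wiki would normally render.
LOGIN_FORM = "<form method='post' action='/login'>template login</form>"


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""
    user: Optional[str] = None


def handle_request(headers: Dict[str, str], validate: TokenValidator) -> Response:
    """Decide between SSO and template login for one request."""
    auth = headers.get("Authorization", "")

    if not auth.startswith("Negotiate "):
        # First contact: advertise SPNEGO, but ship the login form in the same 401.
        # A browser holding a ticket retries with a token; anything else (a Mac
        # outside the domain, curl, a user wanting to log in as someone else or as
        # guest) just renders the form. This is the "natural fallback".
        return Response(401, {"WWW-Authenticate": "Negotiate"}, LOGIN_FORM)

    token_b64 = auth[len("Negotiate "):].strip()

    if token_b64.startswith(NTLM_PREFIX):
        # NTLM, not Kerberos: serve the form without re-advertising Negotiate,
        # otherwise the browser keeps retrying and the user sees "unauthorized".
        return Response(401, {}, LOGIN_FORM)

    try:
        token = base64.b64decode(token_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return Response(401, {}, LOGIN_FORM)

    principal = validate(token)
    if principal is None:
        # Ticket for the wrong SPN, expired, wrong keytab, etc.: fall back, and log
        # the failure server-side so keytab problems are visible during rollout.
        return Response(401, {}, LOGIN_FORM)

    # Map user@REALM to the wiki login name. Dropping the realm assumes a single
    # realm; multi-domain forests need an explicit realm-to-login mapping.
    user = principal.split("@", 1)[0]
    return Response(200, {}, f"Welcome {user}", user)


def negotiate_header(token: bytes) -> str:
    """Build the header a browser sends once it has obtained a service ticket."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed validator for the demo only: a real deployment validates the token
# with GSSAPI and the service keytab extracted from AD.
DEMO_TICKETS = {b"constructed-ticket-for-vbrown": "vbrown@CORP.EXAMPLE"}


def demo_validate(token: bytes) -> Optional[str]:
    return DEMO_TICKETS.get(token)


if __name__ == "__main__":
    print(handle_request({}, demo_validate))
    print(handle_request({"Authorization": negotiate_header(b"constructed-ticket-for-vbrown")}, demo_validate))
    print(handle_request({"Authorization": "Negotiate " + NTLM_PREFIX + "AAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="}, demo_validate))
```

The point of serving the form inside the first 401 is that "log out", "view as guest" and "log in as another user" all become possible again: the session cookie is what the wiki trusts after the handshake, so clearing it and refusing to re-accept a ticket for that session drops the user onto the form.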

I'm not particularly thinking of TWiki at this point. I want to give the former (potential future) client some hope.

-- VickiBrown - 05 May 2017
QuestionForm

Subject: Configuration, Upgrading from TWiki to Foswiki, Authentication or Authorisation, LDAP
Extension: LdapContrib
Version:
Status: Answered
Related Topics:

Topic revision: r4 - 05 May 2017, VickiBrown
