DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports
Events Video Library
Over 2 million developers have joined DZone. Join Today! Thanks for visiting DZone today,
Edit Profile Manage Email Subscriptions Moderation Admin Console How to Post to DZone Article Submission Guidelines
View Profile
Sign Out
Refcards
Trend Reports
Events
View Events Video Library
Zones
Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks

Integrating PostgreSQL Databases with ANF: Join this workshop to learn how to create a PostgreSQL server using Instaclustr’s managed service

Mobile Database Essentials: Assess data needs, storage requirements, and more when leveraging databases for cloud and edge applications.

Monitoring and Observability for LLMs: Datadog and Google Cloud discuss how to achieve optimal AI model performance.

Automated Testing: The latest on architecture, TDD, and the benefits of AI and low-code tools.

Related

  • Easy Microdata in WordPress
  • Why PHP Is More Hated and Popular Than Ever Before
  • Deploy WordPress on AWS Using OpenEBS
  • Deploy WordPress on Kubernetes in 15 Minutes Using Helm

Trending

  • CI/CD Tools and Technologies: Unlock the Power of DevOps
  • Application Integration for IoT Devices: A Detailed Guide To Unifying Your Ecosystem
  • Supercharge Your Software Development Journey With DevOps, CI/CD, and Containers
  • Deploy Like a Pro: Mastering the Best Practices for Code Deployment

WordPress Auto Sign-On with IIS7 and a Plugin

For our WordPress engine, Simple LDAP Login provides sign-on through Active Directory via Active Directory credentials.

Maarten Balliauw user avatar by
Maarten Balliauw
·
May. 08, 11 · News
Like (0)
Save
Tweet
Share
21.43K Views

Join the DZone community and get the full member experience.

Join For Free

For our RealDolmen blog platform, where we use Wordpress as the engine running multiple external and internal blogs (yes, that’s an internal SaaS we have there!), we wanted to have an easy solution for our employees to sign-on to the platform. We had a look at the Wordpress plugin repository and found the excellent Simple LDAP Login plugin for providing sign-on through Active Directory. This allowed for sign-on using Active Directory credentials. However, when browsing the blogs from the corporate network, the login page is one extra step in the way of users: they are already logged on to the network, so why sign-on again using the same credentials?

Luckily for us, we are hosting Wordpress on Windows, IIS 7 and SQL Server. Shocked? No Linux, MySQL, .htaccess and mod_rewrite there! And it works perfectly. In fact, we get some extras for free: single sign-on is made possible by IIS!

Configuring Windows Authentication in IIS7

In order to provide a single sign-on scenario for Wordpress on IIS, simply enable Windows Authentication in the IIS7 management console, like so:

Windows Authentication in IIS - Wordpress, PHP

If you now browse to the Wordpress site… Nothing happens! Except the normal stuff: a non-logged-in version of the site is displaying… The reason for this is obvious: anonymous authentication is also enabled and is higher up the chain, hence IIS7 refuses to authenticate the user using his Active Directory credentials… One solution may be to reverse the order, but that would mean *every* single user is required to sign-on. Not the ideal situation… And that’s where our custom plugin for Wordpress comes in handy, heck, we’re even sharing it with you so you can use it too!

Fooling IIS7 when required…

A solution to the fact that anonymous authentication is higher up the chain in IIS7 and that this is required by the fact that we don’t want everyone to have to login, is fooling IIS7 into believing that Windows Authentication is higher up the chain in some situations… And why not do that from PHP and wrap that “hack” into a Wordpress plugin?

The basis for our plugin is the following: whenever a user browses the website and uses Internet Explorer (sorry, no support for this in the other browsers…), Windows Authentication is a possibility. The only step left is triggering this, which is pretty easy: if you detect a user is coming from the local LAN and is using Internet Explorer (on Windows), send the user a HTTP/1.1 401 Unauthorized header. This will make IE send out the Windows Authentication token to the server and will also trick IIS7 into thinking that anonymous authentication failed, which will immediately trigger Windows Authentication server-side as well.

Now how to do this in a Wordpress plugin? Well, simple: hook into 2 events Wordpress offers, namely init and login_form. Init? Well, yes! You want users to automatically sign-on when coming from the LAN. There’s no better hook to do that than init. The other one is obvious: if a user somehow lands at the login page and is coming from the local LAN, you want that page to be skipped and use Windows Authentication there. Here’s some simplified code for registering the hooks:

1<?php
2add_action('init','iisauth_auto_login');
3add_action('login_form','iisauth_wp_login_form');

Next, implementation! Let’s start with what happens on init:

1function iisauth_auto_login() {
2if (!is_user_logged_in() && iisauth_is_lan_user() && iisauth_using_ie()) {
3        iisauth_wp_login_form();
4    }
5}

As you can see: whenever we suspect a user is coming from the internal LAN and is using IE, we call the iisauth_wp_login_form() method (which “by accident” also gets triggered when a user is on the login page). Here’s that code:

 1function iisauth_wp_login_form() {
 2// Checks if IIS provided a user, and if not, rejects the request with 401
 3    // so that it can be authenticated
 4if (iisauth_is_lan_user() && iisauth_using_ie() &&empty($_SERVER["REMOTE_USER"])) {
 5        nocache_headers();
 6header("HTTP/1.1 401 Unauthorized");
 7ob_clean();
 8exit();
 9    } elseif (iisauth_is_lan_user() && iisauth_using_ie() &&!empty($_SERVER["REMOTE_USER"])) {
10if (function_exists('get_userdatabylogin')) {
11$username=strtolower(substr($_SERVER['REMOTE_USER'],strrpos($_SERVER['REMOTE_USER'],'\\') +1));
12
13$user= get_userdatabylogin($username);
14if (!is_a($user,'WP_User')) {
15// Create the user
16$newUserId= iisauth_create_wp_user($username);
17if (!is_a($newUserId,'WP_Error')) {
18$user= get_userdatabylogin($username);
19                }
20            }
21
22if ($user&&$username==$user->user_login) {
23// Clean buffers
24ob_clean();
25
26// Feed WordPress a double-MD5 hash (MD5 of value generated in check_passwords)
27$password=md5($user->user_pass);
28
29// User is now authorized; force WordPress to use the generated password
30$using_cookie=true;
31                wp_setcookie($user->user_login,$password,$using_cookie);
32
33// Redirect and stop execution
34$redirectUrl= home_url();
35if (isset($_GET['redirect_to'])) {
36$redirectUrl=$_GET['redirect_to'];
37                }
38                wp_redirect($redirectUrl);
39exit;
40            }
41        }
42    }
43}

What happens here is that the authentication header is sent when needed, and once a user is provided by IIS we just log the user in to Wordpress and redirect him. The real “magic” is in this part:

1// Checks if IIS provided a user, and if not, rejects the request with 401
2// so that it can be authenticated
3if (iisauth_is_lan_user() && iisauth_using_ie() &&empty($_SERVER["REMOTE_USER"])) {
4    nocache_headers();
5header("HTTP/1.1 401 Unauthorized");
6ob_clean();
7exit();
8}

Which does exactly what I described before in this post…

Download

Well of course, feel free to use this plugin! Here’s the source code: iisauth.zip (1.44 kb)

(And big thanks to our marketing manager for allowing me to distribute this little plugin! Again proof for the no-nonsense spirit at RealDolmen!)

WordPress

Published at DZone with permission of Maarten Balliauw, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Related

  • Easy Microdata in WordPress
  • Why PHP Is More Hated and Popular Than Ever Before
  • Deploy WordPress on AWS Using OpenEBS
  • Deploy WordPress on Kubernetes in 15 Minutes Using Helm

Comments

Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 3343 Perimeter Hill Drive
  • Suite 100
  • Nashville, TN 37211
  • support@dzone.com

Let's be friends: