Wordpress auto sign-on with IIS7 and a plugin

For our RealDolmen blog platform, where we use Wordpress as the engine running multiple external and internal blogs (yes, that’s an internal SaaS we have there!), we wanted to have an easy solution for our employees to sign-on to the platform. We had a look at the Wordpress plugin repository and found the excellent Simple LDAP Login plugin for providing sign-on through Active Directory. This allowed for sign-on using Active Directory credentials. However, when browsing the blogs from the corporate network, the login page is one extra step in the way of users: they are already logged on to the network, so why sign-on again using the same credentials?

Luckily for us, we are hosting Wordpress on Windows, IIS 7 and SQL Server. Shocked? No Linux, MySQL, .htaccess and mod_rewrite there! And it works perfectly. In fact, we get some extras for free: single sign-on is made possible by IIS!

Configuring Windows Authentication in IIS7

In order to provide a single sign-on scenario for Wordpress on IIS, simply enable Windows Authentication in the IIS7 management console, like so:

[Screenshot: Windows Authentication enabled in the IIS7 management console for the Wordpress (PHP) site]

If you now browse to the Wordpress site… Nothing happens! Except the normal stuff: a non-logged-in version of the site is displayed… The reason for this is obvious: anonymous authentication is also enabled and is higher up the chain, hence IIS7 never gets around to authenticating the user with his Active Directory credentials… One solution may be to reverse the order, but that would mean *every* single user is required to sign-on. Not the ideal situation… And that’s where our custom plugin for Wordpress comes in handy, heck, we’re even sharing it with you so you can use it too!

Fooling IIS7 when required…

Anonymous authentication has to stay higher up the chain in IIS7, because we don’t want everyone to have to login. The solution is therefore to fool IIS7 into believing that Windows Authentication is higher up the chain in some situations… And why not do that from PHP and wrap that “hack” into a Wordpress plugin?

The basis for our plugin is the following: whenever a user browses the website and uses Internet Explorer (sorry, no support for this in the other browsers…), Windows Authentication is a possibility. The only step left is triggering this, which is pretty easy: if you detect that a user is coming from the local LAN and is using Internet Explorer (on Windows), send the user an HTTP/1.1 401 Unauthorized response. This will make IE send out the Windows Authentication token to the server and will also trick IIS7 into thinking that anonymous authentication failed, which will immediately trigger Windows Authentication server-side as well.

Now how to do this in a Wordpress plugin? Well, simple: hook into two actions Wordpress offers, namely init and login_form. Init? Well, yes! You want users to automatically sign-on when coming from the LAN. There’s no better hook to do that than init. The other one is obvious: if a user somehow lands at the login page and is coming from the local LAN, you want that page to be skipped and use Windows Authentication there. Here’s some simplified code for registering the hooks:

```php
<?php
add_action('init', 'iisauth_auto_login');
add_action('login_form', 'iisauth_wp_login_form');
```

Next, implementation! Let’s start with what happens on init:

```php
function iisauth_auto_login() {
    // Only LAN users on Internet Explorer that are not logged in yet are challenged
    if (!is_user_logged_in() && iisauth_is_lan_user() && iisauth_using_ie()) {
        iisauth_wp_login_form();
    }
}
```

As you can see: whenever we suspect a user is coming from the internal LAN and is using IE, we call the iisauth_wp_login_form() method (which “by accident” also gets triggered when a user is on the login page). Here’s that code:

```php
function iisauth_wp_login_form() {
    // Checks if IIS provided a user, and if not, rejects the request with 401
    // so that it can be authenticated
    if (iisauth_is_lan_user() && iisauth_using_ie() && empty($_SERVER["REMOTE_USER"])) {
        nocache_headers();
        header("HTTP/1.1 401 Unauthorized");
        ob_clean();
        exit();
    } elseif (iisauth_is_lan_user() && iisauth_using_ie() && !empty($_SERVER["REMOTE_USER"])) {
        if (function_exists('get_userdatabylogin')) {
            // IIS reports the account as DOMAIN\user; keep only the user part.
            // Without a backslash strrpos() returns false, so test for that instead
            // of adding 1 to it (which would silently drop the first character).
            $remoteUser = $_SERVER['REMOTE_USER'];
            $pos = strrpos($remoteUser, '\\');
            $username = strtolower($pos === false ? $remoteUser : substr($remoteUser, $pos + 1));

            $user = get_userdatabylogin($username);
            if (!is_a($user, 'WP_User')) {
                // Create the user
                $newUserId = iisauth_create_wp_user($username);
                if (!is_a($newUserId, 'WP_Error')) {
                    $user = get_userdatabylogin($username);
                }
            }

            if ($user && $username == $user->user_login) {
                // Clean buffers
                ob_clean();

                // Feed WordPress a double-MD5 hash (MD5 of value generated in check_passwords)
                $password = md5($user->user_pass);

                // User is now authorized; force WordPress to use the generated password
                $using_cookie = true;
                wp_setcookie($user->user_login, $password, $using_cookie);

                // Redirect and stop execution. redirect_to comes straight from the query
                // string, so only follow it to this site's own host (wp_safe_redirect),
                // never to an arbitrary external URL.
                $redirectUrl = home_url();
                if (isset($_GET['redirect_to'])) {
                    $redirectUrl = $_GET['redirect_to'];
                }
                wp_safe_redirect($redirectUrl);
                exit;
            }
        }
    }
}
```

What happens here is that the authentication header is sent when needed, and once a user is provided by IIS we just log the user in to Wordpress and redirect him. The real “magic” is in this part:

```php
// Checks if IIS provided a user, and if not, rejects the request with 401
// so that it can be authenticated
if (iisauth_is_lan_user() && iisauth_using_ie() && empty($_SERVER["REMOTE_USER"])) {
    nocache_headers();
    header("HTTP/1.1 401 Unauthorized");
    ob_clean();
    exit();
}
```

Which does exactly what I described before in this post…
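The plugin relies on two helpers the post does not show, iisauth_is_lan_user() and iisauth_using_ie(), plus the DOMAIN\user parsing of REMOTE_USER. Below is an added example of how those could be written; it is not the plugin's own code, the LAN ranges are a constructed list you must adapt, and the IE 11 (Trident) match and the bare-username handling are assumptions that go slightly beyond the post.

```php
<?php
// Added example (not from the original plugin). Constructed list of internal
// ranges: replace with the corporate LAN. Only REMOTE_ADDR is consulted, never
// X-Forwarded-For, because a client can set that header itself.
const IISAUTH_LAN_RANGES = array('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16');

/** True when IPv4 address $ip lies inside the CIDR block $cidr. */
function iisauth_ip_in_cidr($ip, $cidr) {
    list($subnet, $bits) = explode('/', $cidr, 2);
    $bits = (int)$bits;
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false; // malformed or IPv6: never treat as LAN
    }
    if ($bits <= 0) {
        return true;
    }
    // Compare only the network part; shifting both values the same way keeps
    // the comparison valid on 32-bit and 64-bit PHP builds.
    return ($ipLong >> (32 - $bits)) === ($subnetLong >> (32 - $bits));
}

/** Is the request coming from one of the internal ranges? */
function iisauth_is_lan_user($ip = null) {
    if ($ip === null) {
        $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    }
    foreach (IISAUTH_LAN_RANGES as $range) {
        if (iisauth_ip_in_cidr($ip, $range)) {
            return true;
        }
    }
    return false;
}

/** Internet Explorer on Windows: "MSIE" (IE 10 and older) or "Trident/" (IE 11). */
function iisauth_using_ie($ua = null) {
    if ($ua === null) {
        $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    }
    return strpos($ua, 'Windows') !== false
        && (strpos($ua, 'MSIE ') !== false || strpos($ua, 'Trident/') !== false);
}

/** Strip the DOMAIN\ prefix IIS puts in REMOTE_USER; a bare name is kept as-is. */
function iisauth_normalize_username($remoteUser) {
    $pos = strrpos($remoteUser, '\\');
    return strtolower($pos === false ? $remoteUser : substr($remoteUser, $pos + 1));
}
```

Comment 16 below points at the IP ranges as the first thing to check when users are prompted instead of signed in automatically; with this layout that is the IISAUTH_LAN_RANGES list.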

Download

Well of course, feel free to use this plugin! Here’s the source code: iisauth.zip (1.44 kb) [update] Code for Wordpress 3.1+: IISAUTH.PHP (3.4KB)

(And big thanks to our marketing manager for allowing me to distribute this little plugin! Again proof for the no-nonsense spirit at RealDolmen!)

This is an imported post. It was imported from my old blog using an automated tool and may contain formatting errors and/or broken images.

27 responses

  1. Kerry Fitzgerald, August 1st, 2013

    Once this plugin is activated, can you still manage users' roles and capabilities through the WP Dashboard? My goal is to give certain users access to pages while restricting the rest of the users to these pages. Note: I currently accomplish this task through a plugin (I believe it's called User Access Management).

  2. Maarten Balliauw, August 1st, 2013

    Yes you can :-)

  3. Kerry Fitzgerald, August 1st, 2013

    Okay, one more question. The plugin appears to work perfectly. The only problem is that when I activated the plugin I could no longer login to the WP Admin Dashboard since my username/password for Active Directory does not match the username/password for the WP Admin. This totally locked me out of editing the WP site so I was forced to remove the PHP script from the plugin folder in order to manually deactivate the plugin. I then went in and changed my AD username/password credentials to the role of administrator. Now I'm not sure if there are any capabilities that I won't have that would otherwise be available if I logged in as the WP Admin. Did I miss a step? How do others continue to manage the WP site through the Admin account (since you can't log out once this plugin is activated)? Hope this makes sense.

  4. Maarten Balliauw, August 1st, 2013

    The usernames should match, so best is to enable the plugin, login using AD, disable it again and then assign that specific AD user admin permissions.

  5. Kerry Fitzgerald, August 1st, 2013

    Okay, that worked great. This plugin is fantastic. Last question (I hope). For some reason, some of our employees are being prompted to enter in their credentials in order to connect to the WP site where others are automatically logged in. I can't seem to pinpoint the problem. Any suggestions?

  6. Maarten Balliauw, August 2nd, 2013

    Guessing they are all using different browsers? IE should automatically sign in when in the same network. Chrome and Firefox will always prompt.

  7. Kerry Fitzgerald, August 2nd, 2013

    Everyone uses the same browsers (IE 9 inside of a Citrix Environment). The only thing that could be different, is individual settings within each browser.

  8. James Curtis, September 9th, 2013

    Can you briefly tell me how to install the plugin and activate it? I am new to wordpress. We have a similar setup to what you described above: IIS7.0, Windows Server 2008 R2, wordpress, mysql.

  9. Matt, September 11th, 2013

    We have installed your plugin and it works very well! The only issue we would like to fix is being able to assign specific users to wordpress roles on first login when the account is created. At the moment it assigns everyone as a subscriber, is it possible to customise this? Also, it would be great if it populated the user's first name & last name in wordpress with the user's Active Directory first & last name instead of the username. We need support for multiple browsers as well.

    Unfortunately I'm not a coder, is there any chance getting your services?
    Many thanks!

  10. Gerald, October 7th, 2013

    Is it possible to allow sign-on from the Internet as well through this? I would like Wordpress to use AD usernames/passwords from the Internet and auto-sign on internally.

  11. David, January 2nd, 2014

    I think it's great that you've shared this plugin.

    I have a similar situation, but slightly different technology.

    I have a windows exchange server where the usernames and passwords are stored.

    I have a separate windows 2012 server for the wordpress install.

    I have followed your steps and installed the updated code for the plugin, but it's not working.

    Do you have any thoughts as to what I might need to do to get it working?

  12. jamblosaints, January 13th, 2014

    Hi there

    Have been using this wonderful plugin for a good while to great success. However we've just discovered an issue where users with hyphens (-) in their names, e.g. Bob Jones-Smith, are not being logged in automatically. They can still login, but have to use wp-login. It seems the hyphen does not make it through the IIS Authentication Plugin.

    Do you know of any methods we can use to solve this?

    Many thanks,
    James

  13. Maarten Balliauw, January 13th, 2014

    Can you check if the $_SERVER['REMOTE_USER'] variable holds the full username?

  14. jeremyflint, March 18th, 2014

    Has this been tested on a Windows 2012 Server with IIS8? I have a server running with that plus PHP 5.4. We are running the Simple intranet plugin which requires logging in to view the site. Do I need to have Simple LDAP activated along with this plugin?

  15. Adrian, May 26th, 2014

    Once I log in it works fine to keep me logged in, but it keeps asking me for my credentials every time I open Internet Explorer. Is this how it is meant to work or should it just be automatic?

  16. Maarten Balliauw, May 26th, 2014

    Should be automatic, best check the IP ranges in the plugin code as it may have to do with that.

  17. Adrian, May 26th, 2014

    Thanks for the quick response. I've already updated them.

    I did play around with the wp_setcookie parameters and added a few more as per the function library on the WP website. Adding true as the keep me signed in keeps me signed in when I close IE. But for first time ever users it still asks for the credentials which shouldn't be all that bad.

    The IE check wasn't picking up I was using IE so I commented it out and now it seems to work in Chrome as well.

  18. Wayne, June 23rd, 2014

    I can't seem to get the plugin to show up in the list to be activated. I downloaded the updated version (for WP 3.1+) which is just the IISAUTH.PHP file. I then created a plugin directory called iisauth and added the php file. I also added Windows Authentication and restarted the server. What am I missing?

  19. Wayne, June 23rd, 2014

    OK, I forgot about the lower case file name. Now it's activated. But it's not working. I still find myself needing to log in, even after disabling anonymous in IIS and adding/enabling Windows authentication. I also added wpDirAuth for LDAP login so I could add myself as a user. So what am I missing this time?
    Using 2008 R2 64 bit, WP 3.9.1, IIS 7

  20. David Thomas, July 21st, 2014

    Hi,

    I am using wordpress 3.9.1 and I have downloaded the updated version and created a folder called "iisauth" in the plugin directory, however when I go to the plugin section of the website I can't see it to be activated.

    Am I missing something?

    Thanks

  21. Fiyas, February 25th, 2015

    Hi

    Can I use the Active Directory Integration plugin https://wordpress.org/plugi... or do I have to use the Simple LDAP Login plugin for providing sign-on through Active Directory for this?

    My intention is that when a user logs in to the computer using his user id he doesn't have to login to the site again. It has to automatically login to the site using his Active Directory user id. Mine is an intranet site.

    Does this work for this case?

  22. Tom, June 25th, 2015

    Hi Maarten!
    Still having the same problems Wayne had!
    I can't seem to get the plugin to show up in the list to be activated. I downloaded the updated version (for WP 3.1+) which is just the IISAUTH.PHP file. I then created a plugin directory called iisauth and added the php file and renamed it to iisauth.php. But it just won't show up to be activated. What am I doing wrong?
    The WP is actually 4.2.2 ...

  23. Tom, June 25th, 2015

    Thanks, now it's working!

  24. BMC, February 17th, 2016

    Hi Maarten

    I have to thank you firstly for this awesome plugin which integrates well in our intranet environment.

    I am not sure if you have any time for this, but I have a quick question.

    When a user does not have IE open (and so, by default in our environment, is not yet logged into the blog) and we email them a direct link to a page, e.g. http://ourblog.int/pagename, the plugin redirects back to the home page rather than the direct link.

    Is there a quick fix for this?

    Thank you

  25. faiqhussain, June 14th, 2016

    How did you change the cookies parameter? I also get prompts on some of my employees stations even though they are logged in.

  26. Alexander, June 27th, 2016

    Hi Maarten, should this plugin also be able to get the user's email address from Active Directory?

  27. alhatmi, October 2nd, 2017

    Thanks for this plugin.
    I need a function or string to send the login name to a web service and retrieve the display name.
    How can I do that?