A common problem for NADI SSO environments is that company users are able to access the WordPress instance as they have valid Kerberos access token. External users, e.g. agencies or consultants, don't have these tokens as they are logged in into their own company network or don't have a valid account in the client's Active Directory.

How to disable Kerberos authentication for different networks?

If Kerberos has been enabled for a virtual host in Apache, there is no way to disable Kerberos and fall back to another authentication mechanism. This being said, it also not possible to enable Kerberos authentication for just one subnet and disable Kerberos for any other subnet.

Accessing the WordPress instance with a valid Active Directory account

If an external user has to access the site and does not own a Kerberos token, he will be presented with a login mask for basic authentication. The user has to enter valid Active Directory credentials to gain access to the WordPress instance. The Active Directory administrator has to make sure that the external user owns a valid AD account.

Accessing the WordPress instance through a second virtual host

It is also possible to create a second virtual host which has Kerberos not activated. You are ending up with having two virtual hosts like https://sso.test.ad (with Kerberos) and https://no-sso.test.ad (without Kerberos).

  • Restrict access to the no-sso.test.ad on a per subnet restriction.
  • Use a WordPress plug-in like Multiple Domain Mapping on Single Site to get the assets from the accessed domain. Please note that we are not associated with the plug-in. This is only a way to solve the problem.
  • Make sure that your WordPress installation (theme, plug-ins) does not rely on hard-coded URL for https://sso.test.ad as the access will fail because of a missing Kerberos token.