Fork me on GitHub

On this page we will show you how to configure your Windows and IIS environment in order to use NADI SSO.

If you require help in setting up your Next Active Directory Integration installation we offer you consultation services and support.
Get in touch!

Enable Windows Authentication




  1. Open the IIS Manager and select the site under which your WordPress environment runs. In our case we use the "Default Web Site".
  2. After that double click "Authentication"

Now you have to configure the authentication settings of your site.




  1. Disable Anonymous Authentication
  2. Enable Windows Authentication
  3. With Windows Authentication selected, click on the Providers link in the right Action panel

Now the following window should appear. Please add the providers as shown in the picture. The order has to be Negotiate over NTLM!




After that close the window by pressing OK.




  1. For the next step please select your site on the left panel
  2. After that double click the Configuration Editor



Now please select *windowsAuthentication* from the dropdown menu



Please change *useKernelMode* to *True* and save the settings by pressing *Apply* button in the upper right corner.

At last please restart your IIS.

Configure SPNs

In our example we imagine the following scenario

Hostname Domain FQDN hostname
nadi-ts test.ad nadi-ts.test.ad
  1. Open a console and type hostname in order to see the hostname of your machine.

  2. Now type the following to receive a list of all SPNs registered for your machine

    setspn -L yourMachineName 
    

    This should output a list like



  1. You now have to add a HOST and a http SPN for the address of your WordPress environment which has to equal the hostname. To do this type the following commands:

    setspn -a HOST/yourHostName yourMachineName
    setspn -a http/yourHostName yourMachineName
    
  2. Check if the SPNs were added successfully by typing

    setspn -L yourMachineName
    



If your hostname contains a port (e.g. *nadi-ts.test.ad:81/wordpress*) do __not__ add the port to the SPNs. This is only required for older environments up to Windows 7 and Windows Server 2008.

Configure browsers

You have to configure the browsers you are using.

Test authentication

You can use Fiddler to test the Kerberos configuration.

  1. Start Fiddler
  2. Open your browser and go your WordPress instance for which have previously enabled Kerberos
  3. In Fiddler select the last request from the list. In the right panel below Inspectors > Headers > Auth you should see the message
WWW-Authenticate Header (Negotiate) appears to be a Kerberos reply



If you have been successfully logged in into your WordPress environment you should find the following log message in the nadi-debug.log

If you require help in setting up your Next Active Directory Integration installation we offer you consultation services and support.
Get in touch!