Installing Mediawiki with active directory passthrough authentication (Debian Jessie)

Introduction

During my job I run into a lot of stuff that needs figuring out, just like this one, so I decided to start a blog and write this stuff down, primarily for my own reference, but it could be useful to others as well.

What I wanted to do this time was set up Mediawiki to automatically log in using the user’s Active Directory credentials and create the Mediawiki account if it didn’t exist. This proved to be very hard: there was some stuff written on it, but not one good how-to that puts it all together. I had to search for the individual parts, e.g. how to handle Kerberos authentication through Apache, which extension I would need for Mediawiki, etc. All in all, very confusing.

I always want the best possible solution as well, so I didn’t want to use NTLM. Most solutions were based on that, but NTLM is outdated and insecure, so I really wanted to use Kerberos, which in the end, once you know how to set it up, is far less of a hassle than NTLM anyway.

Installing Debian Jessie

So the first step is to get a Linux server running. I’m using Debian Jessie for this tutorial, but it should work with minor adjustments on any other Linux distro as well. I won’t cover the installation of Debian here; you should know how to do that and it’s fairly straightforward anyway.

Just make sure your machine has a static IP address and resolves correctly in your DNS, including reverse lookup. This is important since Kerberos relies heavily on DNS so if your DNS is a mess it won’t work.

Installing and configuring NTP

One other thing Kerberos relies heavily on is time. If the time on your Linux box is too far off from the domain controller’s clock, you will get error messages like Kerberos ticket not yet valid, or expired, so it’s important to install NTP to sync your clock with the domain controller and keep it in sync in the future.

  • So first install the NTP components: apt-get install ntp ntpdate
  • Add it to boot: systemctl enable ntp
  • Sync your clock to the domain controller: ntpdate -B -q <Windows DC>
  • Edit /etc/ntp.conf, replace the servers with your domain controller(s).
  • Start NTP: systemctl start ntp
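A pass/fail gate for the query in the list above, as an added example that is not part of the original post: it parses `ntpdate -q` output and compares each offset with the 300-second clock-skew tolerance that MIT Kerberos and Active Directory use by default. The function name, MAX_SKEW and the sample lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. 300 s is the default Kerberos
# clock-skew tolerance (MIT krb5 and Active Directory); change MAX_SKEW if
# your domain policy differs.
MAX_SKEW=300

# skew_ok: read `ntpdate -q <Windows DC>` output on stdin.
# Returns 0 when every server that answered is within MAX_SKEW seconds,
# 1 when an offset is too large, 2 when no server answered at all.
skew_ok() {
    awk -v max="$MAX_SKEW" '
        /^server / {
            gsub(/,/, "")                # "stratum 3," -> "stratum 3"
            if ($4 == 0) next            # stratum 0 means no reply was received
            seen++
            off = $6 + 0
            if (off < 0) off = -off
            if (off > max) bad++
        }
        END {
            if (!seen) exit 2
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample output (addresses and offsets are made up).
SAMPLE_GOOD='server 192.0.2.10, stratum 3, offset 0.004321, delay 0.02600'
SAMPLE_SLOW='server 192.0.2.10, stratum 3, offset -412.531250, delay 0.02600'
# An unreachable DC reports offset 0.000000, which a naive check would accept.
SAMPLE_DEAD='server 192.0.2.10, stratum 0, offset 0.000000, delay 0.00000'

for s in "$SAMPLE_GOOD" "$SAMPLE_SLOW" "$SAMPLE_DEAD"; do
    rc=0
    printf '%s\n' "$s" | skew_ok || rc=$?
    echo "rc=$rc  $s"
done
```

On the server, run it as `ntpdate -q <Windows DC> | skew_ok` before the first kinit.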

Installing and configuring Kerberos

This is the next step; Kerberos is needed for the passthrough authentication.

  • Install the required components: apt-get install krb5-config krb5-user
  • Edit /etc/krb5.conf and replace everything with the content below.

Remember to respect the caps, so if your domain is DOMAIN.local you should still use DOMAIN.LOCAL if it says so below. These are not typos!


[libdefaults]
default_realm = AD-DOMAIN.LOCAL

[realms]
AD-DOMAIN.LOCAL = {
    kdc = dc01.domain.local:88
    admin_server = dc01.domain.local
    default_domain = ad-domain.local
}

[domain_realm]
ad-domain.local = AD-DOMAIN.LOCAL
.ad-domain.local = AD-DOMAIN.LOCAL

[login]
krb4_convert = true
krb4_get_tickets = false


If you want to add more servers as failover just add new lines, like this:

kdc = dc01.ad-domain.local:88
kdc = dc02.ad-domain.local:88

You can do this for every option in there.

Now, to test if your authentication works, log on with a domain admin account using kinit.

  • Type: kinit <ad username> (without domain).

It should automatically add the domain name for you and ask for the password for user@domain.local. Enter the password and press Enter. It shouldn’t output anything, but if you type ‘klist’ you should see your info. If you type ‘kdestroy’ it will remove your ticket and you can do it again.

Create the Active Directory computer account

Next thing we need is an AD computer account for the Linux machine. To do this first we need to install msktutil:

  • apt-get install msktutil

The next step is to create the computer account. Remember where you logged on with your admin account using kinit? This is required; otherwise you don’t have the required privileges to create the Active Directory computer account.

This is important! There will be no error output and the computer account doesn’t get created if you’re not authenticated with an account with the required privileges!

  • Type: msktutil -c

This will create the computer account for the linux machine in the AD computers container according to the hostname you’ve entered during installation. You can move the object anywhere you want once it’s created.

Next step is to create the SPNs in the Active Directory and create the keytab file for use with Apache.

  • Type this: msktutil --user-creds-only -k /etc/apache2/krb5_http.keytab -s HTTP -s HTTP/mediawiki --update --computer-name <computername> --dont-expire-password

You can see the ‘HTTP/mediawiki’ entry. This is the name the user will use to reach the wiki (i.e. http://mediawiki), so change that to the name you want and make sure it exists in your DNS.

Now, for each other name the user can enter you need to repeat this command, so let’s say you want to register the FQDN as well, then do this:

  • msktutil --user-creds-only -k /etc/apache2/krb5_http.keytab -s HTTP -s HTTP/mediawiki.domain.local --update --computer-name <computername> --dont-expire-password

Now the passthrough works for http://mediawiki.domain.local as well.

Next thing you want to do is change the permissions on the keytab file so Apache has access to it, otherwise you will get a permission denied error.

  • chown root:www-data /etc/apache2/krb5_http.keytab
  • chmod 0640 /etc/apache2/krb5_http.keytab
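The keytab holds the long-term keys for the HTTP service principals, so it is worth checking both its mode and its contents once the msktutil runs are done. The script below is an added example, not part of the original post: it checks that the file is no looser than 0640 and that every name users may type has an HTTP/ entry. The function names are hypothetical and the `klist -k` listing is constructed.

```sh
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# keytab_mode_ok FILE: succeed only when "other" has no access and the group
# cannot write, i.e. the mode is no looser than the 0640 used in this post.
keytab_mode_ok() {
    # GNU stat first, BSD stat as a fallback.
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 2
    [ $(( 0$mode & 027 )) -eq 0 ]
}

# missing_spns REALM HOST...: read `klist -k <keytab>` output on stdin and
# print each HTTP/HOST@REALM that has no entry. Returns 1 if any is missing.
missing_spns() {
    realm=$1; shift
    listing=$(cat)
    rc=0
    for host in "$@"; do
        spn="HTTP/$host@$realm"
        # The principal is the last field of every entry line; match it whole
        # so HTTP/mediawiki does not pass for HTTP/mediawiki.domain.local.
        if ! printf '%s\n' "$listing" |
             awk -v p="$spn" '$NF == p { f = 1 } END { exit !f }'; then
            printf '%s\n' "$spn"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed `klist -k` output: the FQDN registration was never run.
SAMPLE_KLIST='Keytab name: FILE:/etc/apache2/krb5_http.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 HTTP/mediawiki@AD-DOMAIN.LOCAL
   2 HTTP/mediawiki@AD-DOMAIN.LOCAL'

echo "missing: $(printf '%s\n' "$SAMPLE_KLIST" |
    missing_spns AD-DOMAIN.LOCAL mediawiki mediawiki.domain.local)"
```

On the server, feed it real data with `klist -k /etc/apache2/krb5_http.keytab | missing_spns AD-DOMAIN.LOCAL mediawiki mediawiki.domain.local` and `keytab_mode_ok /etc/apache2/krb5_http.keytab`.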

Mediawiki installation.

Now for the final part, install mediawiki and the required components:

  • apt-get install mediawiki php5-gd php5-xcache php-pear php5-intl libapache2-mod-auth-kerb
  • Open /etc/mediawiki/apache.conf and uncomment the alias (so remove the #).
  • Open /etc/apache2/apache2.conf and add the next line at the end of the file:

Include /etc/mediawiki/apache.conf

  • Restart Apache: apachectl restart
  • Browse to http://<computername>/mediawiki and complete the installation.

Apache htaccess configuration.

  • cd to the /var/lib/mediawiki directory and create a .htaccess file with the following content:

AuthType Kerberos
AuthName "Kerberos Login"
# Set this to on if you want to allow wiki logons from outside of your domain (manual input).
# With it on, the password is sent via HTTP Basic authentication, so only enable it over HTTPS.
KrbMethodK5Passwd off
Krb5Keytab /etc/apache2/krb5_http.keytab
Require valid-user


Mediawiki auth_remoteuser extension

The next thing you need is the auth_remoteuser extension; you can get it here.
I’m not gonna cover the installation here; please see the website, it’s very easy.

  • Once installed, add the following content to the end of LocalSettings.php:

require_once "$IP/extensions/Auth_remoteuser/Auth_remoteuser.php";
$wgAuth = new Auth_remoteuser();
$wgAuthRemoteuserAuthz = true;
$wgAuthRemoteuserName = $_SERVER["AUTHENTICATE_CN"];
$wgAuthRemoteuserMail = $_SERVER["AUTHENTICATE_MAIL"];
$wgAuthRemoteuserNotify = false;
$wgAuthRemoteuserDomain = "AD-DOMAIN.LOCAL";
$wgAuthRemoteuserMailDomain = "yourinetemaildomain.com";

// Don't let anonymous people do things...
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;


There’s another code snippet on the auth_remoteuser site to remove the logout and login links from your wiki, you might want to use that as well.

That’s it! Now if you browse to http://<computername>/mediawiki you will passthrough login with your AD domain credentials using kerberos and your account is automatically created!

This was tested working with IE 11 and Chrome 44 without changing any default settings.