Hello,
To enable Single Sign-On to a MediaWiki hosted on IIS in a Windows Domain, the best MediaWiki extension I could find was NTLMActiveDirectory. https://www.mediawiki.org/wiki/Extension:NTLMActiveDirectory
However, I had two peeves with this extension: 1) its name: I'm not doing NTLM, but Negotiate and Kerberos; and 2) its use of LDAP: it feels too much like a wart on Windows!
See, I'm sitting on an IIS box on a Windows domain with Integrated Windows Authentication enabled. By the time the MW extension gets hit, IIS has already authenticated the user, so why not just leverage that instead?
I therefore used NTLMActiveDirectory as a starting point, but threw out all the LDAP stuff and replaced it with a simple web call to an IIS-hosted handler to get the AD group membership for the already authenticated user. Of NTLMActiveDirectory, I kept the AD / MW group mapping configuration required for authorization.
Personally, I find this solution much simpler and more intuitive for AD integration when hosting MW on a Windows/IIS box.
Does this make sense to others in the community? Do others feel there was a need for a better AD integration extension? Would others in the community benefit from such an extension?
If so, I would be happy to share my work, following instructions found here: https://www.mediawiki.org/wiki/Writing_an_extension_for_deployment
Regards,
François
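The design sketched in the post (trust the identity IIS already established, fetch AD groups from an IIS-hosted handler, then apply the AD-to-MW group mapping) as an added PHP example; this is not François' code nor part of NTLMActiveDirectory. The handler URL, its JSON shape, the `$wgAdGroupToMwGroup` config name and the sample group names are assumptions.

```php
<?php
// Added example, not from the original post or the NTLMActiveDirectory extension.
// Assumptions: IIS runs this PHP with Integrated Windows Authentication enabled and
// anonymous access disabled, so AUTH_USER / AUTH_TYPE are set by IIS itself; the
// group handler URL, its JSON shape {"groups":[...]} and the config name are hypothetical.

// AD group (DOMAIN\Group) => MediaWiki group, in the spirit of the mapping kept
// from NTLMActiveDirectory. Hypothetical config name and constructed values.
$wgAdGroupToMwGroup = [
    'CORP\Wiki-Admins'  => 'sysop',
    'CORP\Wiki-Editors' => 'editor',
];
$wgAdGroupHandlerUrl = 'http://localhost/adgroups/groups.ashx'; // hypothetical

// Accept only an identity that IIS established via Negotiate/NTLM. A missing user
// or a different AUTH_TYPE means IWA did not run for this request, so we map nothing.
function iisAuthenticatedUser(array $server): ?string {
    $type = $server['AUTH_TYPE'] ?? '';
    $user = $server['AUTH_USER'] ?? ($server['REMOTE_USER'] ?? '');
    if ($user === '' || !in_array($type, ['Negotiate', 'NTLM'], true)) {
        return null;
    }
    return $user; // e.g. "CORP\jdoe"
}

// Ask the IIS-hosted handler for the user's AD groups. Any failure yields [] so the
// user simply receives no mapped rights instead of an error path granting them.
function fetchAdGroups(string $handlerUrl, string $user): array {
    $url = $handlerUrl . '?user=' . rawurlencode($user);
    $ctx = stream_context_create(['http' => ['timeout' => 5]]);
    $body = @file_get_contents($url, false, $ctx);
    return $body === false ? [] : parseGroupsJson($body);
}

function parseGroupsJson(string $json): array {
    $data = json_decode($json, true);
    $groups = $data['groups'] ?? null;
    return is_array($groups) ? array_values(array_filter($groups, 'is_string')) : [];
}

// Translate AD membership into MW groups; AD names compare case-insensitively and
// AD groups with no mapping (e.g. Domain Users) are ignored.
function mapToMwGroups(array $adGroups, array $mapping): array {
    $lower = array_change_key_case($mapping, CASE_LOWER);
    $mw = [];
    foreach ($adGroups as $g) {
        $key = strtolower($g);
        if (isset($lower[$key])) { $mw[$lower[$key]] = true; }
    }
    return array_keys($mw);
}

// Constructed sample response standing in for a live handler call:
$sample = '{"groups":["CORP\\\\Domain Users","CORP\\\\wiki-editors"]}';
print_r(mapToMwGroups(parseGroupsJson($sample), $wgAdGroupToMwGroup));
```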