
DokuWiki on Windows 2003/IIS with SSO and Active Directory authentication

How to install DokuWiki on Windows Server 2003 with IIS, activate single sign-on (NTLM) and use Active Directory for user and group access control.

This instruction was tested with DokuWiki 2008-05-05, Windows Server 2003 R2 SP2, PHP 5.2.6 (nts, non-thread safe), adLDAP 2.1.

SSO (Single Sign-On, aka seamless authentication) tested with Windows XP SP3 (member of AD domain) and Internet Explorer 6.

DokuWiki - http://www.splitbrain.org/projects/dokuwiki
PHP – http://www.php.net, (download ZIP-file, nts/non-thread safe)
adLDAP - http://adldap.sourceforge.net/
FastCGI - http://www.microsoft.com/downloads/details.aspx?FamilyID=2d481579-9a7c-4632-b6e6-dee9097f9dc5&displaylang=en
Ntlm.class.php/dokuwiki_auth_ldap_1.3.zip - http://www.nosq.com/download/dokuwiki_auth_ldap_1.3.zip

Install DokuWiki with FastCGI on IIS

FastCGI reference - http://www.iis.net/fastcgi/phpon60

  1. Unpack PHP (nts, Non-thread safe) to C:\Bin\PHP. Make sure ”Authenticated Users” has at least Read/Execute on C:\Bin\PHP (and below), otherwise PHP won't work in IIS.
  2. Copy C:\Bin\PHP\php.ini-recommended to C:\Bin\PHP\php.ini. Edit C:\Bin\PHP\php.ini, uncomment/add/change:
    include_path = ".;c:\bin\php\includes"
    extension_dir = "C:\Bin\PHP\ext"
    cgi.force_redirect = 0
    extension=php_ldap.dll
    cgi.fix_pathinfo=1
    fastcgi.impersonate = 1
    upload_tmp_dir = C:\Inetpub\wwwroot\dokuwiki\data\upload_tmp_dir
  3. Install IIS. Standard installation (Control Panel → Add or Remove Programs → Windows Components → Application Server → select IIS).
  4. Install FastCGI for IIS6, just run the MSI package.
  5. Start a command prompt, go to C:\Windows\System32\inetsrv and run:
    cscript fcgiconfig.js -add -section:"PHP" -extension:php -path:"C:\Bin\PHP\php-cgi.exe"
    cscript fcgiconfig.js -set -section:"PHP" -InstanceMaxRequests:10000
    cscript fcgiconfig.js -set -section:"PHP" -EnvironmentVars:PHP_FCGI_MAX_REQUESTS:10000
  6. Unpack DokuWiki into the IIS directory structure, e.g. C:\Inetpub\wwwroot\dokuwiki. This instruction has only been tested with DokuWiki in the standard IIS directory structure.
  7. Create C:\Inetpub\wwwroot\dokuwiki\data\upload_tmp_dir. When files are uploaded to DokuWiki (images etc), they will inherit the access rights from the upload directory. PHP moves the file to the correct destination in the media file structure.
  8. [Optional but highly recommended] Add Active Directory groups to the access rights of the dokuwiki folder. Example: add the groups dw_admins, dw_edit and dw_readonly; dw_admins and dw_edit get “full control”, dw_readonly gets “read”. Note that write access on the web root also lets dw_edit members change the wiki's PHP files, not just its content; if that is not acceptable, give dw_edit “read” here and write access on dokuwiki\data only (steps 10 and 11), which is all that editing pages needs.
  9. [Optional but highly recommended] Remove permission inheritance (copy current) on dokuwiki\conf, replace permissions on all child objects. Give the local IUSR_<computername> user full control, remove the dw_edit and dw_readonly group permissions (editors and readers have no business writing to the configuration).
  10. [Optional but highly recommended] Remove permission inheritance (copy current) on dokuwiki\data, replace permissions on all child objects. Give the local IUSR_<computername> user full control.
  11. [Optional but highly recommended] Remove permission inheritance (copy current) on dokuwiki\data\cache, replace permissions on all child objects. Give dw_readonly “modify” permissions: once anonymous access is switched off (SSO section below) PHP runs with fastcgi.impersonate = 1 as the requesting user, and read-only users must still be able to write rendered pages into the cache.
  12. Create a virtual web for DokuWiki in IIS: in Internet Information Services (IIS) Manager, right-click Web Sites → New → Web Site. Choose a port, select C:\Inetpub\wwwroot\dokuwiki (allow anonymous access for now; it is switched off again in the SSO section below) and make sure the Execute permission is selected.
  13. Right-click the dokuwiki virtual web → Properties → Documents → Add… → insert ”index.php” and move it to the top of the list.
  14. Run the configuration script, http://yourdokuwikiservername:port/install.php. Select a “Closed Wiki” if you intend to use ACL settings to control access (this instruction is tested on a closed wiki). If local.php can't be created, make sure that the local IUSR_<computername> user has full control on the …\dokuwiki\conf and …\dokuwiki\data directories (and below).
  15. Delete C:\Inetpub\wwwroot\dokuwiki\install.php (renaming it to something else is the minimum), so that the installer cannot be reached once the wiki is configured.
  16. Open a browser and go to http://yourdokuwikiservername:port/. The first page of DokuWiki should come up, if not, check IIS Documents setting (index.php should be there) and access rights to C:\bin\php (Authenticated Users, see above).
  17. Add Active Directory group permissions to the ACL settings, i.e. add @dw_admins to the root namespace and give the group the highest permission level.
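Before moving on to SSO it pays to verify the preconditions of the steps above from inside PHP rather than by clicking through dialogs. The following script is an added example, not part of the original page or of DokuWiki; it assumes the paths used in the instruction (C:\Bin\PHP and C:\Inetpub\wwwroot\dokuwiki) and the function names are its own. It reads the loaded php.ini directly, probes the directories the wiki writes to by actually creating a file in them, and reports whether install.php is still present.

```php
<?php
// check_dokuwiki_iis.php: an added example, not part of the original page or of DokuWiki.
// Verifies the php.ini settings and directory permissions the steps above depend on.
// Run it twice and delete it afterwards:
//   1. from a command prompt:  C:\Bin\PHP\php.exe -c C:\Bin\PHP\php.ini check_dokuwiki_iis.php
//   2. through IIS (copy it next to doku.php and open it in the browser), because with
//      fastcgi.impersonate = 1 the web request runs under the impersonated IIS account,
//      and only then do the "writable" probes tell you what the wiki itself can do.
// The wiki root defaults to the path used in the instruction; pass another one as argument.

// PHP 5.2 on Windows answers is_writable() from the read-only attribute rather than from
// NTFS ACLs, so probe by actually creating a file. tempnam() silently falls back to the
// system temp directory when $dir is not writable, hence the check on where the file landed.
function dir_writable($dir) {
    if (!is_dir($dir)) {
        return false;
    }
    $probe = @tempnam($dir, 'chk');
    if ($probe === false) {
        return false;
    }
    $ok = (strtolower(realpath(dirname($probe))) === strtolower(realpath($dir)));
    @unlink($probe);
    return $ok;
}

// Which Windows account this request runs as. IIS exposes the impersonated user in
// AUTH_USER; an anonymous request runs as the IIS anonymous account (IUSR_<computername>).
function php_runs_as() {
    if (php_sapi_name() === 'cli') {
        return getenv('USERNAME');
    }
    return empty($_SERVER['AUTH_USER']) ? 'the IIS anonymous account' : $_SERVER['AUTH_USER'];
}

function check_dokuwiki_iis($wikiRoot) {
    $results = array();
    // get_cfg_var() reads the loaded php.ini itself, so the cgi.* and fastcgi.* directives
    // are visible even from php.exe, whose CLI SAPI does not register them for ini_get().
    $ini = get_cfg_var('cfg_file_path');
    $results['php.ini in use'] = $ini ? $ini : 'FAIL: no php.ini loaded';

    // Step 2: directives FastCGI on IIS needs
    $expected = array('cgi.force_redirect' => '0', 'cgi.fix_pathinfo' => '1', 'fastcgi.impersonate' => '1');
    foreach ($expected as $key => $want) {
        $have = get_cfg_var($key);
        $results[$key] = ($have !== false && (string)$have === $want) ? 'ok' : "FAIL: is '$have', expected '$want'";
    }

    // Step 2 and SSO step 2: adLDAP needs the ldap extension
    $results['extension=php_ldap.dll'] = extension_loaded('ldap') ? 'ok' : 'FAIL: ldap extension not loaded';

    // Step 7: upload_tmp_dir must exist and be writable, or media uploads fail
    $tmp = get_cfg_var('upload_tmp_dir');
    $results['upload_tmp_dir'] = ($tmp && dir_writable($tmp)) ? 'ok' : "FAIL: '$tmp' missing or not writable";

    // Steps 9 to 11 and 14: directories the wiki writes to
    foreach (array('conf', 'data', 'data\\cache', 'data\\pages', 'data\\media') as $sub) {
        $results["write $sub"] = dir_writable($wikiRoot . '\\' . $sub) ? 'ok' : 'FAIL: not writable by ' . php_runs_as();
    }

    // Steps 14 and 15: the installer must have run, and must no longer be reachable
    $results['conf\\local.php'] = file_exists($wikiRoot . '\\conf\\local.php') ? 'ok' : 'FAIL: missing, installer not run?';
    $results['install.php removed'] = file_exists($wikiRoot . '\\install.php') ? 'FAIL: still present' : 'ok';

    return $results;
}

$wikiRoot = isset($argv[1]) ? $argv[1] : 'C:\\Inetpub\\wwwroot\\dokuwiki';
$nl = (php_sapi_name() === 'cli') ? "\n" : "<br>\n";
echo 'Checking ' . $wikiRoot . ' as ' . php_runs_as() . ' (SAPI ' . php_sapi_name() . ')' . $nl;
foreach (check_dokuwiki_iis($wikiRoot) as $check => $state) {
    echo str_pad($check, 28) . $state . $nl;
}
```

The command-line run tells you whether php.ini and the LDAP extension are right; the run through IIS, with a browser logged on as a dw_readonly member once SSO is enabled, tells you whether the NTFS permissions of steps 8 to 11 actually let that account write the cache and nothing else. Remove the script from the web root when you are done.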

NTLM Single Sign-On with Active Directory authentication

Reference - http://tdoks.blogspot.com/2007/04/setting-up-dokuwiki-on-iis-with.html

  1. Verify that @dw_admins has correct ACL permissions in the Wiki.
  2. Verify that PHP has the extension for LDAP activated.
  3. Create the directory C:\Bin\PHP\Includes, copy adLDAP.php there and edit it. The bind account's password is stored here in clear text, and C:\Bin\PHP is readable by Authenticated Users (step 1 above), so use a dedicated account that has no rights beyond reading the directory:
    var $_account_suffix="@yourdomain.tld";
    var $_base_dn = "DC=yourdomain,DC=tld"; 
    var $_domain_controllers = array ("yourdc1.yourdomain.tld","yourdc2.yourdomain.tld");
    var $_ad_username="<a regular non-admin AD user>";
    var $_ad_password="<the regular non-admin AD user's password>";
    var $_real_primarygroup=false;
  4. Unpack ntlm.class.php (from dokuwiki_auth_ldap_1.3.zip) to C:\Inetpub\wwwroot\dokuwiki\inc\auth and edit it:
    require_once('adLDAP.php'); // <- Original file uses wrong file name!
     
    // Replace the existing function with this one, which only re-encodes the group name:
    function _sanitizeGroupName($name) {
      $sName=iconv("UTF-8","ISO-8859-1",$name);
      return $sName;
    }
     
    // Uncomment the NTLM section in checkPass() and comment out the last return, so the
    // password is no longer checked against AD. What remains is a pure trust decision:
    // if IIS filled in AUTH_USER and AUTH_TYPE, it has already authenticated the client
    // (this is why anonymous access is switched off in step 8). Note that $user and
    // $pass are not compared with AUTH_USER here.
    function checkPass($user, $pass){
      // verify that IIS has authenticated this person via NTLM
     
      if(isset($_SERVER['AUTH_USER']) and isset($_SERVER['AUTH_TYPE'])) {
        return true;
      } else {
        return false;
      }
     
      //return $this->adldap->authenticate($user, $pass);
    }
  5. Create the file C:\Inetpub\wwwroot\dokuwiki\conf\local.protected.php:
    <?php
     
    $conf['useacl']      = 1;
    $conf['openregister']= 0;
    $conf['authtype']    = 'ntlm'; 
    $conf['passcrypt']   = 'ssha';
    $conf['autopasswd']  = 0;
    $conf['auth']['ntlm']['debug'] = 0;
     
    // Active Directory group that is superuser for DokuWiki
    $conf['superuser'] = '@dw_admins';
     
    // Strip the NT domain from AUTH_USER ("DOMAIN\username" -> "username") before DokuWiki sees it.
    // explode() is used instead of the POSIX-regex split(), which is deprecated from PHP 5.3 and gone in 7.
    if (isset($_SERVER['AUTH_USER']) and !isset($_SESSION[$conf['title']]['auth']['info'])) {
      $parts = explode("\\", strtolower($_SERVER['AUTH_USER']), 2);
      $_GET['u'] = end($parts);   // the part after the backslash, or the whole name if there is none
    }
  6. Verify that C:\Inetpub\wwwroot\dokuwiki\conf\local.php includes local.protected.php, if not add (not necessary in DokuWiki-2009-02-14+):
    @include(DOKU_CONF.'local.protected.php');
  7. Start a command prompt, go to C:\Bin\PHP and verify that the above edits are correct:
    php.exe -l c:\Bin\php\includes\adLDAP.php
    php.exe -l c:\Inetpub\wwwroot\dokuwiki\conf\local.protected.php
    php.exe -l c:\Inetpub\wwwroot\dokuwiki\inc\auth\ntlm.class.php

    The result should be “No syntax errors detected in …” on all files.

  8. Disable anonymous access on the virtual web: in Internet Information Services (IIS) Manager, right-click the DokuWiki virtual web → Properties → Directory Security → (Authentication and access control) Edit… → deselect “Enable anonymous access” and verify that “Integrated Windows authentication” is selected (and that “Basic authentication” is not: over plain http it would send domain passwords in clear text).
  9. Close down your web browser, start a new session (with a user that is a member of the dw_admins group) and go to http://yourdokuwikiserver:port/. If all is correct, you should be automatically authenticated and logged on in DokuWiki. If SSO doesn't work, re-add Anonymous Access on the virtual web and verify everything above. If you need to log on as dokuwiki local admin: comment out the lines for ”authtype” and ”superuser” in local.protected.php.
  10. When everything works as expected, log in as an admin user and set ACL's to your taste.
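The checkPass() edit in step 4 and the AUTH_USER handling in step 5 both rest on one assumption: whatever IIS put into AUTH_USER is the user DokuWiki logs in, and nothing else. The following is an added example, not the page's or DokuWiki's own code, showing the stricter version of that trust decision a practitioner would want. It assumes only the variables IIS sets for Integrated Windows authentication ($_SERVER['AUTH_USER'] as "DOMAIN\user" or "user@domain.tld", and $_SERVER['AUTH_TYPE']); the function names are this example's own, and the sample requests are constructed, not captured from a real server.

```php
<?php
// Added example (not the page's or DokuWiki's own code): a stricter NTLM trust decision
// for the ntlm.class.php / local.protected.php edits above.
// Assumes only what IIS sets for Integrated Windows authentication:
// $_SERVER['AUTH_USER'] ("DOMAIN\user" or "user@domain.tld") and $_SERVER['AUTH_TYPE'].

// Map what IIS put in AUTH_USER to the lower-case account name DokuWiki will use:
// "CORP\Alice" -> "alice", "bob@corp.example" -> "bob", "carol" -> "carol".
// Returns null for an empty value or a name that cannot be a sAMAccountName, so
// that nothing odd reaches the ACL layer.
function ntlm_username_from_auth_user($authUser) {
    $name = trim((string)$authUser);
    if (($pos = strrpos($name, '\\')) !== false) {
        $name = substr($name, $pos + 1);            // strip "DOMAIN\"
    } elseif (($pos = strpos($name, '@')) !== false) {
        $name = substr($name, 0, $pos);             // strip "@domain.tld"
    }
    // characters Active Directory does not allow in a sAMAccountName
    if ($name === '' || strpbrk($name, '"/\\[]:;|=,+*?<>') !== false) {
        return null;
    }
    return strtolower($name);
}

// Decide whether DokuWiki may treat $user as logged in. Unlike the checkPass() above,
// which returns true whenever AUTH_USER and AUTH_TYPE exist, this also requires that
// (a) the scheme really was NTLM or Negotiate (IIS can also be configured for Basic), and
// (b) the name DokuWiki is about to log in as is the one IIS authenticated.
// $server is passed in instead of reading $_SERVER so the function can be exercised offline.
function ntlm_check_pass($user, array $server) {
    if (empty($server['AUTH_USER']) || empty($server['AUTH_TYPE'])) {
        return false;                               // anonymous request: IIS authenticated nobody
    }
    $type = strtolower($server['AUTH_TYPE']);
    if ($type !== 'ntlm' && $type !== 'negotiate') {
        return false;
    }
    $authenticated = ntlm_username_from_auth_user($server['AUTH_USER']);
    return $authenticated !== null && strtolower(trim((string)$user)) === $authenticated;
}

// Constructed sample requests (not captured from a real server), with the expected outcome.
$cases = array(
    array('u' => 'alice', 'server' => array('AUTH_USER' => 'CORP\\Alice',      'AUTH_TYPE' => 'NTLM'),      'expect' => true),
    array('u' => 'bob',   'server' => array('AUTH_USER' => 'bob@corp.example', 'AUTH_TYPE' => 'Negotiate'), 'expect' => true),
    array('u' => 'alice', 'server' => array('AUTH_USER' => 'CORP\\bob',        'AUTH_TYPE' => 'NTLM'),      'expect' => false), // name mismatch
    array('u' => 'alice', 'server' => array('AUTH_USER' => 'CORP\\alice',      'AUTH_TYPE' => 'Basic'),     'expect' => false), // wrong scheme
    array('u' => 'alice', 'server' => array(),                                                               'expect' => false), // anonymous
);
foreach ($cases as $c) {
    $got = ntlm_check_pass($c['u'], $c['server']);
    printf("%-7s %-18s %-10s -> %s%s\n", $c['u'],
        isset($c['server']['AUTH_USER']) ? $c['server']['AUTH_USER'] : '(none)',
        isset($c['server']['AUTH_TYPE']) ? $c['server']['AUTH_TYPE'] : '(none)',
        $got ? 'login' : 'deny',
        $got === $c['expect'] ? '' : '   <-- UNEXPECTED');
}
```

To wire this into the setup above, checkPass() in ntlm.class.php would become `return ntlm_check_pass($user, $_SERVER);` and the block in local.protected.php would set `$_GET['u'] = ntlm_username_from_auth_user($_SERVER['AUTH_USER']);`, skipping the login when that returns null. The difference from the original edit is that a request which somehow carries a different u parameter than the account IIS authenticated is denied instead of logged in under that other name.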

Known problems and limitations

  • I have not been able to install a functional WYSIWYG editor in the above IIS environment. Updated plugins (without Perl dependencies) may solve this in the future.
  • Several plugins behave strangely; most of them work better in an Apache/Linux environment.
  • Mozilla Firefox users have to add the wiki's host name to network.automatic-ntlm-auth.trusted-uris (about:config) before Firefox signs on automatically with NTLM, see http://www.shog9.com/log/archives/7-Painless-NTLM-authentication-in-Firefox.html
  • All clients have to authenticate against Active Directory. This means that Linux (and other non-Windows/AD) users who do not authenticate with AD will not be able to use the wiki.
install/iis_and_sso.1236267570.txt.gz · Last modified: 2009-10-28 11:42 (external edit)

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International