This page contains a high-level overview of the authentication process of Next Active Directory Integration (ADI).

  • Based upon the entered username and the profile configuration of the current site, the UPN suffix is extracted. The UPN suffix is required to distinguish accounts in different domains that share the same account name, because a sAMAccountName is only unique within a single domain. Because of this we use the userPrincipalName as the identifier and not the sAMAccountName attribute.
  • For each authenticatable UPN suffix we try to authenticate against the corresponding Active Directory domain.
    • If the first domain controller is unavailable, the second, third and so on are tried. All domain controllers configured for a suffix are assumed to belong to the same domain.
    • If authentication fails, the brute force protection records the failed attempt for the current user principal name and the next authenticatable suffix is tried.
  • After successful authentication the user's Active Directory security groups are mapped to WordPress roles.
    • If Permissions > Authorize by group membership is enabled, the user must belong to at least one of the Active Directory security groups defined by Permissions > Authorization group(s); otherwise authentication fails.
  • The user is created or updated. Based upon the user's Active Directory attributes, ADI determines whether the user already exists in the WordPress database or needs a new WordPress account.
  • After the create/update step, ADI checks whether the Active Directory account is disabled. If it is, authentication fails. Because this check runs after the create/update step, the WordPress user record of a disabled account has already been created or updated by the time the login is rejected.
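The steps above, carried through as an added Python model of the flow (a constructed example, not the plugin's own code; the plugin is written in PHP and its real LDAP binding, role mapping and WordPress storage are not reproduced here). The directory contents, domain controllers, profile and brute force counter are in-memory stand-ins. Two details the page leaves open are assumptions of this model: a username entered without `@` is tried against every configured suffix in profile order, and a UPN that is currently blocked by the brute force protection is skipped rather than tried. The order of the last two steps is kept deliberately, so the model shows that a disabled account still gets its WordPress record written before the login is rejected.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AdUser:
    upn: str                  # userPrincipalName, unique across the forest
    password: str             # constructed stand-in for the LDAP bind credential
    groups: frozenset         # AD security group names
    disabled: bool = False    # the userAccountControl "disabled" state


@dataclass
class DomainController:
    name: str
    online: bool
    users: dict               # upn -> AdUser (stand-in for the directory)

    def bind(self, upn: str, password: str) -> Optional[AdUser]:
        """Stand-in for an LDAP bind followed by the attribute lookup."""
        user = self.users.get(upn)
        return user if user is not None and user.password == password else None


@dataclass
class Profile:
    suffixes: dict            # UPN suffix -> ordered list of DomainController
    authorize_by_group: bool = False
    authorization_groups: frozenset = frozenset()
    role_mapping: dict = field(default_factory=dict)   # AD group -> WP role
    max_failures: int = 3


class BruteForceProtection:
    """Counts failed binds per UPN; blocked once the limit is reached."""
    def __init__(self, limit: int):
        self.limit, self.failures = limit, {}

    def blocked(self, upn): return self.failures.get(upn, 0) >= self.limit
    def record_failure(self, upn): self.failures[upn] = self.failures.get(upn, 0) + 1
    def reset(self, upn): self.failures.pop(upn, None)


def candidate_suffixes(username: str, profile: Profile):
    """Step 1: split off the UPN suffix, or (assumption) try all configured ones."""
    if "@" in username:
        sam, suffix = username.rsplit("@", 1)
        return sam, ([suffix] if suffix in profile.suffixes else [])
    return username, list(profile.suffixes)


def bind_with_failover(dcs, upn, password):
    """Step 2a: use the first reachable DC; returns (reached_any_dc, user_or_None)."""
    for dc in dcs:
        if dc.online:
            return True, dc.bind(upn, password)
    return False, None


def login(username, password, profile, bf, wp_users):
    sam, suffixes = candidate_suffixes(username, profile)
    ad_user = None
    for suffix in suffixes:
        upn = f"{sam}@{suffix}"
        if bf.blocked(upn):           # assumption: blocked UPNs are not even tried
            continue
        reached, user = bind_with_failover(profile.suffixes[suffix], upn, password)
        if not reached:               # no DC reachable: not a credential failure
            continue
        if user is None:              # step 2b: count the failure, try next suffix
            bf.record_failure(upn)
            continue
        ad_user = user
        break
    if ad_user is None:
        return {"status": "failed"}
    bf.reset(ad_user.upn)
    # Step 3: group authorization and role mapping
    if profile.authorize_by_group and not (ad_user.groups & profile.authorization_groups):
        return {"status": "unauthorized", "upn": ad_user.upn}
    roles = sorted({profile.role_mapping[g] for g in ad_user.groups if g in profile.role_mapping})
    # Step 4: create or update the WordPress user, keyed by UPN
    wp_users[ad_user.upn] = {"roles": roles}
    # Step 5: the disabled check runs only after the record has been written
    if ad_user.disabled:
        return {"status": "disabled", "upn": ad_user.upn}
    return {"status": "ok", "upn": ad_user.upn, "roles": roles}


def make_profile(authorize_by_group=False) -> Profile:
    """Constructed sample directory: 'jdoe' exists in two domains, one DC is down."""
    corp = {"jdoe@corp.example": AdUser("jdoe@corp.example", "corp-pw", frozenset({"Staff", "WP-Admins"})),
            "old@corp.example": AdUser("old@corp.example", "old-pw", frozenset({"Staff"}), disabled=True)}
    eu = {"jdoe@eu.example": AdUser("jdoe@eu.example", "eu-pw", frozenset({"Staff"})),
          "guest@eu.example": AdUser("guest@eu.example", "guest-pw", frozenset())}
    return Profile(
        suffixes={"corp.example": [DomainController("dc1.corp", False, corp),
                                   DomainController("dc2.corp", True, corp)],
                  "eu.example": [DomainController("dc1.eu", True, eu)]},
        authorize_by_group=authorize_by_group,
        authorization_groups=frozenset({"Staff"}),
        role_mapping={"WP-Admins": "administrator", "Staff": "subscriber"},
    )
```

Calling `login("jdoe", "eu-pw", ...)` against this profile first fails the bind for `jdoe@corp.example` (one failure recorded against that UPN), then succeeds for `jdoe@eu.example`, which is exactly why the UPN and not the sAMAccountName is the identifier. Logging in as `old` returns `disabled`, yet `old@corp.example` is present in `wp_users` afterwards.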