IIS6 and Authentication across Servers and Domains
jamesaevans@hotmail.com 2005-05-24, 8:37 am
Hi,
I am hoping that someone may be able to help me resolve the following
issue when trying to authenticate across servers and domains.
Each of the client computers will be a member of one domain (Domain_A)
and each of the servers will be a member of a second domain (Domain_B).
The user will log in to each domain with a separate username and
password held in Active Directory.
A trust is currently not in place between these two domains and it is
unlikely that one can be created. As the user's device is not in the
same domain as the servers I am using Basic authentication (configured
for IIS on all servers) rather than Integrated authentication. Is this
the correct approach?
I am trying to achieve the following scenario:
1) The user logs onto their client device in the first domain e.g.
Domain_A\User_A
2) The user launches IE6 and enters the URL of a web page on one of the
servers in the second domain e.g. http://Domain_B/Server_1/Index.html
3) The user is prompted to enter their username and password for the
second domain to access the webpage e.g. Domain_B\User_1
4) The web page is displayed to the user. The web page contains
personalised content, so I cannot use an anonymous login.
So far so good
5) The user clicks on a link to a web page on another server in the
second domain e.g. http://Domain_B/Server_2/Index.html and the web page
is displayed
At this point the user is prompted to enter their username and password
for a second time. Is it possible to display the web page on the
second server without requiring the user to re-enter the same username
and password they provided when accessing the first server?
All suggestions would be most appreciated.
James

Ken Schaefer 2005-05-24, 8:37 am
<jamesaevans@hotmail.com> wrote in message
news:1116937988.368720.264950@g43g2000cwa.googlegroups.com...
: A trust is currently not in place between these two domains and it is
: unlikely that one can be created. As the user's device is not in the
: same domain as the servers I am using Basic authentication (configured
: for IIS on all servers) rather than Integrated authentication. Is this
: the correct approach?
Since you are connecting to an IIS server in DomainB, whether you use Basic,
Digest or Integrated is irrelevant. The only thing that won't work is
Kerberos authentication (unless you create the trust), but the NTLM part of
IWA will work.
: I am trying to achieve the following scenario:
:
: 5) The user clicks on a link to a web page on another server in the
: second domain e.g. http://Domain_B/Server_2/Index.html and the web page
: is displayed
:
: At this point the user is prompted to enter their username and password
: for a second time. Is it possible to display the web page on the
: second server without requiring the user to re-enter the same username
: and password they provided when accessing the first server?
You need to look at SSO (single sign on) solutions. A browser doesn't send
the user's credentials (especially using Basic authentication, which has the
username and password in clear text) to any old server on the internet
without the user's permission. Just because the user OKed sending the
credentials doesn't mean that the browser is going to take it upon itself to
send these clear-text credentials to some other arbitrary server on the
'net.
Cheers
Ken
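
An added illustration of the two points in the reply above (not code from the thread or its participants): a Basic Authorization header is only base64-encoded, and a browser keeps cached Basic credentials scoped to the server and realm that challenged for them, which is why the second server prompts again. The hostnames, the password and the simplified cache model are assumptions made for the example.

```python
import base64
from urllib.parse import urlsplit

def basic_header(user, password):
    """Build the Authorization value for Basic auth: base64 encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def decode_basic(header):
    """Recover (user, password) from a header, as anyone who can read the request could."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

class CredentialCache:
    """Simplified model (assumption) of a browser's Basic credential cache."""
    def __init__(self):
        self._store = {}

    @staticmethod
    def _key(url, realm):
        # Credentials are scoped to scheme + host + port + realm, never shared wider.
        u = urlsplit(url)
        port = u.port or {"http": 80, "https": 443}[u.scheme]
        return (u.scheme, u.hostname, port, realm)

    def remember(self, url, realm, user, password):
        self._store[self._key(url, realm)] = basic_header(user, password)

    def header_for(self, url, realm):
        """Return the cached header, or None, meaning the user is prompted."""
        return self._store.get(self._key(url, realm))

def demo():
    # Constructed sample: hypothetical hosts standing in for Server_1 and Server_2.
    cache = CredentialCache()
    cache.remember("http://server1.domain-b.example/Index.html",
                   "Domain_B", "Domain_B\\User_1", "S3cret!")
    same = cache.header_for("http://server1.domain-b.example/other.html", "Domain_B")
    other = cache.header_for("http://server2.domain-b.example/Index.html", "Domain_B")
    return same, other

if __name__ == "__main__":
    same, other = demo()
    print("server1:", same, "->", decode_basic(same))
    print("server2:", other, "(None means a new prompt)")
```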