IIS Server Security - Re: change authentication protocol


Author Re: change authentication protocol
dareag

2007-02-26, 1:18 pm

Thanks for the response.

Just to confirm, not all users will have an account in the AD domain. I
would like to achieve single sign-on (SSO) where possible.

So I will allow NTLM first and then use Basic. I'm not sure about running 2
different VDIRs, I guess I'll need to try it. The other thought was to use a
filter to remove NTLM after the first 401 failure, and then get IIS to use
Basic so that I can validate against my local database.

Many Thanks

Dave
--
regards Dave


"DaveMo" wrote:

> On Feb 24, 12:28 am, "Kirit Sælensminde"
> <kirit.saelensmi...@gmail.com> wrote:
>
> Hi Dave,
>
> Will your users that have a valid AD account be connecting through
> workstations that are joined to the domain? I'm trying to understand
> whether you would like to preserve the good user experience of
> intranet SSO that you normally get with AD credentials in this
> scenario.
>
> If so then you want to try NTLM first (anonymous not allowed). This
> allows IIS to challenge the browser session for default creds that
> might work. If the default creds don't work, i.e. the user's not
> logged on with his AD creds, then before IIS returns an error for
> unauthenticated access you'd want to trap that and instead initiate a
> Basic logon sequence via a redirect to another page. I think I would
> probably prefer forms-based authentication for the scenario, but
> that's up to you of course.
>
> I don't know if you have to do something like create two versions of
> the app in two different VDIRs in order to make this work. I've had
> that thought before when trying to figure out how to make IIS use two
> completely different forms of AuthN but have never gone through the
> process of trying to set it up to see how it works.
>
> HTH.
>
> Dave
>
>
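
The fallback discussed in this thread (offer NTLM first, then drop NTLM and offer Basic against a local database once NTLM has failed), as an added example that is not code from the thread and not an IIS filter. It models only which `WWW-Authenticate` challenges go out; `respond`, `ntlm_step`, `LOCAL_USERS` and the rule that Basic is offered only over TLS are assumptions of this model.

```python
import base64
import hmac

# Constructed stand-in for the poster's local database (store hashes in practice).
LOCAL_USERS = {"guest1": "example-password"}

def check_basic(payload):
    """Return the user name if the Basic credentials match LOCAL_USERS, else None."""
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    expected = LOCAL_USERS.get(user)
    if not sep or expected is None:
        return None
    return user if hmac.compare_digest(password.encode(), expected.encode()) else None

def respond(authorization, ntlm_failed, is_tls, ntlm_step):
    """Model one request. Returns (status, challenges, user, ntlm_failed).

    ntlm_step is a hypothetical callback for the Windows side: given the NTLM
    token it returns ("challenge", token), ("ok", user) or ("fail", None).
    """
    scheme, _, payload = (authorization or "").partition(" ")
    scheme = scheme.lower()
    if scheme == "ntlm" and not ntlm_failed:
        outcome, value = ntlm_step(payload)
        if outcome == "ok":
            return 200, [], value, False
        if outcome == "challenge":
            # Mid-handshake 401: not a failure, NTLM must stay on offer.
            return 401, ["NTLM " + value], None, False
        ntlm_failed = True  # handshake finished without a valid AD identity
    elif scheme == "basic" and ntlm_failed and is_tls:
        user = check_basic(payload)
        if user:
            return 200, [], user, True
    if not ntlm_failed:
        return 401, ["NTLM"], None, False
    if not is_tls:
        # Basic is only base64, so never solicit it over plain HTTP.
        return 403, [], None, True
    return 401, ['Basic realm="local"'], None, True
```

The `"challenge"` branch is the case a filter keyed on "the first 401" has to get right: the NTLM handshake itself includes a 401 carrying the server challenge, and stripping NTLM at that point would break SSO for domain users.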


Copyright 2003 - 2008 webservertalk.com