Transfer authentication token - how to single sign-on

Discussion in 'ASP .Net Security' started by Dave Slinn, Nov 13, 2005.

  1. Dave Slinn

    Dave Slinn Guest

    We have an ASP.NET app that uses Forms Authentication, but we wrote the
    authentication piece to query Active Directory for credentials approval.
    This is all working fine, but what I would like to do is provide a link
    from our asp.net app to an Outlook Web Access server. When I do this,
    however, the Integrated Windows Authentication of OWA prompts the user for
    their password again. Is there any way to "pass" the approved Windows
    security token from our application to the Exchange server running OWA so
    the user is not prompted for their password if they have already authorized
    themselves to us? (Basically, how do you accomplish single sign-on with a
    Microsoft network... all users will be kept in a Windows 2003 Active
    Directory domain).

    - Thanks, Dave
     
    Dave Slinn, Nov 13, 2005
    #1

  2. Hello Dave,

    First of all - no, you cannot do that.

    But why does OWA prompt for credentials?? Aren't your users domain users?
    SSO should work out of the box ??!!

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > We have an ASP.NET app that uses Forms Authentication, but we wrote
    > the authentication piece to query Active Directory for credentials
    > approval. This is all working fine, but what I would like to do is
    > provide a link from from our asp.net app to an Outlook Web Access
    > server. When I do this, however, the Integrated Windows
    > Authentication of OWA prompts the user for their password again. Is
    > there any way to "pass" the approved Windows security token from our
    > application to the Exchange server running OWA so the user is not
    > prompted for their password if they have already authorized themselves
    > to us? (Basically, how do you accomplish single sign-on with a
    > Microsoft network... all users will be kept in a Windows 2003 Active
    > Directory domain).
    >
    > - Thanks, Dave
    >
     
    Dominick Baier [DevelopMentor], Nov 13, 2005
    #2

  3. Note that with Windows Server R2 and the new single sign on features in the
    Federated Identity system, you might be able to build something like this.
    It would depend on whether the new system supports OWA yet and you were
    willing to use the Federated identity system with your web app instead of
    the ASP.NET forms auth you implemented.

    Note that Dominick is absolutely right here in general.

    Joe K.

    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > Hello Dave,
    >
    > first of all - no you cannot do that.
    >
    > But why does OWA prompt for credentials?? aren't your users domain users?
    > SSO should work out of the box ??!!
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    >> We have an ASP.NET app that uses Forms Authentication, but we wrote
    >> the authentication piece to query Active Directory for credentials
    >> approval. This is all working fine, but what I would like to do is
    >> provide a link from from our asp.net app to an Outlook Web Access
    >> server. When I do this, however, the Integrated Windows
    >> Authentication of OWA prompts the user for their password again. Is
    >> there any way to "pass" the approved Windows security token from our
    >> application to the Exchange server running OWA so the user is not
    >> prompted for their password if they have already authorized themselves
    >> to us? (Basically, how do you accomplish single sign-on with a
    >> Microsoft network... all users will be kept in a Windows 2003 Active
    >> Directory domain).
    >>
    >> - Thanks, Dave
    >>

    >
    >
     
    Joe Kaplan \(MVP - ADSI\), Nov 14, 2005
    #3
  4. Dave Slinn

    Dave Slinn Guest

    I will investigate the Federated Identity system you indicated.

    The reason OWA prompts for credentials is because the users are hitting this
    server from the Internet. Even though they are domain users, they haven't
    "logged on" to the network.

    "Joe Kaplan (MVP - ADSI)" <> wrote
    in message news:...
    > Note that with Windows Server R2 and the new single sign on features in
    > the Federated Identity system, you might be able to build something like
    > this. It would depend on whether the new system supports OWA yet and you
    > were willing to use the Federated identity system with your web app
    > instead of the ASP.NET forms auth you implemented.
    >
    > Note that Dominick is absolutely right here in general.
    >
    > Joe K.
    >
    > "Dominick Baier [DevelopMentor]" <>
    > wrote in message news:...
    >> Hello Dave,
    >>
    >> first of all - no you cannot do that.
    >>
    >> But why does OWA prompt for credentials?? aren't your users domain users?
    >> SSO should work out of the box ??!!
    >>
    >> ---------------------------------------
    >> Dominick Baier - DevelopMentor
    >> http://www.leastprivilege.com
    >>
    >>> We have an ASP.NET app that uses Forms Authentication, but we wrote
    >>> the authentication piece to query Active Directory for credentials
    >>> approval. This is all working fine, but what I would like to do is
    >>> provide a link from from our asp.net app to an Outlook Web Access
    >>> server. When I do this, however, the Integrated Windows
    >>> Authentication of OWA prompts the user for their password again. Is
    >>> there any way to "pass" the approved Windows security token from our
    >>> application to the Exchange server running OWA so the user is not
    >>> prompted for their password if they have already authorized themselves
    >>> to us? (Basically, how do you accomplish single sign-on with a
    >>> Microsoft network... all users will be kept in a Windows 2003 Active
    >>> Directory domain).
    >>>
    >>> - Thanks, Dave
    >>>

    >>
    >>

    >
    >
     
    Dave Slinn, Nov 15, 2005
    #4
  5. Hello Dave,

    The federated ID stuff is not even released...

    If the OWA server uses Integrated Auth - and you configure IE to send credentials
    automatically to the OWA site - you will not get the password dialog.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > I will investigate the Federated Identity system you indicated.
    >
    > The reason OWA prompts for credentials is because the users are
    > hitting this server from the Internet. Even though they are domain
    > users, they haven't "logged on" to the network.
    >
    > "Joe Kaplan (MVP - ADSI)" <>
    > wrote in message news:...
    >
    >> Note that with Windows Server R2 and the new single sign on features
    >> in the Federated Identity system, you might be able to build
    >> something like this. It would depend on whether the new system
    >> supports OWA yet and you were willing to use the Federated identity
    >> system with your web app instead of the ASP.NET forms auth you
    >> implemented.
    >>
    >> Note that Dominick is absolutely right here in general.
    >>
    >> Joe K.
    >>
    >> "Dominick Baier [DevelopMentor]"
    >> <> wrote in message
    >> news:...
    >>
    >>> Hello Dave,
    >>>
    >>> first of all - no you cannot do that.
    >>>
    >>> But why does OWA prompt for credentials?? aren't your users domain
    >>> users? SSO should work out of the box ??!!
    >>>
    >>> ---------------------------------------
    >>> Dominick Baier - DevelopMentor
    >>> http://www.leastprivilege.com
    >>>> We have an ASP.NET app that uses Forms Authentication, but we wrote
    >>>> the authentication piece to query Active Directory for credentials
    >>>> approval. This is all working fine, but what I would like to do is
    >>>> provide a link from from our asp.net app to an Outlook Web Access
    >>>> server. When I do this, however, the Integrated Windows
    >>>> Authentication of OWA prompts the user for their password again.
    >>>> Is there any way to "pass" the approved Windows security token from
    >>>> our application to the Exchange server running OWA so the user is
    >>>> not prompted for their password if they have already authorized
    >>>> themselves to us? (Basically, how do you accomplish single sign-on
    >>>> with a Microsoft network... all users will be kept in a Windows
    >>>> 2003 Active Directory domain).
    >>>>
    >>>> - Thanks, Dave
    >>>>
     
    Dominick Baier [DevelopMentor], Nov 15, 2005
    #5
  6. It is definitely true that the federated stuff is not released yet, but R2
    will likely ship before he even has time to get a test setup working. It is
    not very far off at this point.

    If it makes sense for his deployment, I think it is definitely worth looking
    at.

    Joe K.

    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > Hello Dave,
    >
    > the federated ID stuff is not even released...
    >
    > If the OWA server uses Intergrated Auth - and you configure IE to send
    > credentials automatically to the OWA site, you will not get the password
    > dialog.
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
     
    Joe Kaplan \(MVP - ADSI\), Nov 15, 2005
    #6
  7. Hello Joe,

    I am just a little reluctant to jump on that stuff right from the start :)

    But you agree that what he's trying to reach - access to OWA without popping
    up a password dialog - can also (most probably) be accomplished by proper
    configuration of IIS and IE ??


    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > It is definitely true that the federated stuff is not released yet,
    > but R2 will likely ship before he even has time to get a test setup
    > working. It is not very far off at this point.
    >
    > If it makes sense for his deployment, I think it is definitely worth
    > looking at.
    >
    > Joe K.
    >
    > "Dominick Baier [DevelopMentor]"
    > <> wrote in message
    > news:...
    >
    >> Hello Dave,
    >>
    >> the federated ID stuff is not even released...
    >>
    >> If the OWA server uses Intergrated Auth - and you configure IE to
    >> send credentials automatically to the OWA site, you will not get the
    >> password dialog.
    >>
    >> ---------------------------------------
    >> Dominick Baier - DevelopMentor
    >> http://www.leastprivilege.com
     
    Dominick Baier [DevelopMentor], Nov 15, 2005
    #7
  8. It sounds like he's on the public internet though and might not be able to
    take advantage of domain SSO as he might not be using domain member
    workstations or might not have access to the KDCs to get Kerberos tickets
    from the public internet.

    Otherwise, it would certainly make sense to take advantage of the built in
    stuff. Totally agreed there.

    I also wouldn't push someone into ADFS as the first solution, but it sounded
    like it might apply. It is not clear to me whether it works with OWA yet or
    not either, so that might not even be a solution. I'm guessing that it
    could given that other third party SSO solutions like RSA ClearTrust support
    OWA.

    Joe K.

    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > Hello Joe,
    >
    > i am just a little reluctant to jump on that stuff right from the start :)
    >
    > but you agree that what he's trying to reach - access to OWA without
    > popping up a password dialog - can also (most probably) be accomplished by
    > proper configuration of IIS and IE ??
    >
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
     
    Joe Kaplan \(MVP - ADSI\), Nov 15, 2005
    #8
  9. Hello Joe,

    you could use NTLM over SSL - and if IE is configured to send credentials
    automatically - they get SSO - assuming they logged on using cached logon
    credentials.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > It sounds like he's on the public internet though and might not be
    > able to take advantage of domain SSO as he might not be using domain
    > member workstations or might not have access to the KDCs to get
    > Kerberos tickets from the public internet.
    >
    > Otherwise, it would certainly make sense to take advantage of the
    > built in stuff. Totally agreed there.
    >
    > I also wouldn't push someone into ADFS as the first solution, but it
    > sounded like it might apply. It is not clear to me whether it works
    > with OWA yet or not either, so that might not even be a solution. I'm
    > guessing that it could given that other third party SSO solutions like
    > RSA ClearTrust support OWA.
    >
    > Joe K.
    >
    > "Dominick Baier [DevelopMentor]"
    > <> wrote in message
    > news:...
    >
    >> Hello Joe,
    >>
    >> i am just a little reluctant to jump on that stuff right from the
    >> start :)
    >>
    >> but you agree that what he's trying to reach - access to OWA without
    >> popping up a password dialog - can also (most probably) be
    >> accomplished by proper configuration of IIS and IE ??
    >>
    >> ---------------------------------------
    >> Dominick Baier - DevelopMentor
    >> http://www.leastprivilege.com
     
    Dominick Baier [DevelopMentor], Nov 15, 2005
    #9
  10. Dave Slinn

    Dave Slinn Guest

    Hey guys - I totally appreciate all the help and the discussion regarding my
    issue. Joe's right - the users hitting the site are not necessarily running
    on PCs that are members of our domain. For all I know, they could be at
    some internet cafe in Japan, so I have no control over the browser, let
    alone the settings of it.

    All I know for sure, is that they have authenticated themselves with our
    ASP.NET application, and we have authorized them access to a page that
    contains a link to their Outlook Web Access email (running on a different
    port on a different server behind our firewall). Right now, when they click
    that link, the browser dialog appears asking for their username and
    password, and this is confusing some of our users because they have already
    successfully entered their username and password to get to this point.

    What I was looking for was some sort of mechanism whereby our application
    could "transfer" the security token to the front-end exchange server running
    OWA prior to redirecting the user to it thereby eliminating the need for the
    browser to "re-authenticate". I checked out ADFS, and I'm not sure if
    that's the answer - it sounds like it was designed for a whole other
    purpose, and might be considered a tad overkill for this minor
    inconvenience...


    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > Hello Joe,
    >
    > you could use NTLM over SSL - and if IE is configured to send credentials
    > automatically - they get SSO - assuming they logged on using cached logon
    > credentials.
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    >> It sounds like he's on the public internet though and might not be
    >> able to take advantage of domain SSO as he might not be using domain
    >> member workstations or might not have access to the KDCs to get
    >> Kerberos tickets from the public internet.
    >>
    >> Otherwise, it would certainly make sense to take advantage of the
    >> built in stuff. Totally agreed there.
    >>
    >> I also wouldn't push someone into ADFS as the first solution, but it
    >> sounded like it might apply. It is not clear to me whether it works
    >> with OWA yet or not either, so that might not even be a solution. I'm
    >> guessing that it could given that other third party SSO solutions like
    >> RSA ClearTrust support OWA.
    >>
    >> Joe K.
    >>
    >> "Dominick Baier [DevelopMentor]"
    >> <> wrote in message
    >> news:...
    >>
    >>> Hello Joe,
    >>>
    >>> i am just a little reluctant to jump on that stuff right from the
    >>> start :)
    >>>
    >>> but you agree that what he's trying to reach - access to OWA without
    >>> popping up a password dialog - can also (most probably) be
    >>> accomplished by proper configuration of IIS and IE ??
    >>>
    >>> ---------------------------------------
    >>> Dominick Baier - DevelopMentor
    >>> http://www.leastprivilege.com

    >
    >
     
    Dave Slinn, Nov 22, 2005
    #10
  11. [MSFT]

    [MSFT] Guest

    As I know, there is no such way to pass a Windows security token
    from a Forms authentication web app to an OWA web application. Even if you use
    a "redirect" from the server side, it is still like sending a request to the OWA
    web app from the client side directly, and that request needs to be authenticated.

    Luke
     
    [MSFT], Nov 23, 2005
    #11
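The two points the thread ends on (Dominick's in #9: Integrated Windows Authentication gives SSO only when the browser holds a Windows logon and is configured to send credentials automatically to the OWA site; Luke's in #11: a server-side redirect changes nothing, because the browser still makes its own request to OWA and that request is authenticated on its own) can be shown as a small model of the HTTP exchange. The following is an added example, not code from any poster or from ASP.NET, IIS or Exchange. It models an ASP.NET app with Forms Authentication backed by a constructed directory lookup, an OWA front end that answers only to a Negotiate/NTLM `Authorization` header, and a browser whose automatic-logon decision is reduced to two inputs; the host names, the cookie name `.ASPXAUTH`, the account and the token string are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed sample directory; in the thread's setup this check is the
# custom Active Directory lookup behind Forms Authentication.
DIRECTORY = {"CORP\\dave": "correct horse battery"}

APP_HOST = "app.example.com"         # ASP.NET app, Forms Authentication (constructed)
OWA_HOST = "mail.example.com:8443"   # OWA front end, Integrated Windows Auth (constructed)
FORMS_COOKIE = ".ASPXAUTH"           # forms-auth ticket cookie name (constructed)

Response = Tuple[int, Dict[str, str], str]


@dataclass
class Browser:
    # Domain account the workstation is logged on as (cached logon counts), or None
    # for a machine that is not logged on to the domain, e.g. an internet cafe PC.
    windows_logon: Optional[str]
    # Hosts for which the browser is configured to send Windows credentials
    # without prompting (IE's automatic-logon setting for a zone).
    auto_logon_hosts: Set[str]
    cookies: Dict[str, Dict[str, str]] = field(default_factory=dict)  # host -> jar
    prompts: int = 0  # number of credential dialogs the user saw

    def cookie_header(self, host: str) -> str:
        # Cookies are scoped per host: the app's ticket never travels to OWA.
        return "; ".join(f"{k}={v}" for k, v in self.cookies.get(host, {}).items())


def app_server(path: str, headers: Dict[str, str], form: Optional[Dict[str, str]]) -> Response:
    """Forms Authentication: validates credentials once, then trusts its own cookie."""
    if path == "/login":
        if form and DIRECTORY.get(form["user"]) == form["password"]:
            return 302, {"Set-Cookie": f"{FORMS_COOKIE}=ticket-for-{form['user']}",
                         "Location": "/mail-link"}, ""
        return 401, {}, "bad credentials"
    if FORMS_COOKIE + "=" in headers.get("Cookie", ""):
        return 200, {}, f"<a href='https://{OWA_HOST}/exchange'>Open OWA</a>"
    return 302, {"Location": "/login"}, ""


def owa_server(path: str, headers: Dict[str, str], form: Optional[Dict[str, str]]) -> Response:
    """Integrated Windows Authentication: only Negotiate/NTLM counts; no cookie is consulted."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Negotiate ") or auth.startswith("NTLM "):
        return 200, {}, "inbox"
    return 401, {"WWW-Authenticate": "Negotiate, NTLM"}, ""


SERVERS = {APP_HOST: app_server, OWA_HOST: owa_server}


def fetch(browser: Browser, host: str, path: str,
          form: Optional[Dict[str, str]] = None, authorization: Optional[str] = None) -> Response:
    """One browser request, including the browser's reaction to a Negotiate challenge."""
    headers = {"Cookie": browser.cookie_header(host)}
    if authorization:
        headers["Authorization"] = authorization
    status, resp_headers, body = SERVERS[host](path, headers, form)
    if "Set-Cookie" in resp_headers:
        name, value = resp_headers["Set-Cookie"].split("=", 1)
        browser.cookies.setdefault(host, {})[name] = value
    if status == 401 and "Negotiate" in resp_headers.get("WWW-Authenticate", ""):
        if browser.windows_logon and host in browser.auto_logon_hosts:
            # Automatic logon: the SPNEGO/NTLM round trips are collapsed into one token string.
            token = f"Negotiate <token for {browser.windows_logon}>"
            return fetch(browser, host, path, authorization=token)
        browser.prompts += 1  # otherwise the user gets the credential dialog from the thread
        return 401, resp_headers, "credential dialog"
    return status, resp_headers, body


def open_owa_after_forms_login(browser: Browser) -> str:
    """Log in to the forms-auth app, then follow the OWA link; report what the user saw."""
    fetch(browser, APP_HOST, "/login", form={"user": "CORP\\dave", "password": "correct horse battery"})
    status, _, _ = fetch(browser, OWA_HOST, "/exchange")
    return "SSO" if status == 200 else "PROMPT"


if __name__ == "__main__":
    cafe = Browser(windows_logon=None, auto_logon_hosts=set())
    office = Browser(windows_logon="CORP\\dave", auto_logon_hosts={OWA_HOST})
    print("internet cafe PC:", open_owa_after_forms_login(cafe))      # PROMPT
    print("domain workstation:", open_owa_after_forms_login(office))  # SSO
```

Running it reproduces the thread's two cases: the internet-cafe browser holds a valid forms ticket for `app.example.com` yet is prompted by OWA, because the ticket is never sent to the other host and OWA would not read it anyway; the domain-joined workstation with automatic logon configured for the OWA host gets the inbox without a dialog. A third configuration, a domain logon but without the OWA host in the automatic-logon set, still prompts, which is Dominick's point that the IE side of the configuration matters as much as the IIS side.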
