Transfer authentication token - how to single sign-on

Discussion in 'ASP .Net Security' started by Dave Slinn, Nov 13, 2005.

  1. Dave Slinn

    We have an ASP.NET app that uses Forms Authentication, but we wrote the
    authentication piece to query Active Directory for credentials approval.
    This is all working fine, but what I would like to do is provide a link
    from our app to an Outlook Web Access server. When I do this,
    however, the Integrated Windows Authentication of OWA prompts the user for
    their password again. Is there any way to "pass" the approved Windows
    security token from our application to the Exchange server running OWA so
    the user is not prompted for their password if they have already authorized
    themselves to us? (Basically, how do you accomplish single sign-on with a
    Microsoft network... all users will be kept in a Windows 2003 Active
    Directory domain).

    - Thanks, Dave
    Dave Slinn, Nov 13, 2005
  2. Hello Dave,

    First of all - no, you cannot do that.

    But why does OWA prompt for credentials?? Aren't your users domain users?
    SSO should work out of the box ??!!
    Dominick Baier [DevelopMentor], Nov 13, 2005
  3. Note that with Windows Server R2 and the new single sign on features in the
    Federated Identity system, you might be able to build something like this.
    It would depend on whether the new system supports OWA yet and you were
    willing to use the Federated identity system with your web app instead of
    the ASP.NET forms auth you implemented.

    Note that Dominick is absolutely right here in general.

    Joe K.
    Joe Kaplan \(MVP - ADSI\), Nov 14, 2005
  4. Dave Slinn

    I will investigate the Federated Identity system you indicated.

    The reason OWA prompts for credentials is because the users are hitting this
    server from the Internet. Even though they are domain users, they haven't
    "logged on" to the network.
    Dave Slinn, Nov 15, 2005
  5. Hello Dave,

    The federated ID stuff is not even released...

    If the OWA server uses Integrated Auth - and you configure IE to send credentials
    automatically to the OWA site - you will not get the password dialog.
    Dominick Baier [DevelopMentor], Nov 15, 2005
  6. It is definitely true that the federated stuff is not released yet, but R2
    will likely ship before he even has time to get a test setup working. It is
    not very far off at this point.

    If it makes sense for his deployment, I think it is definitely worth looking

    Joe K.
    Joe Kaplan \(MVP - ADSI\), Nov 15, 2005
  7. Hello Joe,

    I am just a little reluctant to jump on that stuff right from the start :)

    But you agree that what he's trying to reach - access to OWA without popping
    up a password dialog - can also (most probably) be accomplished by proper
    configuration of IIS and IE ??
    Dominick Baier [DevelopMentor], Nov 15, 2005
  8. It sounds like he's on the public internet though and might not be able to
    take advantage of domain SSO as he might not be using domain member
    workstations or might not have access to the KDCs to get Kerberos tickets
    from the public internet.

    Otherwise, it would certainly make sense to take advantage of the built in
    stuff. Totally agreed there.

    I also wouldn't push someone into ADFS as the first solution, but it sounded
    like it might apply. It is not clear to me whether it works with OWA yet or
    not either, so that might not even be a solution. I'm guessing that it
    could given that other third party SSO solutions like RSA ClearTrust support

    Joe K.
    Joe Kaplan \(MVP - ADSI\), Nov 15, 2005
  9. Hello Joe,

    You could use NTLM over SSL - and if IE is configured to send credentials
    automatically - they get SSO - assuming they logged on using cached logon
    Dominick Baier [DevelopMentor], Nov 15, 2005
  10. Dave Slinn

    Hey guys - I totally appreciate all the help and the discussion regarding my
    issue. Joe's right - the users hitting the site are not necessarily running
    on PCs that are members of our domain. For all I know, they could be at
    some internet cafe in Japan, so I have no control over the browser, let
    alone the settings of it.

    All I know for sure is that they have authenticated themselves with our
    ASP.NET application, and we have authorized them access to a page that
    contains a link to their Outlook Web Access email (running on a different
    port on a different server behind our firewall). Right now, when they click
    that link, the browser dialog appears asking for their username and
    password, and this is confusing some of our users because they have already
    successfully entered their username and password to get to this point.

    What I was looking for was some sort of mechanism whereby our application
    could "transfer" the security token to the front-end exchange server running
    OWA prior to redirecting the user to it, thereby eliminating the need for the
    browser to "re-authenticate". I checked out ADFS, and I'm not sure if
    that's the answer - it sounds like it was designed for a whole other
    purpose, and might be considered a tad overkill for this minor
    Dave Slinn, Nov 22, 2005
  11. [MSFT]

    As far as I know, there is no such a way which can pass a Windows security token
    from a Forms authentication web app to an OWA web application. Even if you use
    "redirect" from the server side, it is still like you send a request to the OWA
    web app from the client side directly, and the request needs to be authenticated.

    [MSFT], Nov 23, 2005