Transfer authentication token - how to single sign-on


Dave Slinn

We have an ASP.NET app that uses Forms Authentication, but we wrote the
authentication piece to query Active Directory for credentials approval.
This is all working fine, but what I would like to do is provide a link from
our ASP.NET app to an Outlook Web Access server. When I do this,
however, the Integrated Windows Authentication of OWA prompts the user for
their password again. Is there any way to "pass" the approved Windows
security token from our application to the Exchange server running OWA so
the user is not prompted for their password if they have already authorized
themselves to us? (Basically, how do you accomplish single sign-on with a
Microsoft network... all users will be kept in a Windows 2003 Active
Directory domain).

- Thanks, Dave
 

Dominick Baier [DevelopMentor]

Hello Dave,

First of all - no, you cannot do that.

But why does OWA prompt for credentials?? aren't your users domain users?
SSO should work out of the box ??!!
 
Joe Kaplan (MVP - ADSI)

Note that with Windows Server R2 and the new single sign on features in the
Federated Identity system, you might be able to build something like this.
It would depend on whether the new system supports OWA yet and you were
willing to use the Federated identity system with your web app instead of
the ASP.NET forms auth you implemented.

Note that Dominick is absolutely right here in general.

Joe K.
 
Dave Slinn

I will investigate the Federated Identity system you indicated.

The reason OWA prompts for credentials is because the users are hitting this
server from the Internet. Even though they are domain users, they haven't
"logged on" to the network.
 
Dominick Baier [DevelopMentor]

Hello Dave,

the federated ID stuff is not even released...

If the OWA server uses Integrated Auth - and you configure IE to send credentials
automatically to the OWA site, you will not get the password dialog.
 
Joe Kaplan (MVP - ADSI)

It is definitely true that the federated stuff is not released yet, but R2
will likely ship before he even has time to get a test setup working. It is
not very far off at this point.

If it makes sense for his deployment, I think it is definitely worth looking
at.

Joe K.
 

Dominick Baier [DevelopMentor]

Hello Joe,

I am just a little reluctant to jump on that stuff right from the start :)

but you agree that what he's trying to reach - access to OWA without popping
up a password dialog - can also (most probably) be accomplished by proper
configuration of IIS and IE ??
 
Joe Kaplan (MVP - ADSI)

It sounds like he's on the public internet though and might not be able to
take advantage of domain SSO as he might not be using domain member
workstations or might not have access to the KDCs to get Kerberos tickets
from the public internet.

Otherwise, it would certainly make sense to take advantage of the built in
stuff. Totally agreed there.

I also wouldn't push someone into ADFS as the first solution, but it sounded
like it might apply. It is not clear to me whether it works with OWA yet or
not either, so that might not even be a solution. I'm guessing that it
could given that other third party SSO solutions like RSA ClearTrust support
OWA.

Joe K.
 
Dominick Baier [DevelopMentor]

Hello Joe,

you could use NTLM over SSL - and if IE is configured to send credentials
automatically - they get SSO - assuming they logged on using cached logon
credentials.
 
Dave Slinn

Hey guys - I totally appreciate all the help and the discussion regarding my
issue. Joe's right - the users hitting the site are not necessarily running
on PCs that are members of our domain. For all I know, they could be at
some internet cafe in Japan, so I have no control over the browser, let
alone the settings of it.

All I know for sure is that they have authenticated themselves with our
ASP.NET application, and we have authorized them access to a page that
contains a link to their Outlook Web Access email (running on a different
port on a different server behind our firewall). Right now, when they click
that link, the browser dialog appears asking for their username and
password, and this is confusing some of our users because they have already
successfully entered their username and password to get to this point.

What I was looking for was some sort of mechanism whereby our application
could "transfer" the security token to the front-end exchange server running
OWA prior to redirecting the user to it thereby eliminating the need for the
browser to "re-authenticate". I checked out ADFS, and I'm not sure if
that's the answer - it sounds like it was designed for a whole other
purpose, and might be considered a tad overkill for this minor
inconvenience...
 

[MSFT]

As far as I know, there is no such way to pass a Windows security token
from a Forms authentication web app to an OWA web application. Even if you use
a "redirect" from the server side, it is still like sending a request to the OWA
web app from the client side directly, and that request needs to be authenticated.

Luke
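Luke's point, shown as an added illustration that is not part of the thread: two constructed local stand-ins (a Forms-Auth style app whose mail link is a redirect, and an OWA-like endpoint that demands Integrated Windows Authentication) demonstrate that the redirected request reaches the second host with no credentials and receives a 401 Negotiate/NTLM challenge, which is exactly what makes the browser show its password dialog. The host addresses, ports, cookie name and paths are all constructed for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

class AppHandler(BaseHTTPRequestHandler):
    # Constructed stand-in for the Forms-Auth app: the OWA link is just a redirect.
    owa_url = ""  # filled in once the OWA stand-in below has a port
    def do_GET(self):
        self.send_response(302)
        self.send_header("Set-Cookie", ".ASPXAUTH=constructed-ticket; Path=/")
        self.send_header("Location", self.owa_url)
        self.end_headers()
    def log_message(self, *args):
        pass  # keep the demo quiet

class OwaHandler(AppHandler):
    # Constructed OWA stand-in with Integrated Windows Auth: no Authorization -> 401.
    def do_GET(self):
        authed = self.headers.get("Authorization") is not None
        self.send_response(200 if authed else 401)
        if not authed:  # the challenge that makes the browser pop its dialog
            self.send_header("WWW-Authenticate", "Negotiate")
            self.send_header("WWW-Authenticate", "NTLM")
        self.end_headers()

def serve(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)  # ephemeral port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def follow_mail_link():
    owa = serve(OwaHandler)
    AppHandler.owa_url = "http://127.0.0.1:%d/owa/" % owa.server_address[1]
    app = serve(AppHandler)
    try:
        conn = http.client.HTTPConnection(*app.server_address)
        conn.request("GET", "/mail")  # the user clicks the OWA link on the app
        resp = conn.getresponse()
        location, cookie = resp.getheader("Location"), resp.getheader("Set-Cookie")
        # The ticket cookie is scoped to the app's host, so a browser would not send
        # it to OWA: the redirected request carries no credentials at all.
        target = urlsplit(location)
        conn = http.client.HTTPConnection(target.hostname, target.port)
        conn.request("GET", target.path)
        owa_resp = conn.getresponse()
        challenges = owa_resp.headers.get_all("WWW-Authenticate") or []
        return {"app_cookie": cookie, "owa_status": owa_resp.status, "challenges": challenges}
    finally:
        app.shutdown(); owa.shutdown()
```

Calling `follow_mail_link()` returns the app's ticket cookie alongside the 401 status and the Negotiate/NTLM challenges from the OWA stand-in, making it visible that the first login never reaches the second server.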
 