Web Single Sign On



My network environment consists of a domain with Active Directory (Win 2003
Server). My web application sits on IIS located outside the domain. The web
application is accessible through port 80 and, without single sign on,
requires the user to enter a username/password to gain access to the web
application contents. A common identity has been constructed and stored in
LDAP (OpenLDAP; port 389 is open) located inside the domain. This common
identity is the user's username used to log on to the domain/active

To achieve single sign on, it is expected that when a user logs on to the
domain/Active Directory, he/she could access the web application (which sits
on IIS outside the domain) without having to go through the logon process
again. That means the user's credential (username) must be sent over to the
IIS, which will use it to authenticate against LDAP sitting inside the
domain. If the user is authenticated, the logon page will be bypassed,
allowing the user direct access to the web application content.

My question:

1. How can this be achieved? How does the browser know that it has to send
the user's credential (username) to the IIS?

2. Where and how does the browser get the user's credential (username in
this case), since no logon page will be prompted to the user to log on to the
web application?




Joe Kaplan

You can't do this. The way integrated Windows auth (IWA) works is that your
IIS site is configured to require IWA and sends a 401.1 response to the
browser with an instruction to authenticate via IWA (a WWW-Authenticate
header with "Negotiate" and/or "NTLM" in the header).

The browser then sees this and knows that it is allowed to send its current
Windows credentials to the server, so it does. If the server can
authenticate these credentials, then it will and will return the content the
user requested originally.

Since your server isn't in the domain, it won't understand the user's

The browser won't have any way to know to send a different set of
credentials that the server might understand, so that won't happen either.

There are other types of SSO systems available like ADFS that integrate with
IWA auth and can provide SSO like this, but ADFS doesn't do anything with
Open LDAP. There may be some other SSO products out there that do...

Joe K.
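Added example (not from the original thread, and not anybody's real product code): a toy model of the IWA round trip Joe describes, so the two questions can be answered by running it. Real IWA carries Kerberos or NTLM tokens; here the "token" is just an HMAC over the username under a secret that only domain-joined machines hold, which is enough to show why a server outside the domain cannot validate what the browser sends. The secret, host names, user name and the "intranet zone" list are all made-up assumptions. The zone check models the Internet Explorer default of sending Windows credentials automatically only to sites in the Local Intranet zone.

```python
import base64
import hashlib
import hmac

# Assumption for illustration: domain members share this secret; in real IWA
# the trust is the Kerberos KDC / NTLM pass-through, not a shared HMAC key.
DOMAIN_SECRET = b"corp-domain-trust-key"

IWA_SCHEMES = {"negotiate", "ntlm"}


def make_token(username, secret):
    """What the browser sends in the Authorization header (toy stand-in for a Kerberos/NTLM token)."""
    mac = hmac.new(secret, username.encode(), hashlib.sha256).digest()
    return base64.b64encode(username.encode() + b":" + mac).decode()


def verify_token(token, secret):
    """Return the username if the token checks out under `secret`, else None."""
    if secret is None:
        return None  # a server outside the domain has no way to check the token
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    username, sep, mac = raw.partition(b":")
    if not sep:
        return None
    expected = hmac.new(secret, username, hashlib.sha256).digest()
    return username.decode() if hmac.compare_digest(mac, expected) else None


class IisServer:
    """IIS site configured to require IWA. domain_secret is None when not domain-joined."""

    def __init__(self, host, domain_secret):
        self.host = host
        self.domain_secret = domain_secret

    def handle(self, request):
        challenge = {"status": 401, "headers": {"WWW-Authenticate": "Negotiate, NTLM"}}
        auth = request.get("Authorization")
        if auth is None:
            return challenge  # first request: no credentials yet, issue the challenge
        scheme, _, token = auth.partition(" ")
        user = verify_token(token, self.domain_secret) if scheme.lower() in IWA_SCHEMES else None
        if user is None:
            return challenge  # could not validate: ask again (the browser would then prompt)
        return {"status": 200, "body": "content for " + user}


class Browser:
    """Browser of a user logged on to the domain. Credentials are sent only when
    (a) the 401 carries an IWA scheme and (b) the host is in the Local Intranet zone."""

    def __init__(self, logged_on_user, domain_secret, intranet_hosts):
        self.user = logged_on_user
        self.domain_secret = domain_secret
        self.intranet_hosts = set(intranet_hosts)

    def fetch(self, server, path):
        resp = server.handle({"path": path})
        if resp["status"] != 401:
            return resp
        offered = {s.strip().split(" ")[0].lower()
                   for s in resp["headers"].get("WWW-Authenticate", "").split(",")}
        if not (offered & IWA_SCHEMES) or server.host not in self.intranet_hosts:
            return resp  # nothing tells the browser it may send Windows credentials here
        token = make_token(self.user, self.domain_secret)  # built from the logon session, no prompt
        return server.handle({"path": path, "Authorization": "Negotiate " + token})


def run(server_in_domain, server_in_intranet_zone=True):
    """Return the final HTTP status the user sees for one page load (constructed scenario)."""
    host = "webapp.corp.example"
    server = IisServer(host, DOMAIN_SECRET if server_in_domain else None)
    browser = Browser("alice", DOMAIN_SECRET, [host] if server_in_intranet_zone else [])
    return browser.fetch(server, "/app")["status"]


if __name__ == "__main__":
    print("domain-joined IIS:", run(True))            # 200
    print("IIS outside the domain:", run(False))      # 401
    print("host not in intranet zone:", run(True, False))  # 401
```

The browser never "gets" the username from a page: the token is built from the interactive logon session once, and only once, a 401 with Negotiate/NTLM arrives from a host the browser trusts. The out-of-domain case fails on the server side, exactly as Joe says, because the token is opaque to anything that is not part of the domain trust.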

Thanks for the information. Can Microsoft ISA Server solve such issues?


Joe Kaplan

I'm not very familiar with the capabilities of ISA, so I'd suggest you ask
someone else about that (perhaps an ISA group?).

Joe K.

