Re: Transfer authentication token - how to single sign-on
From: Dave Slinn (CougarDave_at_noemail.noemail)
Date: 11/22/05
- Previous message: Brock Allen: "Re: Default Authentication Ticket Expiration"
- In reply to: Dominick Baier [DevelopMentor]: "Re: Transfer authentication token - how to single sign-on"
- Next in thread: [MSFT]: "Re: Transfer authentication token - how to single sign-on"
- Reply: [MSFT]: "Re: Transfer authentication token - how to single sign-on"
Date: Mon, 21 Nov 2005 21:16:12 -0600
Hey guys - I totally appreciate all the help and the discussion regarding my
issue. Joe's right - the users hitting the site are not necessarily running
on PCs that are members of our domain. For all I know, they could be at
some internet cafe in Japan, so I have no control over the browser, let
alone the settings of it.
All I know for sure is that they have authenticated themselves with our
ASP.NET application, and we have authorized them access to a page that
contains a link to their Outlook Web Access email (running on a different
port on a different server behind our firewall). Right now, when they click
that link, the browser dialog appears asking for their username and
password, and this is confusing some of our users because they have already
successfully entered their username and password to get to this point.
What I was looking for was some sort of mechanism whereby our application
could "transfer" the security token to the front-end Exchange server running
OWA prior to redirecting the user to it, thereby eliminating the need for the
browser to "re-authenticate". I checked out ADFS, and I'm not sure if
that's the answer - it sounds like it was designed for a whole other
purpose, and might be considered a tad overkill for this minor
inconvenience...
"Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
wrote in message news:4580be6313cc618c7b85d4178a912@news.microsoft.com...
> Hello Joe,
>
> You could use NTLM over SSL - and if IE is configured to send credentials
> automatically - they get SSO - assuming they logged on using cached logon
> credentials.
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>> It sounds like he's on the public internet though and might not be
>> able to take advantage of domain SSO as he might not be using domain
>> member workstations or might not have access to the KDCs to get
>> Kerberos tickets from the public internet.
>>
>> Otherwise, it would certainly make sense to take advantage of the
>> built in stuff. Totally agreed there.
>>
>> I also wouldn't push someone into ADFS as the first solution, but it
>> sounded like it might apply. It is not clear to me whether it works
>> with OWA yet or not either, so that might not even be a solution. I'm
>> guessing that it could given that other third party SSO solutions like
>> RSA ClearTrust support OWA.
>>
>> Joe K.
>>
>> "Dominick Baier [DevelopMentor]"
>> <dbaier@pleasepleasenospamdevelop.com> wrote in message
>> news:4580be6313c73a8c7b8413f80a0cd@news.microsoft.com...
>>
>>> Hello Joe,
>>>
>>> I am just a little reluctant to jump on that stuff right from the
>>> start :)
>>>
>>> but you agree that what he's trying to reach - access to OWA without
>>> popping up a password dialog - can also (most probably) be
>>> accomplished by proper configuration of IIS and IE ??
>>>
>>> ---------------------------------------
>>> Dominick Baier - DevelopMentor
>>> http://www.leastprivilege.com
>
>