Re: Single SignOn and Integrated Windows Authentication
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 07/25/05
Date: Mon, 25 Jul 2005 14:18:32 -0700
http://blogs.msdn.com/david.wang/archive/2005/07/06/SSO_ISAPI_Considerations_2.aspx
In the terminology of the blog entry -- you basically want a trusted
translator of the pre-authenticated tickets in one fiefdom into NT user
tokens in your ASP web application's fiefdom. The translator is the border
guard on the ASP web application's side of the fence.
Since Integrated authentication is secured against such a security attack,
this is not practically possible.
I suggest Kerberos because it is a widely used standard that IIS/Windows
already supports through Integrated authentication. Otherwise, you will have
to write your own authentication protocol or use someone else's custom
authentication protocol for SSO.
Trying to integrate multiple authentication protocols to achieve SSO is not
secure, by definition.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"laxmikanth" <alkreddy@hotmail.com> wrote in message
news:eH0nTTVkFHA.3144@TK2MSFTNGP12.phx.gbl...
Hello,
We have an ASP based web application running on IIS5.0 that relies on
Integrated Windows Authentication for Authentication. This essentially means
we do not have a user management of our own in the application. However, we
have simple role based authorization module based on User identity (or
windows USERID).
We are now looking at options to implement Single SignOn for this
application and we want to accomplish this with minimal or no changes to the
application. Within the SSO framework, this app should be in a position to
accept pre-authenticated tickets from external providers and bypass IIS
authentication requirements.
Is this practically possible? Did someone address similar requirements in the
past? What would be a good place for me to start in terms of reading the
relevant literature?
Any help would be greatly appreciated.
thanks,