Re: Single Sign-On for a group of IIS 5.1 websites
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 09/25/05
Date: Sun, 25 Sep 2005 14:44:38 -0700
Basically, you achieve SSO behavior by either:

1. Client-side SSO: Web browser auto-logins to various websites using the same credential (hard because this is non-standard behavior)
2. Server-side SSO: Use authentication protocol and server configuration that supports SSO

Your current authentication protocol and server configuration do not support SSO. You have two choices:

1. You can fake it by writing code on the server to implement "SSO-like behavior", but it is really not going to be secure since you are using Basic Authentication, which implicitly delegates user credentials to the server (I'm not even talking about the plain-text password that is encrypted with SSL -- I'm talking about the fact that the server has your user credentials and can do stuff with them that you do not authorize, such as withdraw money from your bank account).
2. Use open, standards-based support for SSO, like Kerberos+Active Directory, which take care of a lot of other security issues you haven't even thought of.

In short, SSO cannot happen unless the servers trust each other, and that happens either with Windows Domain + Kerberos, or you write your own custom version of Domain+Kerberos to establish the "trust" ad-hoc, but your version will most likely have shortcuts and security vulnerabilities that you do not know about.
Here are some blog entries that explain what is going on:
http://blogs.msdn.com/david.wang/archive/2005/07/06/SSO_ISAPI_Considerations_2.aspx
http://blogs.msdn.com/david.wang/archive/2005/08/29/HOWTO_Protect_non_dotNET_content.aspx
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Nicholas Wang" <wang740@nospam.nospam> wrote in message news:7C8D68EC-9C73-4287-AACA-E78218EB4D45@microsoft.com...

Hi, I have a group of websites written in ASP and hosted using IIS 5.1 on a Windows 2000 server. These websites are all set to "Basic Authentication", and all the users are NT domain users. The problem is that users have to type in their domain userid/password several times in order to access all the information from all the websites. The question is, besides letting the user add all the websites to trusted websites, is there a way to let these sites trust each other, so that when a user logs in to any of the websites, it will automatically log into the rest of the sites as well?

Thanks
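An added illustration of the credential-delegation point above (example code, not part of the original thread): it parses an HTTP Authorization header the way any server-side code could, showing that Basic hands the server the reusable domain password while Negotiate/NTLM hand over only a token. The domain credential and the Negotiate token are constructed placeholders.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import Optional

@dataclass
class ServerView:
    """What server-side code can extract from one Authorization header."""
    scheme: str
    username: Optional[str] = None      # recoverable only for Basic
    password: Optional[str] = None      # recoverable only for Basic
    opaque_token: Optional[str] = None  # Negotiate/NTLM: token, no plaintext password

def what_the_server_learns(authorization: str) -> ServerView:
    """Parse the header exactly as any code on the server (an ASP page, an
    ISAPI filter) could. Basic yields the reusable domain password by a plain
    decode; Negotiate/NTLM yield a token that carries no plaintext password."""
    scheme, _, value = authorization.strip().partition(" ")
    value = value.strip()
    if scheme.lower() == "basic":
        try:
            raw = base64.b64decode(value, validate=True).decode("latin-1")
        except binascii.Error as exc:
            raise ValueError("malformed Basic credential") from exc
        if ":" not in raw:
            raise ValueError("Basic credential lacks the user:password separator")
        # Split on the FIRST colon only: the password itself may contain ':'.
        user, _, pwd = raw.partition(":")
        return ServerView("Basic", username=user, password=pwd)
    if scheme.lower() in ("negotiate", "ntlm"):
        return ServerView(scheme, opaque_token=value)
    raise ValueError(f"unsupported scheme {scheme!r}")

def delegates_reusable_credential(view: ServerView) -> bool:
    """True when the server now holds something it could reuse as the user
    against other systems, which is the risk David describes for Basic + SSL."""
    return view.password is not None

# Constructed sample traffic (no real accounts). SSL does not change what the
# server decodes; it only hides the header from the network.
SAMPLE_BASIC_HEADER = "Basic " + base64.b64encode(
    b"CONTOSO\\alice:Summer2005!").decode("ascii")
SAMPLE_NEGOTIATE_HEADER = "Negotiate YIIBxwYGKwYBBQUCoIIBuzCCAbeg"  # placeholder token

if __name__ == "__main__":
    for hdr in (SAMPLE_BASIC_HEADER, SAMPLE_NEGOTIATE_HEADER):
        view = what_the_server_learns(hdr)
        print(view.scheme, "password held by server:", delegates_reusable_credential(view))
```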