Re: Kerberos



Has the user ever visited the SSO page or portal prior to clicking the link etc? IE will continue sending the user's credentials until either:
a) the browser window is closed
or
b) the server sends back 401 (Not Authorized)

So, if the user has ever authenticated to this resource earlier in the session, they would not nee to authenticate again if re-using the same IE process (iexplore.exe)

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken

"arduk" <arduk@xxxxxxxxxxxxx> wrote in message news:63DCB301-6415-4A6A-8858-9077EDB7688F@xxxxxxxxxxxxxxxx
Hi Ken, thanks very much for your response!

That sounds like it explains the problem, the only question that is left
unanwered is why you are not prompted if you already have a browser open
(point 2 in my original post). If you have any ideas on that, I would love to
hear them.

Thanks again for your prompt and helpful reply!



"Ken Schaefer" wrote:

I think this KB article will answer your question:
http://support.microsoft.com/?id=258063

Basically, IE uses those security zones to work out whether to send
credentials to a server without prompting the user. Additionally, sites that
are netbios style names (i.e. http://servername) are by default, in the
Intranet zone. Check the KB article for more details.

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken

"arduk" <arduk@xxxxxxxxxxxxx> wrote in message
news:874CD6F9-0684-4464-90B3-D05F04FD8E87@xxxxxxxxxxxxxxxx
>I have implemented Single Sign On (SSO) between windows and SAP >Enterprise
> Portal (EP) - so if a user is logged into windows, they can go to our > EP
> site, and EP knows who they are, and applies permissions appropriately.
>
> I have pretty much got this working, however I have run into a couple > of
> things which I can't really explain, and would be interested in hearing
> why
> it might be occurring:
>
> 1. If you open a browser, and then type in the address of the portal, > the
> single sign on works fine
> 2. If you have a browser window open (on any page) and then click a > link
> (eg
> in an email) that takes you to the portal, the SSO works fine
> 3. If you close all of your browser windows, and then click a link (eg > in
> an
> email) that takes you to the portal, then the user is prompted to enter
> their
> username and password (this is a windows style login box). After they > have
> entered their username and password, they are taken straight into the
> portal
> (ie no portal login box)
> 4. If you add the portal site address to either "trusted sites" or > "local
> intranet" (in IE, this is in Tools->Internet Options->, then do point 3
> above, you are not prompted to login. (if you go to the portal address, > it
> comes up as being in the local intranet anyway, so am not sure what > this
> actually achieves)
>
> Point 3 is the issue that I don't understand - why are you prompted to
> login? And what is the difference if you have a browser open or add the
> site
> to "local intranet"?
>
> If anyone could help me out on this it would be greatly appreciated!
>



.



Relevant Pages

  • Re: Kerberos
    ... IE uses those security zones to work out whether to send credentials to a server without prompting the user. ... If you have a browser window open and then click a link (eg ... username and password (this is a windows style login box). ...
    (microsoft.public.inetserver.iis.security)
  • Re: Kerberos
    ... credentials to a server without prompting the user. ... If you open a browser, and then type in the address of the portal, the ... If you have a browser window open and then click a link ... username and password (this is a windows style login box). ...
    (microsoft.public.inetserver.iis.security)
  • Re: Kerberos
    ... the browser window is closed ... credentials to a server without prompting the user. ... If you have a browser window open and then click a ... username and password (this is a windows style login box). ...
    (microsoft.public.inetserver.iis.security)
  • not authenticating when redirected from another page
    ... target page, it first checks to see if the user/browser is authenticated. ... the page I wanted after a successful login. ... authenticate, it sends the login page back again. ... even though I'm using the same browser window. ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: [PHP] php sessions
    ... > window and goto the web application, and it asks me to login. ... This is entirely up to the client, deciding to send a cookie or not ... when opening a new browser window. ... The problem is the php script doesn't know that the browser you ...
    (php.general)