Re: Kerberos
- From: arduk <arduk@xxxxxxxxxxxxx>
- Date: Tue, 20 Nov 2007 15:27:00 -0800
Sadly it isn't that simple - the user hasn't visited the site - they could
open up a browser straight to google, and then if they click a link in an
email that takes them to the portal, they will not be challenged.
"Ken Schaefer" wrote:
Has the user ever visited the SSO page or portal prior to clicking the link.
etc? IE will continue sending the user's credentials until either:
a) the browser window is closed
or
b) the server sends back 401 (Not Authorized)
So, if the user has ever authenticated to this resource earlier in the
session, they would not nee to authenticate again if re-using the same IE
process (iexplore.exe)
Cheers
Ken
--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
"arduk" <arduk@xxxxxxxxxxxxx> wrote in message
news:63DCB301-6415-4A6A-8858-9077EDB7688F@xxxxxxxxxxxxxxxx
Hi Ken, thanks very much for your response!
That sounds like it explains the problem, the only question that is left
unanwered is why you are not prompted if you already have a browser open
(point 2 in my original post). If you have any ideas on that, I would love
to
hear them.
Thanks again for your prompt and helpful reply!
"Ken Schaefer" wrote:
I think this KB article will answer your question:
http://support.microsoft.com/?id=258063
Basically, IE uses those security zones to work out whether to send
credentials to a server without prompting the user. Additionally, sites
that
are netbios style names (i.e. http://servername) are by default, in the
Intranet zone. Check the KB article for more details.
Cheers
Ken
--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
"arduk" <arduk@xxxxxxxxxxxxx> wrote in message
news:874CD6F9-0684-4464-90B3-D05F04FD8E87@xxxxxxxxxxxxxxxx
I have implemented Single Sign On (SSO) between windows and SAP
Enterprise
Portal (EP) - so if a user is logged into windows, they can go to our
EP
site, and EP knows who they are, and applies permissions appropriately.
I have pretty much got this working, however I have run into a couple
of
things which I can't really explain, and would be interested in hearing
why
it might be occurring:
1. If you open a browser, and then type in the address of the portal,
the
single sign on works fine
2. If you have a browser window open (on any page) and then click a
link
(eg
in an email) that takes you to the portal, the SSO works fine
3. If you close all of your browser windows, and then click a link (eg
in
an
email) that takes you to the portal, then the user is prompted to enter
their
username and password (this is a windows style login box). After they
have
entered their username and password, they are taken straight into the
portal
(ie no portal login box)
4. If you add the portal site address to either "trusted sites" or
"local
intranet" (in IE, this is in Tools->Internet Options->, then do point 3
above, you are not prompted to login. (if you go to the portal address,
it
comes up as being in the local intranet anyway, so am not sure what
this
actually achieves)
Point 3 is the issue that I don't understand - why are you prompted to
login? And what is the difference if you have a browser open or add the
site
to "local intranet"?
If anyone could help me out on this it would be greatly appreciated!
- Follow-Ups:
- Re: Kerberos
- From: Ken Schaefer
- Re: Kerberos
- References:
- Re: Kerberos
- From: Ken Schaefer
- Re: Kerberos
- From: arduk
- Re: Kerberos
- From: Ken Schaefer
- Re: Kerberos
- Prev by Date: Re: Kerberos
- Next by Date: Re: Kerberos
- Previous by thread: Re: Kerberos
- Next by thread: Re: Kerberos
- Index(es):
Relevant Pages
|
