Re: Kerberos



You will need to get a packet capture or similar to be 100% sure of what is happening here. At the same time, verify what security zone IE thinks it is in.

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken

"arduk" <arduk@xxxxxxxxxxxxx> wrote in message news:845D76FC-FB7C-471E-BBBE-AB9D8B6CCBB2@xxxxxxxxxxxxxxxx
Sadly it isn't that simple - the user hasn't visited the site - they could
open up a browser straight to google, and then if they click a link in an
email that takes them to the portal, they will not be challenged.


"Ken Schaefer" wrote:

Has the user ever visited the SSO page or portal prior to clicking the link
etc? IE will continue sending the user's credentials until either:
a) the browser window is closed
or
b) the server sends back 401 (Not Authorized)

So, if the user has ever authenticated to this resource earlier in the
session, they would not need to authenticate again if re-using the same IE
process (iexplore.exe)

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken

"arduk" <arduk@xxxxxxxxxxxxx> wrote in message
news:63DCB301-6415-4A6A-8858-9077EDB7688F@xxxxxxxxxxxxxxxx
> Hi Ken, thanks very much for your response!
>
> That sounds like it explains the problem, the only question that is left
> unanswered is why you are not prompted if you already have a browser open
> (point 2 in my original post). If you have any ideas on that, I would love to
> hear them.
>
> Thanks again for your prompt and helpful reply!
>
>
>
> "Ken Schaefer" wrote:
>
>> I think this KB article will answer your question:
>> http://support.microsoft.com/?id=258063
>>
>> Basically, IE uses those security zones to work out whether to send
>> credentials to a server without prompting the user. Additionally, sites that
>> are netbios style names (i.e. http://servername) are by default, in the
>> Intranet zone. Check the KB article for more details.
>>
>> Cheers
>> Ken
>>
>> --
>> My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
>>
>> "arduk" <arduk@xxxxxxxxxxxxx> wrote in message
>> news:874CD6F9-0684-4464-90B3-D05F04FD8E87@xxxxxxxxxxxxxxxx
>> > I have implemented Single Sign On (SSO) between windows and SAP Enterprise
>> > Portal (EP) - so if a user is logged into windows, they can go to our EP
>> > site, and EP knows who they are, and applies permissions appropriately.
>> >
>> > I have pretty much got this working, however I have run into a couple of
>> > things which I can't really explain, and would be interested in hearing why
>> > it might be occurring:
>> >
>> > 1. If you open a browser, and then type in the address of the portal, the
>> > single sign on works fine
>> > 2. If you have a browser window open (on any page) and then click a link (eg
>> > in an email) that takes you to the portal, the SSO works fine
>> > 3. If you close all of your browser windows, and then click a link (eg in an
>> > email) that takes you to the portal, then the user is prompted to enter their
>> > username and password (this is a windows style login box). After they have
>> > entered their username and password, they are taken straight into the portal
>> > (ie no portal login box)
>> > 4. If you add the portal site address to either "trusted sites" or "local
>> > intranet" (in IE, this is in Tools->Internet Options->, then do point 3
>> > above, you are not prompted to login. (if you go to the portal address, it
>> > comes up as being in the local intranet anyway, so am not sure what this
>> > actually achieves)
>> >
>> > Point 3 is the issue that I don't understand - why are you prompted to
>> > login? And what is the difference if you have a browser open or add the site
>> > to "local intranet"?
>> >
>> > If anyone could help me out on this it would be greatly appreciated!
>> >
>>
>>
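
An added example, not part of the thread: when reading the packet capture suggested above, one way to see what the browser actually did is to list each 401 challenge and classify the token in any Authorization header that follows as Kerberos or NTLM. The transcript format, the `/portal` path and both token stubs are constructed for illustration; export the HTTP headers from your own capture as plain text to use it.

```python
import base64

NTLM_SIG = b"NTLMSSP\x00"
# DER encoding of the Kerberos 5 mechanism OID 1.2.840.113554.1.2.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")

def classify_token(b64_token):
    """Return 'NTLM', 'Kerberos' or 'unknown' for a base64 auth token."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError:
        return "unknown"
    if NTLM_SIG in raw:                         # raw NTLM, or NTLM inside SPNEGO
        return "NTLM"
    if raw[:1] == b"\x60" and KRB5_OID in raw:  # GSS-API token naming krb5
        return "Kerberos"
    return "unknown"

def summarize(http_text):
    """Walk a plain-text HTTP header transcript and list each auth event."""
    events = []
    for line in http_text.splitlines():
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if line.startswith("HTTP/") and line.split()[1:2] == ["401"]:
            events.append("server: 401")
        elif name == "www-authenticate":
            events.append("server offers " + (value.split() or ["?"])[0])
        elif name == "authorization":
            scheme, _, token = value.partition(" ")
            events.append(f"client sends {scheme}/{classify_token(token)}")
    return events

# Constructed stubs: leading bytes and OIDs only, not real tickets or hashes.
KRB_STUB = base64.b64encode(
    b"\x60\x1b\x06\x06\x2b\x06\x01\x05\x05\x02" + KRB5_OID + b"\x00" * 8).decode()
NTLM_STUB = base64.b64encode(NTLM_SIG + b"\x01\x00\x00\x00").decode()

SAMPLE = f"""GET /portal HTTP/1.1

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate

GET /portal HTTP/1.1
Authorization: Negotiate {KRB_STUB}

HTTP/1.1 200 OK
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A `Negotiate/NTLM` result on a site expected to use Kerberos, or a 401 with no Authorization header on the next request, narrows down where the sign-on is failing.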


