Re: Kerberos
- From: arduk <arduk@xxxxxxxxxxxxx>
- Date: Tue, 20 Nov 2007 17:45:03 -0800
Hi Ken - thanks for your reply.
IE thinks that the site is in the Local Intranet zone.
I have done a packet capture, but really wasn't able to glean any
information from it (I confess I don't have many skills/experience in
actually interpreting the packets captured, so I have probably missed
something - I will go over it again)
Thanks again for the suggestions!
"Ken Schaefer" wrote:
You will need to get a packet capture or similar to be 100% sure of what is
happening here. At the same time, verify what security zone IE thinks it is
in.
Cheers
Ken
--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
"arduk" <arduk@xxxxxxxxxxxxx> wrote in message
news:845D76FC-FB7C-471E-BBBE-AB9D8B6CCBB2@xxxxxxxxxxxxxxxx
Sadly it isn't that simple - the user hasn't visited the site - they could
open up a browser straight to google, and then if they click a link in an
email that takes them to the portal, they will not be challenged.
"Ken Schaefer" wrote:
Has the user ever visited the SSO page or portal prior to clicking the link
etc? IE will continue sending the user's credentials until either:
a) the browser window is closed
or
b) the server sends back 401 (Not Authorized)
So, if the user has ever authenticated to this resource earlier in the
session, they would not need to authenticate again if re-using the same IE
process (iexplore.exe)
Cheers
Ken
--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
"arduk" <arduk@xxxxxxxxxxxxx> wrote in message
news:63DCB301-6415-4A6A-8858-9077EDB7688F@xxxxxxxxxxxxxxxx
Hi Ken, thanks very much for your response!
That sounds like it explains the problem, the only question that is left
unanswered is why you are not prompted if you already have a browser open
(point 2 in my original post). If you have any ideas on that, I would love to
hear them.
Thanks again for your prompt and helpful reply!
"Ken Schaefer" wrote:
I think this KB article will answer your question:
http://support.microsoft.com/?id=258063
Basically, IE uses those security zones to work out whether to send
credentials to a server without prompting the user. Additionally, sites that
are netbios style names (i.e. http://servername) are by default, in the
Intranet zone. Check the KB article for more details.
Cheers
Ken
--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
"arduk" <arduk@xxxxxxxxxxxxx> wrote in message
news:874CD6F9-0684-4464-90B3-D05F04FD8E87@xxxxxxxxxxxxxxxx
I have implemented Single Sign On (SSO) between Windows and SAP Enterprise
Portal (EP) - so if a user is logged into Windows, they can go to our EP
site, and EP knows who they are, and applies permissions appropriately.
I have pretty much got this working, however I have run into a couple of
things which I can't really explain, and would be interested in hearing why
it might be occurring:
1. If you open a browser, and then type in the address of the portal, the
single sign on works fine
2. If you have a browser window open (on any page) and then click a link (eg
in an email) that takes you to the portal, the SSO works fine
3. If you close all of your browser windows, and then click a link (eg in an
email) that takes you to the portal, then the user is prompted to enter their
username and password (this is a windows style login box). After they have
entered their username and password, they are taken straight into the portal
(ie no portal login box)
4. If you add the portal site address to either "trusted sites" or "local
intranet" (in IE, this is in Tools->Internet Options->, then do point 3
above, you are not prompted to login. (if you go to the portal address, it
comes up as being in the local intranet anyway, so am not sure what this
actually achieves)
Point 3 is the issue that I don't understand - why are you prompted to
login? And what is the difference if you have a browser open or add the site
to "local intranet"?
If anyone could help me out on this it would be greatly appreciated!
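For reading a packet capture like the one suggested in this thread, here is an added example (not part of any poster's message) that labels each HTTP message in a header trace and decodes the `Authorization` token to tell Kerberos from NTLM. The trace, the `/portal` path and both tokens are constructed for illustration, and the token check is a heuristic on leading bytes and mechanism OIDs, not a full ASN.1 parse.

```python
import base64

# DER-encoded mechanism OIDs that appear inside GSS-API/SPNEGO tokens.
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
NTLM_SIG = b"NTLMSSP\x00"

def classify_token(b64):
    """Heuristically name the mechanism carried by a base64 auth token."""
    raw = base64.b64decode(b64)
    if NTLM_SIG in raw:
        # The NTLM message type is the little-endian uint32 after the signature.
        off = raw.index(NTLM_SIG) + len(NTLM_SIG)
        mtype = int.from_bytes(raw[off:off + 4], "little")
        prefix = "" if raw.startswith(NTLM_SIG) else "SPNEGO-wrapped "
        return f"{prefix}NTLM type {mtype}"
    # 0x60 is the GSS-API initial-token tag; a Kerberos OID names the mechanism.
    if raw[:1] == b"\x60" and (OID_KRB5 in raw or OID_MS_KRB5 in raw):
        return "Kerberos"
    return "unknown"

def summarize(lines):
    """Return one label per HTTP message found in captured header lines."""
    out = []
    for line in lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if line.startswith(("GET ", "POST ")):
            out.append("request: no credentials")
        elif line.startswith("HTTP/"):
            out.append("response: " + line.split()[1])
        elif name == "authorization" and out:
            scheme, _, token = value.partition(" ")
            out[-1] = f"request: {scheme} {classify_token(token)}"
        elif name == "www-authenticate" and value and out:
            out[-1] += " offers " + value.split()[0]
    return out

def encode(raw):
    return base64.b64encode(raw).decode()

# Constructed sample data: header bytes only, not real tickets or hashes.
KRB_TOKEN = encode(bytes.fromhex("6082010006062b0601050502a00d300b") + OID_MS_KRB5 + bytes(16))
NTLM_TOKEN = encode(NTLM_SIG + (1).to_bytes(4, "little") + bytes.fromhex("078208a2"))
SAMPLE = ["GET /portal HTTP/1.1", "HTTP/1.1 401 Unauthorized",
          "WWW-Authenticate: Negotiate", "GET /portal HTTP/1.1",
          "Authorization: Negotiate " + KRB_TOKEN, "HTTP/1.1 200 OK"]

if __name__ == "__main__":
    for label in summarize(SAMPLE):
        print(label)
```

A `request: Negotiate NTLM type 1` label after the 401 would mean the Negotiate exchange carried NTLM instead of a Kerberos ticket.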