Re: IIS 6.0: Windows authentication across virtual servers

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 02/21/04


Date: Fri, 20 Feb 2004 20:32:26 -0800

No, you're assuming many things about HTTP and authentication that are
untrue.
- HTTP is a stateless protocol (i.e. I make two requests for the same
resource -- the server will return the same response back, absent any
state).
- Authentication is state (distinction between having authenticated or not).
- State with one website has no automatic relevance to any other server even
if links traverse between them. For example, suppose one server hosts
website yyy.com and zzz.com. Does authenticating to yyy.com imply
ANYTHING to the browser about access to zzz.com? Absolutely Nothing. It
doesn't matter that yyy.com linked to zzz.com because HTTP is stateless.
- Passport and "Single Sign On" solutions usually are a variety of hacks to
pass state in the form of "cookies", where one website issues the cookie as
proof of "login" to the browser, and thereafter, the browser presents this
cookie to all other websites who accept such cookies.
- Integrated Authentication uses the TCP connection as state, so an IE that does
not pre-authenticate but does close connections between two websites will
always require a login.

In your case, you are completely depending on IE "pre-authenticating" for
you, so what are example URLs for accessing your WSS and ASP.Net websites...
because it affects whether IE will "pre-authenticate" for you or not.

-- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Michael Barrett" <mbiwj001@sneakemail.com> wrote in message
news:O79K3ks9DHA.2432@TK2MSFTNGP10.phx.gbl...
Thanks for the answer. Please see my response below.
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:ez5mdWs9DHA.3648@TK2MSFTNGP11.phx.gbl...
> If you're using Integrated authentication and both servers and users are in
> the same (or cross-trusted) domain, there shouldn't be any dialog box as IE
> will take care of the auto-logon (unless configured to not do it).
That is what I initially thought too... But apparently it does not work with
our applications.
>
> There is a big difference between IE auto-login and "Pass-thru"
> authentication.  The former is pretty implicit since you directly control
> the browser to give authentication. The latter requires the concept of
> "delegation" where you, the user, must delegate to the website (controlled
> by someone else) the ability to act as YOU (and not the website) while
> accessing another website.  Delegation is a pretty trusted operation.
Well... When I used the term "pass-thru", I guess I did not know exactly
what it meant ;-)
> So, I'm confused by your terminology of "Virtual Server" -- are you talking
> about two websites on two different physical servers, or just two different
> websites on one physical server.
I should have been more precise on this. I am talking about two different
websites on the same physical server (running Windows Server 2003 as a
domain controller).
>
> WSS and ASP.Net both have custom authentication solutions, and I think that
> they are not compatible with each other, so you want to make sure you're not
> in that case, too.
>
My thought was that if a user was authenticated on WSS (using IWA), he/she
would not have to enter username and password again when accessing another
website (on the same physical server), which also uses IWA... Does this
sound reasonable or have I overlooked something?
--
Michael Barrett
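
Added example, not part of the original thread: a toy Python model of the reply's points that Integrated Authentication state lives on the TCP connection and that a login to yyy.com implies nothing about zzz.com, even on the same physical server. The classes, the one-connection-per-hostname pool and the `silent_logon` flag (standing in for IE's automatic logon) are assumptions made for illustration.

```python
# Constructed toy model, not IIS or IE code. Assumptions: the browser keeps one
# pooled connection per hostname, and Integrated auth marks the connection
# (not the user or the browser) as authenticated.

class Connection:
    def __init__(self, host):
        self.host = host
        self.user = None            # auth state bound to this connection


class Server:
    """One physical server hosting several sites that all require login."""

    def handle(self, conn):
        return 200 if conn.user else 401


class Browser:
    def __init__(self, silent_logon, user="DOMAIN\\alice"):
        self.silent_logon = silent_logon   # stands in for IE's automatic logon
        self.user = user
        self.pool = {}                     # hostname -> open Connection
        self.prompts = 0                   # login dialogs shown to the user

    def get(self, server, host, keep_alive=True):
        conn = self.pool.get(host) or Connection(host)
        status = server.handle(conn)
        if status == 401:
            if not self.silent_logon:
                self.prompts += 1          # user has to type credentials
            conn.user = self.user          # handshake authenticates this connection
            status = server.handle(conn)
        if keep_alive:
            self.pool[host] = conn
        else:
            self.pool.pop(host, None)      # connection closed, its state is gone
        return status


def count_prompts(silent_logon):
    server, browser = Server(), Browser(silent_logon)
    browser.get(server, "yyy.com")                    # first visit: challenge
    browser.get(server, "yyy.com")                    # same connection: no challenge
    browser.get(server, "zzz.com")                    # other site, same box: challenge
    browser.get(server, "yyy.com", keep_alive=False)  # reused, then closed
    browser.get(server, "yyy.com")                    # new connection: challenge again
    return browser.prompts
```

In this model the server challenges three times in either case; whether the user sees a dialog depends only on whether the browser answers the challenge on its own.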

