IIS/AD – Implementing single sign-on between two websites

active-directoryauthenticationhttp-basic-authenticationiis-6single-sign-on

I have two websites. One is an "intranet," one is a public site that has "admin" areas:

www.example-intranet.com
www.example.com

They are both running on the same IIS 6 box.

www.example-intranet.com is password protected. That is, in IIS I've removed "anonymous access," I've checked "Basic authentication" and I've put in our AD server for the "Default domain." This part works fine.

Now, I want to do the same for www.example.com/admin. I thought I could follow the same steps (remove "anonymous access," add "basic authentication," and add the "default domain." However, users are being forced to log in twice (once for the intranet site, and then again when they go to www.example.com/admin.

It seems like the two sites are not "sharing" the login. How do I get this to work?

Best Answer

You should try using "integrated windows authentication" instead of "basic authentication". This is by no means a full single sign-on solution, but in this case, being the two sites on the same server, it should work for you.

Related Solutions

Google Chrome – Passthrough Windows Authentication

This has been included in the stable release of Chrome 5.x as of May 2010. It works similar to Internet Explorer in that "Intranet" URLs (without dots in the address) will attempt single sign-on if requested by the server.

To enable passthrough for other domains, you need to run Chrome with an extra command line parameter:

chrome.exe --auth-server-whitelist="*example.com,*foobar.com,*baz"

Background

According to the Google Issues list for Chromium, this issue was reported in Sep 2008. The NTLM passthrough feature was apparently given to the Google Summer of Code team. It sounds like it will be worked on in Summer 2009 at the Google Summer of Code.

This is good news, and will hopefully bring some stature to Chrome's image in the enterprise. The intranet is so prevalent, and to adopt a browser is difficult without having this feature.

Basic authentication with domain accounts on Windows Server 2008

Troubleshooting permissions problems can be a challenge but at the end of the day here's what I think:

The users are able to access the directories regardless of their membership in the groups you've created because the users are members of the local users group, which has access to the directories. For the most part, permissions are cumulative and the least restrictive permissions apply except in cases of explicitly defined permissions (Allow or Deny). In order to achieve your desired restrictions you have two choices:

Do what you've already done and define an explicit Deny on the directories to the groups that you don't want to have access.
Remove permissions inheritance from the directories, remove the local users group from the permissions on the directories and define an explicit Allow on the directories to the groups that you do want to have access.

Best Answer

Related Solutions

Google Chrome – Passthrough Windows Authentication

Basic authentication with domain accounts on Windows Server 2008

Related Topic