Robberbaron (robr) asked:

Avoid second login request IIS7

I have an IIS server on Win2008R2 behind a router, set up to accept remote and intranet access including Outlook Web Access (OWA).

All works fine and an authentication prompt occurs upon first access from a browser (both http and https).
This then displays a basic menu page (default website port 80/443) with links to other websites/applications hosted on the same IIS server on different ports. Some are in different AppPools but all use the same integrated pipeline mode and Identity.

But attempting to open the linked site throws another login request. Enter the same credentials and the site opens correctly. Including OWA.
"Windows Authentication" is the only type enabled for the relevant sites in IIS. Providers are NTLM and Negotiate, in that order, for all sites.

Not a big deal from a browser with a keyboard, but users are complaining when using tablet or phone browsers due to the typing requirement.

'Default Website' is in DefaultAppPool   http:80 /  https:443
'Content' is in ASP.NET v4 Default,  https:  *.4438  

Both https certificates are the same GoDaddy one, valid till 2016.

Any hints to try? Can't do anything too fancy in testing, as all sites are live and working...
arnold

Credential prompts occur when site boundaries are crossed, i.e. virtual directories will each prompt for credentials.
HTTP is not HTTPS.

You seem to be using the HTTP authentication method, which only works down the path, i.e. http://somesite.com/home/base/destination, as long as none of them are virtual.

One option is to allow anonymous access to HTTP that will automatically redirect to HTTPS, thus having a single sign-on that is secured by way of encryption/certificate.
Robberbaron (robr)

ASKER

OK. Now I know what to look for. Investigation shows that the first access is to HTTP, which is secured by password. Not sure how the prompt triggers??

The first page is at http://remote.mysite.com (real address hidden to protect the guilty). https://remote.mysite.com redirects to this after login, opposite to your suggestion.

All menu items that are http links AND sub pages of the first one, e.g. http://remote.mysite.com/way, work without a prompt as you indicated.

Any others, such as http://mail.mysite.com/owa or https://remote.mysite.com:4438/jobprocess/, require a second prompt.

Can you explain a little more what is required to implement your suggested methodology?
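
The pattern reported above (same-host http sub pages load silently, other hosts, schemes and ports prompt again) can be checked against a list of menu links. This is an added example, not part of the original thread; it assumes the browser reuses HTTP-auth credentials only within one scheme + host + port, and the function names are hypothetical.

```javascript
// Added example: flag menu links that leave the credential boundary of the menu page.
// Assumption: credentials are reused only when scheme, host and port all match.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the three components that define the boundary.
function protectionSpace(rawUrl) {
  const u = new URL(rawUrl);
  return {
    scheme: u.protocol,
    host: u.hostname,
    // URL.port is "" when the scheme's default port is used, so fill it in.
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Return the list of components that differ between two URLs.
function crossings(fromUrl, toUrl) {
  const a = protectionSpace(fromUrl);
  const b = protectionSpace(toUrl);
  return ["scheme", "host", "port"].filter((k) => a[k] !== b[k]);
}

// For each link, report whether a new prompt is expected and why.
function auditLinks(menuUrl, links) {
  return links.map((link) => {
    const differs = crossings(menuUrl, link);
    return { link, prompts: differs.length > 0, differs };
  });
}

// URLs as written in the thread (the hostnames are the poster's placeholders).
const MENU = "http://remote.mysite.com";
const LINKS = [
  "http://remote.mysite.com/way",
  "http://mail.mysite.com/owa",
  "https://remote.mysite.com:4438/jobprocess/",
  "https://remote.mysite.com",
];

for (const r of auditLinks(MENU, LINKS)) {
  console.log(r.prompts ? "PROMPT" : "reuse ", r.link, r.differs.join("+"));
}
```

Links reported as `reuse` stay inside the menu page's boundary; every other link names the component that has to be aligned (or the site moved under the menu host) to avoid the extra prompt.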

You can set up a site that responds to http://remote.mysite.com that has no content, where instead of indicating where the files are, you would set a URL redirection that will point to https://remote.mysite.com with security settings.

The likely issue is on the security setting, where you likely have anonymous access unchecked (default iusr account is not set for the site).

As long as you use IIS HTTP authentication and apps that you do not control, credential prompts cannot be reduced.

If you have your own managed/written site, building authentication into your app will mean you will control access and rights and can have a single sign-on through use of cookies, database, and session cookies.

Thanks, slowly making sense.
1. I have implemented the primary menu site as https with SSL required, to test. Only WinAuth is accepted. Credential prompt fires as expected. Direct descendant pages that are https load as desired (but not http links, but that can be changed).

2. I can understand that OWA will not accept this credential, as it is set as Forms Based authentication, I believe. Users will just have to live with it.

3. The current https://remote.mysite.com:4438/jobprocess/ is of our making and uses WinAuth only as well. It is our intranet site using http with host header, but has been set up to access via port# as well.
But how do we change it to access the cookie or whatever authentication is provided for the primary 'menu site'?

ASKER CERTIFIED SOLUTION
arnold

Discusses the authentication options.
http://technet.microsoft.com/en-us/library/cc753252(v=ws.10).aspx

This option covers the possibility for single sign-on.

Will see if I can change the internal website to forms based.