Solved

Avoid second login request IIS7

Posted on 2014-04-15
Last Modified: 2014-04-20
I have an IIS server on Win2008R2 behind a router, set up to accept remote and intranet access including Outlook Web Access (OWA).

All works fine and an authentication prompt occurs upon first access from browser (both http and https).
This then displays a basic menu page (default website port 80/443) with links to other websites/applications hosted on the same IIS server on different ports. Some are in different AppPools but all use the same integrated pipeline mode and Identity.

But attempting to open the linked site throws another login request. Enter the same credentials and the site opens correctly, including OWA.
"Windows Authentication" is the only type enabled for the relevant sites in IIS. Providers are NTLM and Negotiate, in that order, for all sites.

Not a big deal from a browser with a keyboard, but users are complaining when using tablet or phone browsers due to the typing requirement.

'Default Website' is in DefaultAppPool, http:80 / https:443
'Content' is in ASP.NET v4 Default, https: *.4438

Both https certificates are the same GoDaddy certificate, valid till 2016.

Any hints to try? Can't do anything too fancy in testing as all sites are live and working...
0
Question by:Robberbaron (robr)
7 Comments
 
LVL 76

Expert Comment

by:arnold
ID: 40003060
Credential prompts occur when site boundaries are crossed, i.e. virtual directories will each prompt for credentials.
HTTP is not HTTPS.

You seem to be using the HTTP authentication method, which only works down the path, i.e. http://somesite.com/home/base/destination, as long as none of them are virtual.

One option is to allow anonymous access to http that will automatically redirect to https thus having a single sign on that is secured by way of encryption/certificate.
0
 
LVL 32

Author Comment

by:Robberbaron (robr)
ID: 40003358
OK. Now I know what to look for. Investigation shows that the first access is to HTTP, which is secured by password. Not sure how the prompt triggers?

First page is at http://remote.mysite.com (real address hidden to protect the guilty). https://remote.mysite.com redirects to this after login, opposite to your suggestion.

All menu items that are http links AND sub pages of the first one, e.g. http://remote.mysite.com/way, work without a prompt as you indicated.

Any others such as http://mail.mysite.com/owa or https://remote.mysite.com:4438/jobprocess/ require a second prompt.

Can you explain a little more what is required to implement your suggested methodology?
0
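The pattern reported in the comment above matches how browsers scope cached HTTP-authentication credentials: by scheme, host and port (the protection space of RFC 7235, with the realm left out here). The following is an added example, not part of the original thread; `authScope` and `predictPrompts` are hypothetical helper names, and the URLs are the poster's placeholder addresses plus one constructed variant.

```javascript
// Added example: group links by the scope a browser uses for cached
// HTTP-authentication credentials (scheme + host + port).
// Assumption: the realm is not modelled.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function authScope(rawUrl) {
  const u = new URL(rawUrl);
  if (!(u.protocol in DEFAULT_PORTS)) {
    throw new Error(`not an http(s) URL: ${rawUrl}`);
  }
  // URL lowercases the host and drops a default port, so fill the port back in.
  const port = u.port || DEFAULT_PORTS[u.protocol];
  return `${u.protocol}//${u.hostname}:${port}`;
}

// For each link, report whether it falls outside every scope already
// authenticated during this browsing session (starting with the entry page).
function predictPrompts(entryUrl, links) {
  const seen = new Set([authScope(entryUrl)]);
  return links.map((link) => {
    const scope = authScope(link);
    const newPrompt = !seen.has(scope);
    seen.add(scope);
    return { link, scope, newPrompt };
  });
}

// URLs as given in the thread (host names are the poster's placeholders).
const ENTRY = "http://remote.mysite.com";
const MENU_LINKS = [
  "http://remote.mysite.com/way",
  "http://REMOTE.mysite.com:80/way/sub", // constructed: same scope, written differently
  "http://mail.mysite.com/owa",
  "https://remote.mysite.com:4438/jobprocess/",
  "https://remote.mysite.com/",
];

for (const r of predictPrompts(ENTRY, MENU_LINKS)) {
  console.log(`${r.newPrompt ? "PROMPT" : "reuse "}  ${r.scope}  <-  ${r.link}`);
}
```

Only the two links under http://remote.mysite.com reuse the first login; a different host, a different port, or a switch from http to https each counts as a new scope.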
 
LVL 76

Expert Comment

by:arnold
ID: 40003843
You can set up a site that responds to http://remote.mysite.com that has no content where, instead of indicating where the files are, you would set a URL redirection that will point to https://remote.mysite.com with security settings.

The likely issue is on the security setting, where you likely have anonymous access unchecked (default iusr account is not set for the site).

As long as you use IIS HTTP authentication and apps that you do not control, credential prompts cannot be reduced.

If you have your own managed/written site, building authentication into your app will mean you will control access and rights and can have a single sign-on through use of cookies, database, and session cookies.
0

 
LVL 32

Author Comment

by:Robberbaron (robr)
ID: 40005452
Thanks, slowly making sense.
1. I have implemented the primary menu site as https with SSL required to test. Only WinAuth is accepted. Credential prompt fires as expected. Direct descendant pages that are https load as desired (but not http links, but that can be changed).

2. I can understand that OWA will not accept this credential, as it is set as Forms Based authentication, I believe. Users will just have to live with it.

3. The current https://remote.mysite.com:4438/jobprocess/ is of our making and uses WinAuth only as well. It is our intranet site using http with host header, but has been set up to access via port# as well.
But how do we change it to access the cookie or whatever authentication is provided for the primary 'menu site'?
0
 
LVL 76

Accepted Solution

by:
arnold earned 500 total points
ID: 40005636
If you are relying on IIS for authentication, you cannot, as each is seen as different.
You can only control whether credential input is required if your application is the one performing the authentication, i.e. you have a form for username/password that is displayed to users.

Also, the port spec means that as far as IIS config is concerned these are separate sites.
0
 
LVL 76

Expert Comment

by:arnold
ID: 40005656
Discusses the authentication options.
http://technet.microsoft.com/en-us/library/cc753252(v=ws.10).aspx

This option covers the possibility for single signon.
0
 
LVL 32

Author Closing Comment

by:Robberbaron (robr)
ID: 40011840
Will see if I can change the internal website to forms based.
0
