Solved

Avoid second login request IIS7

Posted on 2014-04-15
Last Modified: 2014-04-20
I have an IIS server on Win2008R2 behind a router, set up to accept remote and intranet access including Outlook Web Access (OWA).

All works fine and an authentication prompt occurs upon first access from a browser (both http and https).
This then displays a basic menu page (default website port 80/443) with links to other websites/applications hosted on the same IIS server on different ports. Some are in different AppPools but all use the same integrated pipeline mode and Identity.

But attempting to open the linked site throws another Login request. Enter the same credentials and the site opens correctly. Including OWA.  
"Windows Authentication" is the only type enabled for the relevant sites in IIS.  Providers are NTLM and Negotiate, in that order for all sites.

Not a big deal from a browser with a keyboard, but users are complaining when using tablet or phone browsers due to the typing requirement.

'Default Website' is in DefaultAppPool   http:80 /  https:443
'Content' is in ASP.NET v4 Default,  https:  *.4438  

Both https certificates are the same GoDaddy one, valid till 2016.

Any hints to try? Can't do anything too fancy in testing as all sites are live and working...
Question by:Robberbaron (robr)
7 Comments
 
LVL 81

Expert Comment

by:arnold
ID: 40003060
Credential prompts occur when site boundaries are crossed, i.e. virtual directories will each prompt for credentials.
HTTP is not HTTPS.

You seem to be using the HTTP authentication method, which only works down the path, i.e. http://somesite.com/home/base/destination, as long as none of them are virtual.

One option is to allow anonymous access to http that will automatically redirect to https thus having a single sign on that is secured by way of encryption/certificate.
0
 
LVL 33

Author Comment

by:Robberbaron (robr)
ID: 40003358
OK, now I know what to look for. Investigation shows that the first access is to HTTP, which is secured by password. Not sure how the prompt triggers??

The first page is at http://remote.mysite.com (real address hidden to protect the guilty). https://remote.mysite.com redirects to this after login, opposite to your suggestion.

All menu items that are http links AND sub pages of the first one, e.g. http://remote.mysite.com/way, work without a prompt as you indicated.

Any others, such as http://mail.mysite.com/owa or https://remote.mysite.com:4438/jobprocess/, require a second prompt.

Can you explain a little more what is required to implement your suggested methodology?
0
 
LVL 81

Expert Comment

by:arnold
ID: 40003843
You can set up a site that responds to http://remote.mysite.com that has no content, where instead of indicating where the files are, you would set a URL redirection that will point to https://remote.mysite.com with security settings.

The likely issue is on the security setting, where you likely have anonymous access unchecked (default IUSR account is not set for the site).

As long as you use IIS HTTP authentication and apps that you do not control, credential prompts cannot be reduced.

If you have your own managed/written site, building authentication into your app will mean you will control access and rights and can have a single sign-on through use of cookies, database, and session cookies.
0

 
LVL 33

Author Comment

by:Robberbaron (robr)
ID: 40005452
Thanks, slowly making sense.
1. I have implemented the primary menu site as https with SSL required to test. Only WinAuth is accepted. Credential prompt fires as expected. Direct descendant pages that are https load as desired (but not http links, but that can be changed).

2. I can understand that OWA will not accept this credential, as it is set as Forms Based authentication, I believe. Users will just have to live with it.

3. The current https://remote.mysite.com:4438/jobprocess/ is of our making and uses WinAuth only as well. It is our intranet site using http with host header, but has been set up to access via port# as well.
But how do we change it to access the cookie or whatever authentication is provided for the primary 'menu site'?
0
 
LVL 81

Accepted Solution

by:
arnold earned 2000 total points
ID: 40005636
If you are relying on IIS for authentication, you cannot, as each is seen as different.
You can only control whether credential input is required if your application is the one performing the authentication, i.e. you have a form for username/password that is displayed to users.

Also, the port spec means that as far as IIS config goes, these are separate sites.
0
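
An added example, not part of the original thread: browsers key cached HTTP authentication credentials on scheme, host and port (the protection space of RFC 7235), which is why the links discussed above prompt again while sub-pages of the menu site do not. The URLs are the placeholder addresses quoted in the thread; `authScope` and `classifyLink` are hypothetical helper names.

```javascript
// Added example: classify links against the page the user already logged in to.
// A browser reuses cached HTTP-auth credentials only inside the same
// scheme + host + port; anything else is a separate site to it and to IIS.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Break a URL into the parts the credential cache is keyed on.
function authScope(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol], // URL drops default ports
  };
}

// Compare a link with the URL the user authenticated against.
function classifyLink(authenticatedUrl, linkUrl) {
  const a = authScope(authenticatedUrl);
  const b = authScope(linkUrl);
  const differs = ['scheme', 'host', 'port'].filter((k) => a[k] !== b[k]);
  return {
    link: linkUrl,
    differs,                                      // which boundary is crossed
    reusesCachedCredentials: differs.length === 0,
    cleartext: b.scheme === 'http:',              // auth exchange not under TLS
  };
}

// Placeholder addresses quoted in the thread.
const MENU = 'http://remote.mysite.com';
const LINKS = [
  'http://remote.mysite.com/way',
  'http://mail.mysite.com/owa',
  'https://remote.mysite.com:4438/jobprocess/',
  'https://remote.mysite.com',
];

for (const link of LINKS) {
  const r = classifyLink(MENU, link);
  const why = r.reusesCachedCredentials ? 'same site' : 'differs in ' + r.differs.join('+');
  console.log(`${link} -> ${why}${r.cleartext ? ' (plain HTTP)' : ''}`);
}
```

Automatic Windows logon (for hosts the browser treats as intranet or trusted) can suppress the prompt even across these boundaries; the example only models the credential cache.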
 
LVL 81

Expert Comment

by:arnold
ID: 40005656
Discusses the authentication options.
http://technet.microsoft.com/en-us/library/cc753252(v=ws.10).aspx

This option covers the possibility for single signon.
0
 
LVL 33

Author Closing Comment

by:Robberbaron (robr)
ID: 40011840
Will see if I can change the internal website to forms based.
0


Question has a verified solution.
