Solved

Avoid second login request IIS7

Posted on 2014-04-15
Last Modified: 2014-04-20
I have an IIS server on Win2008R2 behind a router, set up to accept remote and intranet access, including Outlook Web Access (OWA).

All works fine and an authentication prompt occurs upon first access from a browser (both http and https).
This then displays a basic menu page (default website, port 80/443) with links to other websites/applications hosted on the same IIS server on different ports. Some are in different AppPools, but all use the same integrated pipeline mode and Identity.

But attempting to open the linked site throws another login request. Enter the same credentials and the site opens correctly. Including OWA.
"Windows Authentication" is the only type enabled for the relevant sites in IIS. Providers are NTLM and Negotiate, in that order, for all sites.

Not a big deal from a browser with a keyboard, but users are complaining when using tablet or phone browsers due to the typing requirement.

'Default Website' is in DefaultAppPool   http:80 /  https:443
'Content' is in ASP.NET v4 Default,  https:  *.4438  

Both https certificates are the same GoDaddy, valid till 2016.

Any hints to try? Can't do anything too fancy in testing as all sites are live and working...
Question by:Robberbaron (robr)
7 Comments
 

Expert Comment

by:arnold
ID: 40003060
Credential prompts occur when site boundaries are crossed, i.e. virtual directories will each prompt for credentials.
HTTP is not HTTPS.

You seem to be using the HTTP authentication method, which only works down the path, i.e. http://somesite.com/home/base/destination, as long as none of them are virtual.

One option is to allow anonymous access to http that will automatically redirect to https thus having a single sign on that is secured by way of encryption/certificate.

Author Comment

by:Robberbaron (robr)
ID: 40003358
OK. Now I know what to look for, investigation shows that the first access is to HTTP, which is secured by password. Not sure how the prompt triggers??

First page is at http://remote.mysite.com (real address hidden to protect the guilty). https://remote.mysite.com redirects to this after login, opposite to your suggestion.

All menu items that are http links AND sub pages of the first one, e.g. http://remote.mysite.com/way, work without a prompt as you indicated.

Any others, such as http://mail.mysite.com/owa or https://remote.mysite.com:4438/jobprocess/, require a second prompt.

Can you explain a little more what is required to implement your suggested methodology?

Expert Comment

by:arnold
ID: 40003843
You can set up a site that responds to http://remote.mysite.com that has no content where, instead of indicating where the files are, you would set a URL redirection that will point to https://remote.mysite.com with security settings.

The likely issue is on the security setting, where you likely have anonymous access unchecked (default IUSR account is not set for the site).

As long as you use IIS HTTP authentication and apps that you do not control, credential prompts cannot be reduced.

If you have your own managed/written site, building authentication into your app will mean you will control access and rights and can have a single sign-on through use of cookies, database, and session cookies.

Author Comment

by:Robberbaron (robr)
ID: 40005452
Thanks, slowly making sense.
1. I have implemented the primary menu site as https with SSL required to test. Only WinAuth is accepted. Credential prompt fires as expected. Direct descendant pages that are https load as desired. (But not http links, but that can be changed.)

2. I can understand that OWA will not accept this credential as it is set as Forms Based authentication, I believe. Users will just have to live with it.

3. The current https://remote.mysite.com:4438/jobprocess/ is of our making and uses WinAuth only as well. It is our intranet site using http with host header, but has been set up to access via port# as well.
But how do we change it to access the cookie or whatever authentication is provided for the primary 'menu site'?

Accepted Solution

by:
arnold earned 500 total points
ID: 40005636
If you are relying on IIS for authentication, you cannot, as each is seen as different.
You can only control whether credential input is required if your application is the one performing the authentication, i.e. you have a form for username/password that is displayed to users.

Also, the port spec means that as far as IIS config goes, these are separate sites.
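The boundary described in this answer can be checked for a whole menu page before users hit it. The following is an added example, not part of the original thread: it assumes the browser keeps credentials per origin (scheme, host and port), uses the placeholder addresses quoted above plus one constructed link, and the function names are hypothetical.

```javascript
// Added example: classify menu links by origin (scheme + host + port).
// URLs are the placeholder addresses quoted in the thread.
const MENU_PAGE = "https://remote.mysite.com/";
const MENU_LINKS = [
  "https://remote.mysite.com/way",
  "http://remote.mysite.com/way",
  "http://mail.mysite.com/owa",
  "https://remote.mysite.com:4438/jobprocess/",
  "https://remote.mysite.com:443/reports", // constructed: explicit default port
];

// WHATWG URL drops default ports, so :443 on https equals "no port".
function originOf(url) {
  return new URL(url).origin;
}

// Compare each link with the page the user has already signed in to.
function classifyLinks(page, links) {
  const base = new URL(page);
  return links.map((link) => {
    const u = new URL(link, base);
    const differs = [];
    if (u.protocol !== base.protocol) differs.push("scheme");
    if (u.hostname !== base.hostname) differs.push("host");
    if (u.port !== base.port) differs.push("port");
    return {
      link: u.href,
      origin: u.origin,
      sameOrigin: differs.length === 0,
      differs,
      cleartext: u.protocol === "http:", // credentials exchanged without TLS
    };
  });
}

// One sign-in per distinct origin is the behaviour reported in the thread.
function distinctOrigins(page, links) {
  return [...new Set([page, ...links].map(originOf))];
}

for (const r of classifyLinks(MENU_PAGE, MENU_LINKS)) {
  const note = r.sameOrigin ? "same origin" : `new origin (${r.differs.join("+")})`;
  console.log(`${r.link} -> ${note}${r.cleartext ? ", no TLS" : ""}`);
}
console.log(distinctOrigins(MENU_PAGE, MENU_LINKS).length, "distinct origins");
```

Links reported as a new origin are the ones to move under the menu site's own host and port, or to front with application-level sign-on; links flagged "no TLS" authenticate over plain HTTP.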

Expert Comment

by:arnold
ID: 40005656
Discusses the authentication options.
http://technet.microsoft.com/en-us/library/cc753252(v=ws.10).aspx

This option covers the possibility for single signon.

Author Closing Comment

by:Robberbaron (robr)
ID: 40011840
Will see if I can change the internal website to forms based.