Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 343
  • Last Modified:

Avoid second login request IIS7

I have an IIS server on Win2008R2 behind a router, setup to accept remote and intranet access including Outlook Web Access (OWA)

All works fine and an authentication prompt occurs upon first access from browser. (both http and https)
 This then displays a basic menu page (default website port 80/443) with links to other websites/Applications hosted on the same IIS server on different ports. Some are in different AppPools but all use same integrated pipeline mode and Identity.

But attempting to open the linked site throws another Login request. Enter the same credentials and the site opens correctly. Including OWA.  
"Windows Authentication" is the only type enabled for the relevant sites in IIS.  Providers are NTLM and Negotiate, in that order for all sites.

not a big deal from a browser with keyboard but users are complaining when using tablet or phone browsers due to typing requirement.

'Default Website' is in DefaultAppPool   http:80 /  https:443
'Content' is in ASP.NET v4 Default,  https:  *.4438  

both https certificates are the same GoDaddy  valid till 2016

Any hints to try ?  cant do anything too fancy in testing  as all sites live and working...
0
Robberbaron (robr)
Asked:
Robberbaron (robr)
  • 4
  • 3
1 Solution
 
arnoldCommented:
Credential prompts occur when site boundaries are crossed. I.e. Virtual directories will each prompt for credentials.
Http is not https.

You seem to be using the http authentication method which only works down the path I.e. Http://somesite.com/home/base/destination as long as none of them are virtual.

One option is to allow anonymous access to http that will automatically redirect to https thus having a single sign on that is secured by way of encryption/certificate.
0
 
Robberbaron (robr)Author Commented:
ok. now i know what to look for,  investigation shows that the first access is to HTTP , which is secured by password. not sure how the prompt triggers??

first page is at  http://remote.mysite.com   (real address hidden to protect the guilty). https://remote.mysite.com redirects to this after login, opposite to your suggestion.

all menu items that are http links AND sub pages of first one eg http://remote.mysite.com/way works without a prompt as you indicated.

any others such as http://mail.mysite.com/owa or  https://remote.mysite.com:4438/jobprocess/   requires second prompt.

can you explain a little more what is required to implement your suggested methodology ?
0
 
arnoldCommented:
You can setup a site that responds to http://remote.mysite.com that has no content where instead of indicating where the files are, you would set a URL redirection that will point to https://remote.mysite.com with security settings.

The likely issue is on the security setting where you likely have anonymous access unchecked (default iusr account is not set for the site)

As long as you use IIS http authentication and apps that you do not control, credential prompts can not be reduced.

If you have your own managed/written site, building authentication into you app will mean you will control access and rights and can have a single sign on through use of cookies, database, and session cookies.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
Robberbaron (robr)Author Commented:
thanks slowly making sense.
1. I have implemented the primary menu site as https with ssl required to test. Only winAuth is accepted. Credential prompt fires as expected. direct descendent pages that are https laod as desired. (but not http links but that can be changed)

2. I can understand the OWA will not accept this credential as it is set as Forms Based auth entication i believe. users wil just have to live with it.

3. The current https://remote.mysite.com:4438/jobprocess/ is of our making and uses WinAuth only as well. It is our intranet site using http with host header, but has been set up to access via port# as well.
 But how do we change it to access the cookie or whatever authentication is provided for the primary 'menu site'
0
 
arnoldCommented:
If you are relying on IIS for authentication, you can not as each is seen as different.
You can only control whether credential input is required if your application is the one performing the authentication, I.e you have a firm for username/password that is displayed to users.

Also the port spec means that as far as IIS config these are shoe rate sites.
0
 
arnoldCommented:
Discusses the authentication options.
http://technet.microsoft.com/en-us/library/cc753252(v=ws.10).aspx

This option covers the possibility for single signon.
0
 
Robberbaron (robr)Author Commented:
will see if i can change the internal website to forms based.
0

Featured Post

Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now