We help IT Professionals succeed at work.

Can I setup an extranet website in IIS using Windows authentication?

I'm working on a new web application.  Users will be logging in sometimes on the domain pc and sometimes from their mobile device that is not on the network domain.  Can I configure this in IIS (7.5) for this web application/site to be a Windows Authentication app?  I mean, will it still work when user navigates to the web site using their mobile device and still be asked to enter their Windows' credential and be authenticated?

Also, is there an option in this Window's Login dialog, a checkbox, to remember the credential with?  

Thank you.
Comment
Watch Question

Distinguished Expert 2019

Commented:
To the first yes you can, the user from a non-domain will be prompted for credentials.

Windows login you mean onto a system?
There is no check box option there, there is a way to configure a system to auto login as a user.

Please explain what windows login prompt do you mean.

Author

Commented:
The windows log I meant is when you enable the "Windows Authentication" in IIS (7.5 is ours), for the web application, the IIS will display a login dialog asking users for their userid and password that's their domain account or windows account.  
Thank you.
Distinguished Expert 2019

Commented:
There is no way to enable remember me in that dialogue.

You could code your application to prompt for user login using AD authentication at which point the login process will be totally under your applications control.
With using IIS windows authentication, the authentication to access is left to IIS.
It only answers does user have access? with a valid login, the user has, with an invalid, the user does not.

Depending on what it is the site/application does, have you considered having the user authentication be part of the application versus an IIS function?

Usually, remember me is handled by the site when the option is checked is to set a cookie on the client side that is checked when the user returns to see whether the cookie exists, its contents match the criteria and username is then extracted from the parameters and allowed in.

Author

Commented:
Arnold,
Thank you and that makes sense.  I knew about IIS is in charge and about the cookies but still appreciate you writing up the explanation.   The reason why I asked because of this screen shot at this article shows a option box for "Remember my credential" when it's set as "Digest Authentication" in IIS.  https://www.simple-talk.com/dotnet/asp.net/authentication-and-authorization-with-windows-accounts-in-asp.net/  
I also attached an image from that link.

I can setup a web application in IIS, and only enable the "Windows Authentication"  I thought that would set up the web application to be an Intranet.  But users can still see this site as a public website but just will be asked to enter windows credential for authentication.  So when and how does a web application gets set up as an Intranet?  Is it by IP limitation on IIS?
Thank you.
1268-Figure4.jpg
Distinguished Expert 2019
Commented:
I am uncertain whether that option is configurable or is presented under certain conditions I.e. In that type of an interface the info would be saved within the user's keys

Control keymgr.dll
This is one way a user can save external passwords.

Intranet site means it is only available internally. Usually the security consideration are more relaxed, when a site is externally accessible, the security consideration should be in accordance with the exposure and is no longer an intranet, it could be mixed through restriction of pages/sections, but restrictions are not fixed where a typo, error could expose those section.

Author

Commented:
Thank you.