iceman19330

asked on

Local Windows Authentication Setup and SSO Question

I have two small questions and I am working with PHP on IIS 10 running on Windows Server 2012 R2.  Normally I work with Apache/Linux so this is a bit new to me.

On my local machine I cannot get Windows Authentication against AD to work, even when I am connected to work via VPN.  I don't know if I need to have my local IIS join the domain or set something up in the VPN connection to forward the request.  What I get is an endless refresh of the Windows Authentication window until I cancel, and then I get the HTTP Error 401.1 - Unauthorized.

I have a 2nd question, which is something I think I know the answer to, but since IIS/Windows Authentication is new to me I thought I would ask.  So they want to essentially have SSO for all their intranet apps.  They run under the same IIS server but they are different sub-domains, i.e. apps1.domain.com, apps2.domain.com, etc.  The behavior that they want is: if you need to log in, they want Windows Authentication to pop up and authenticate you, and then you can use all the domains and not have to be authenticated again unless you log out.  My assumption is that since they are separate sub-domains, if it's your first time for each of them you need to authenticate.  Is that correct?  Or is there a configuration setting in IIS that will allow that behavior?

If I need to split up the questions, please let me know and I will come back and make a 2nd question.

Thank you
gr8gonzo

What approach are you using to try to authenticate against AD?

As far as the SSO goes, I'd personally suggest you simply implement SAML using ADFS as your identity provider, since you already have AD. Then just add a SAML provider to your apps (e.g. using simplesamlphp), and redirect users to ADFS if they're not logged into an app.

That way, you're using a secure, industry-standard way of implementing SSO (which will be of help to you with other 3rd party applications later on, too), which will authenticate against AD seamlessly, AND you're not trying to reinvent the wheel with any special authentication within each separate app.
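As an added example of the SAML approach suggested above (this is not code from the thread and not code from the simplesamlphp project), here is the guard each intranet app would include so that ADFS does the login once and every subdomain accepts it. Assumed, not from the thread: simplesamlphp installed under C:\simplesamlphp, an authsource named 'default-sp' that points at the ADFS entity, ADFS claim rules issuing the standard UPN and Group claims, and one allowed AD group per app.

```php
<?php
// Added example; not code from the thread or from simplesamlphp itself.
// Assumptions (not from the thread): install path, authsource name 'default-sp',
// ADFS issuing the default UPN and Group claim URIs, one allowed group per app.
declare(strict_types=1);

require_once 'C:/simplesamlphp/src/_autoload.php';   // 2.x layout; 1.x used lib/_autoload.php

use SimpleSAML\Auth\Simple;

// Default ADFS claim type URIs (assumed; change if your claim rules issue other names)
const CLAIM_UPN    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn';
const CLAIM_GROUPS = 'http://schemas.xmlsoap.org/claims/Group';

/**
 * Force a SAML login and return the user's UPN, or end the request with 403 if the
 * user is not in $allowedGroup.
 *
 * Why this gives SSO across apps1/apps2/...: each app is its own service provider with
 * its own entityID registered at ADFS, but the session that matters lives in the ADFS
 * cookie on the federation service host. The first app redirects there and the user
 * authenticates once (Windows Authentication or forms, as ADFS is configured); later
 * apps redirect there too and get an assertion back without any prompt.
 */
function requireIntranetUser(string $allowedGroup): string
{
    $as = new Simple('default-sp');
    $as->requireAuth();                  // redirects to ADFS and does not return until logged in
    $attrs = $as->getAttributes();       // signature already verified against the IdP metadata

    $upn = $attrs[CLAIM_UPN][0] ?? null;
    if ($upn === null) {
        http_response_code(403);
        exit('assertion carried no UPN claim');          // unexpected claim set: fail closed
    }
    $groups = $attrs[CLAIM_GROUPS] ?? [];
    if (!in_array($allowedGroup, $groups, true)) {
        http_response_code(403);
        exit('not a member of ' . htmlspecialchars($allowedGroup));
    }
    return $upn;
}

/**
 * Logout has to go through the IdP (single logout). Clearing only this app's session
 * would leave the ADFS cookie in place and the next visit would log straight back in.
 */
function logoutIntranetUser(string $returnTo): void
{
    $as = new Simple('default-sp');
    $as->logout(['ReturnTo' => $returnTo]);
}

// Constructed usage at the top of apps1.domain.com/index.php:
$upn = requireIntranetUser('Intranet-Apps1-Users');
echo 'Hello, ' . htmlspecialchars($upn);
```

Two practical caveats when wiring this to ADFS: the ADFS token-signing certificate must be present in simplesamlphp's metadata/saml20-idp-remote.php, otherwise assertions cannot be verified and the SP must refuse them; and ADFS only issues a SAML Name ID if a claim rule maps one, and single logout will not work without it.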
iceman19330

ASKER

So on IIS I enabled Windows Authentication -- following the directions :) -- and turned off Anonymous.
What I have is a PHP script that then takes $_SERVER['AUTH_USER'] and passes it over to AD.

However, on my local machine Windows Authentication keeps popping up until I cancel, then I get that 401.1 error about being unauthorized.
On the server, not my local, it is fine.  Until I go to another subdomain and I have to re-authenticate -- they are under the impression that it shouldn't happen like that; once you log in to one you should skip all the rest, which is why I was looking at SSO.  These subdomains are internal apps, not public.
ASKER CERTIFIED SOLUTION
gr8gonzo

So part of this, I guess, is that I believe I can almost do away with Windows Authentication since I am authenticating via LDAP.  I don't know why they did Windows Authentication or even if they know that they have it enabled.  But part of what I need to understand, since I am an IIS and Windows Auth newbie, is whether the Windows Authentication popup is supposed to behave so that each subdomain needs to re-authenticate.

This was written before I read your above post
Assuming it's IIS doing the auth work (based on your last comment), then you are correct in that your local system is probably not a domain member, or maybe you're not passing the domain as part of the username (e.g. DOMAIN\username).

Is there a way to attach my IIS to the domain?  This is mostly for testing purposes; otherwise I will have to do the testing on a test server.

So if you're getting endless pop-up auth boxes and IIS is the one handling the loop on your local box, then it's probably validating against your local set of credentials (not against AD).
I believe it's this; I can do the PHP without an issue -- local or remote doesn't matter.
My understanding is that IIS is going to check the domain IF the workstation itself is a domain member. I don't think there's a way to ONLY join IIS to the domain, but it's not a situation I've ever had to specifically deal with, so...

If you want to manually handle AD authentication without IIS automatically handling the authentication side of things, then your best bet is to use custom PHP coding with the LDAP extension.

Again, SAML is definitely the best approach here all-around. Set up ADFS on the domain, then just configure your apps as service providers, and it will work beautifully regardless of whether you're joined to the domain or not (since SAML is all web-based, it doesn't care whether you're joined to the domain - you're authenticating in one central place).
And I know I keep pushing SAML - I know it might be a new concept if you haven't used it before, but I'm just trying to set you on the right path. I deal daily with very large corporations who many times have home-brewed apps and authentication that they've used for years and have invested so much time in that it becomes hard to switch. Every single one of them just figured, "This is just an internal app, so we'll take quick shortcuts for now." Then there are other customers who started with the right approach early on and things are SO much simpler for them. SAML is going to be around for a long time and getting set up to use it will make your life a lot easier (plus you'll get experience developing the service provider integration portion, which is valuable in today's market).
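The thread mentions two different things under "passing the user to AD": the asker's script hands $_SERVER['AUTH_USER'] to AD, and the reply above suggests the PHP LDAP extension for handling AD yourself. The following added example (not the asker's script and not code from the thread) separates them: an authorization lookup for an identity IIS has already verified, and real authentication by binding with the user's own password, which is what is needed once Windows Authentication is switched off. Assumed values, not from the thread: dc1.domain.com, DC=domain,DC=com, the svc-intranet service account and an AD_BIND_PW environment variable; PHP 8.1+ with ext/ldap.

```php
<?php
// Added example; not the asker's script or code from the thread.
//   lookupAdUser()       - authorization data for an identity IIS already verified
//                          (Windows Authentication on, anonymous off, AUTH_USER populated)
//   authenticateByBind() - authentication by binding with the user's own password
// Assumed, not from the thread: dc1.domain.com, DC=domain,DC=com, svc-intranet, AD_BIND_PW.
declare(strict_types=1);

const AD_URI     = 'ldaps://dc1.domain.com';  // LDAPS: no bind password crosses the wire in clear
const AD_BASE_DN = 'DC=domain,DC=com';
const AD_DOMAIN  = 'domain.com';

/** Reduce "DOMAIN\user" or "user@domain.com" to a bare sAMAccountName; null if empty or malformed. */
function parseAuthUser(string $authUser): ?string
{
    $authUser = trim($authUser);
    if ($authUser === '') {
        return null;                                    // anonymous auth left on: fail closed
    }
    if (($p = strrpos($authUser, '\\')) !== false) {
        $authUser = substr($authUser, $p + 1);
    } elseif (($p = strpos($authUser, '@')) !== false) {
        $authUser = substr($authUser, 0, $p);
    }
    // sAMAccountName is at most 20 characters; accept only a conservative character set
    return preg_match('/^[A-Za-z0-9._-]{1,20}$/', $authUser) === 1 ? $authUser : null;
}

/** LDAPv3 over LDAPS with a required server certificate and no referral chasing. */
function adConnect(): \LDAP\Connection
{
    $ldap = ldap_connect(AD_URI);
    if ($ldap === false) {
        throw new RuntimeException('invalid LDAP URI');
    }
    ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);      // AD returns referrals on forest-wide searches
    return $ldap;
}

/** Authorization lookup: sam/upn/displayName/groups for exactly one enabled account, else null. */
function lookupAdUser(string $sam, string $bindDn, string $bindPw): ?array
{
    $ldap = adConnect();
    if (!@ldap_bind($ldap, $bindDn, $bindPw)) {
        throw new RuntimeException('service bind failed: ' . ldap_error($ldap));
    }
    // ldap_escape() blocks filter injection should $sam ever come from a less trusted source
    $filter = sprintf('(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))',
        ldap_escape($sam, '', LDAP_ESCAPE_FILTER));
    $attrs   = ['sAMAccountName', 'userPrincipalName', 'displayName', 'memberOf', 'userAccountControl'];
    $result  = ldap_search($ldap, AD_BASE_DN, $filter, $attrs);
    $entries = $result === false ? false : ldap_get_entries($ldap, $result);
    ldap_unbind($ldap);
    if ($entries === false || $entries['count'] !== 1) {
        return null;                                    // zero or several matches: unknown user
    }
    $e = $entries[0];                                   // ldap_get_entries() lowercases attribute names
    if (((int) ($e['useraccountcontrol'][0] ?? 0)) & 0x2) {
        return null;                                    // ACCOUNTDISABLE bit set
    }
    $groups = [];
    for ($i = 0; $i < ($e['memberof']['count'] ?? 0); $i++) {
        $groups[] = $e['memberof'][$i];                 // direct memberships only; nesting not expanded
    }
    return [
        'sam'         => $e['samaccountname'][0] ?? $sam,
        'upn'         => $e['userprincipalname'][0] ?? null,
        'displayName' => $e['displayname'][0] ?? null,
        'groups'      => $groups,
    ];
}

/**
 * Authentication by simple bind as the user. The empty-password check matters: AD accepts an
 * "unauthenticated" simple bind (name given, password empty) and reports success, so without
 * it any known username would log in.
 */
function authenticateByBind(string $sam, string $password): bool
{
    if ($password === '') {
        return false;
    }
    $ldap = adConnect();
    $ok = @ldap_bind($ldap, $sam . '@' . AD_DOMAIN, $password); // UPN form: no DN lookup needed
    ldap_unbind($ldap);
    return $ok;
}

// Constructed usage with Windows Authentication still on: IIS fills AUTH_USER, PHP only authorizes.
$sam  = parseAuthUser($_SERVER['AUTH_USER'] ?? '');
$user = $sam === null ? null
    : lookupAdUser($sam, 'CN=svc-intranet,OU=Service Accounts,DC=domain,DC=com', getenv('AD_BIND_PW') ?: '');
if ($user === null) {
    http_response_code(403);
    exit('not an enabled domain account');
}
```

The point of keeping the two functions apart: a lookup by username proves nothing about who is at the keyboard, so it only replaces Windows Authentication if the request reaches PHP with a verified identity. If Windows Authentication is removed, the script must collect a password and use authenticateByBind() (or hand authentication to an IdP such as ADFS), not just search AD for the name the browser sent.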

No worries, I appreciate the information and thinking from an overarching security umbrella rather than just answering the question.  I will have to look at SAML + ADFS.  They are moving to Azure; for some processes I have already integrated a few items with Graph, and they will be moving more and more to the cloud with hosting and even AD.  Anyway, that was a little off topic.

But I appreciate it.  I think I am going to do a quick band-aid for now, and then once I have them ready for ADFS (there is an IT group that has to do it) I can implement something stronger.

Thank you very much for your very in-depth answers and all the time you took to walk me through the process.
This helped not only because of explaining the process but also giving some additional options that are a best practice.