Local Windows Authentication Setup and SSO Question

I have two small questions and I am working with PHP on IIS 10 running on Windows Server 2012 R2.  Normally I work with Apache/Linux so this is a bit new to me.

On my local I cannot get the Windows Authentication against AD to work even if I am connected via VPN to work.  I don't know if I need to have my local IIS join the domain or set something up in the VPN connection to forward the request.  What I get is an endless refresh of the Windows Authentication window until I cancel and then I get the HTTP Error 401.1 - Unauthorized.

I have a 2nd question which is something I think I know the answer to, but since IIS/Windows Authentication is something new I thought I would ask.  So they want to essentially have a SSO for all their intranet apps.  They run under the same IIS server but they are different sub-domains -- ie apps1.domain.com, apps2.domain.com, etc.  The behavior that they want is if you need to login they want Windows Authentication to pop up and authenticate you and then you can use all the domains and not have to be authenticated again unless you logout.  My assumption is that since they are separate sub-domains that if it's your first time for each of them you need to authenticate.  Is that correct?  Or is there a configuration setting on IIS that will allow that behavior?

If I need to split up the questions please let me know I will come back and make a 2nd question.

Thank you
iceman19330 asked:

gr8gonzo (Consultant) commented:
What approach are you using to try to authenticate against AD?

As far as the SSO goes, I'd personally suggest you simply implement SAML using ADFS as your identity provider, since you already have AD. Then just add a SAML provider to your apps (e.g. using simplesamlphp), and redirect users to ADFS if they're not logged into an app.

That way, you're using a secure, industry-standard way of implementing SSO (which will be of help to you with other 3rd party applications later on, too), which will authenticate against AD seamlessly, AND you're not trying to reinvent the wheel with any special authentication within each separate app.
0
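As an added illustration of the SAML route suggested above (this is not code from the thread or from the SimpleSAMLphp project), here is what the "add a SAML provider to your app" step looks like with SimpleSAMLphp as the service provider and ADFS as the identity provider. The entity IDs, host names and attribute names are assumptions; ADFS normally publishes its metadata at /FederationMetadata/2007-06/FederationMetadata.xml, which is what you would import into SimpleSAMLphp's metadata directory.

```php
<?php
// Added example, not part of the original thread.
// File 1 (assumed path): config/authsources.php in the SimpleSAMLphp install.
// Declares this app as a SAML service provider that trusts the ADFS IdP.
$config = [
    'default-sp' => [
        'saml:SP',
        // Assumption: this app's own SP entity ID (any stable URI you register with ADFS)
        'entityID' => 'https://apps1.domain.com/simplesaml/module.php/saml/sp/metadata.php/default-sp',
        // Assumption: ADFS identifier; ADFS uses this "trust" URI as its entity ID by default
        'idp'      => 'http://adfs.domain.com/adfs/services/trust',
        'discoURL' => null,
        // Ask ADFS to sign assertions and reject unsigned ones
        'sign.authnrequest' => true,
        'validate.response' => true,
    ],
];

// File 2 (assumed path): a protected page in apps1.domain.com, e.g. secure.php.
// Every intranet app (apps2, apps3, ...) includes the same few lines; the user
// authenticates once at ADFS and is then signed in to each SP via a SAML response,
// so the browser never has to pop up a Windows Authentication dialog per subdomain.
require_once '/var/simplesamlphp/lib/_autoload.php';   // assumption: install path

$as = new \SimpleSAML\Auth\Simple('default-sp');
$as->requireAuth();                   // redirects to ADFS if there is no SP session
$attributes = $as->getAttributes();

// Assumption: ADFS claim rules are configured to emit these attribute names.
$user   = $attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'][0] ?? 'unknown';
$groups = $attributes['http://schemas.xmlsoap.org/claims/Group'] ?? [];

// Authorisation stays with the app: decide per group, not per "someone logged in".
if (!in_array('Intranet-Users', $groups, true)) {
    http_response_code(403);
    exit('Not authorised');
}

echo 'Signed in as ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

Log-out is the one place the thread's "until you logout" requirement needs care: calling `$as->logout()` initiates SAML single log-out against ADFS, which clears the sessions of the other service providers too, whereas simply destroying the local PHP session only logs out of one subdomain.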
iceman19330 (Author) commented:
So on IIS I enabled Windows Authentication -- following the directions :)  Turned off Anonymous.
What I have is a PHP script that then takes the $_SERVER['AUTH_USER'] and passes it over to AD.

However on my local Windows Authenticate keeps popping up until I cancel then I get that 401.1 error about unauthorized.
On the server, not my local, it is fine.   Until I go to another subdomain and I have to re-authenticate -- they are under the impression that it shouldn't happen like that; once you login to one you should skip all the rest, which is why I was looking at SSO.  These subdomains are internal apps not public.
0
gr8gonzo (Consultant) commented:
So, HTTP authentication simply works like this:
1. When the browser sends over the request, if it includes a "Authorization" HTTP header, like this:
Authorization: Basic YWJjOjEyMw==

...then that can be processed into the $_SERVER["PHP_AUTH_USER"] variable.

2. If that variable isn't set, or if it's invalid, then PHP can respond with the 401 header, which tells the browser, "Hey, you didn't send me a valid Authorization header, so I'm going to refuse to serve the page until you send me a good one."

3. If the browser gets that 401, it pops the dialog box, accepts the user's input, and then uses it to build the Authorization header and then resends the request, which goes back to step 1 above.

So if you're getting endless pop-up auth boxes and IIS is the one handling the loop on your local box, then it's probably validating against your local set of credentials (not against AD). If your PHP script is trying to do the authentication and you're getting the endless loop, then whatever mechanism you're using to authenticate against AD (e.g. LDAP extension or something) is probably failing the lookup, and you'd have to look into those logs to figure out why.

Assuming it's IIS doing the auth work (based on your last comment), then you are correct in that your local system is probably not a domain member, or maybe you're not passing the domain as part of the username (e.g. DOMAIN\username).

Regarding the subdomain issue, the Authorization header is handled by your browser, and similar to how cookies work, you're not going to have that authorization header automatically passed over to the other subdomains. That would be a huge security risk if that happened. Imagine if you had a 3rd party that had a solution that sat on your domain on its own subdomain, and it got hacked and started logging all the incoming Authorization headers - it'd basically be collecting clear-text usernames and passwords (because HTTP authentication is not encrypted).

So no, you don't want subdomains to all share that Authorization header sent from step 1, so it's a good thing that it works like this.

Again, your best way to resolve it is really to use SAML. It's not that complicated to set up (in my opinion), and it's a great asset to have a working identity provider for your company, since SAML is everywhere nowadays. Even if your subdomains are internal apps, SAML is a great solution for it, and is also a long-term solution, too.

If you want a bandaid, then just use a session cookie to store your login info and configure the cookie to be set at the domain level, so that the browser sends over the same cookie for all subdomains, and then each subdomain can see the cookie. However, you'd need to handle the HTTP authentication manually in this scenario, since IIS is going to enforce the per-subdomain HTTP authentication.
0
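The three-step loop described above, together with the "bandaid" of a domain-level session cookie from the end of the same answer, as an added PHP example that is not code from the thread. It assumes IIS has Anonymous authentication enabled and Windows Authentication disabled for the site (otherwise IIS consumes the header as Negotiate/NTLM before PHP ever sees it), and the cookie domain, realm name and the verifyCredentials() stub are assumptions. The header value used in the answer, YWJjOjEyMw==, decodes to abc:123, which is exactly why the answer calls this clear-text and why the cookie is marked secure.

```php
<?php
// Added example, not part of the original thread.
declare(strict_types=1);

const COOKIE_DOMAIN = '.domain.com';   // assumption: parent domain shared by apps1/apps2
const AUTH_REALM    = 'Intranet';      // assumption: realm shown in the browser dialog

/**
 * Step 1: parse "Authorization: Basic <base64(user:pass)>".
 * Returns [user, pass] or null when the header is absent or malformed.
 */
function parseBasicAuth(?string $header): ?array
{
    if ($header === null || !preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);           // strict: reject junk bytes
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // A password may itself contain ':'; only the first one is the separator.
    [$user, $pass] = explode(':', $decoded, 2);
    return $user === '' ? null : [$user, $pass];
}

/**
 * Step 2: no or invalid credentials -> 401 plus WWW-Authenticate, so the browser
 * shows its dialog (step 3) and retries the request with the header set.
 */
function challenge(): void
{
    header('WWW-Authenticate: Basic realm="' . AUTH_REALM . '", charset="UTF-8"');
    http_response_code(401);
    exit('Authentication required');
}

/** Assumed placeholder for the real check (e.g. an LDAP bind against AD). */
function verifyCredentials(string $user, string $pass): bool
{
    return false;   // replace with the real lookup; never accept an empty password
}

// Bandaid from the thread: one session cookie scoped to the parent domain, so
// apps1.domain.com and apps2.domain.com both receive it and the user is only
// challenged once. Each subdomain must share the same session store for this to work.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => COOKIE_DOMAIN,
    'secure'   => true,   // Basic credentials are only base64-encoded, so require TLS
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

if (empty($_SESSION['auth_user'])) {
    // Depending on the IIS/FastCGI configuration PHP may expose the header raw
    // (HTTP_AUTHORIZATION) or already split into PHP_AUTH_USER / PHP_AUTH_PW.
    $creds = isset($_SERVER['PHP_AUTH_USER'])
        ? [$_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ?? '']
        : parseBasicAuth($_SERVER['HTTP_AUTHORIZATION'] ?? null);

    if ($creds === null || !verifyCredentials($creds[0], $creds[1])) {
        challenge();
    }
    session_regenerate_id(true);          // new session id after login (fixation defence)
    $_SESSION['auth_user'] = $creds[0];
}

echo 'Hello, ' . htmlspecialchars($_SESSION['auth_user'], ENT_QUOTES, 'UTF-8');
```

The trade-off the answer alludes to shows up in the cookie block: a cookie scoped to .domain.com is sent to every host under that domain, so any third-party application hosted on a sibling subdomain receives the session cookie as well. That is less damaging than sharing the Authorization header (the cookie is an opaque session id, not the password), but it is still a reason to keep this as the short-term fix and move to SAML.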


iceman19330 (Author) commented:
So part of this I guess is that I believe that I can almost do away with Windows Authentication since I am authenticating via LDAP.  I don't know why they did Windows Authentication or even if they know that they have it enabled.  But part of what I need to understand, since I am an IIS and Windows Auth newbie, is whether the Windows Authentication popup is supposed to behave this way, where each subdomain needs to re-authenticate.

This was written before I read your above post
0
iceman19330 (Author) commented:
Assuming it's IIS doing the auth work (based on your last comment), then you are correct in that your local system is probably not a domain member, or maybe you're not passing the domain as part of the username (e.g. DOMAIN\username).

Is there a way to attach my IIS to the domain?  This is mostly for testing purposes .. otherwise I will have to do the testing on a test server.

So if you're getting endless pop-up auth boxes and IIS is the one handling the loop on your local box, then it's probably validating against your local set of credentials (not against AD).
I believe it's this, I can do the PHP without an issue -- local or remote doesn't matter.
0
gr8gonzo (Consultant) commented:
My understanding is that IIS is going to check the domain IF the workstation itself is a domain member. I don't think there's a way to ONLY join IIS to the domain, but it's not a situation I've ever had to specifically deal with, so...

If you want to manually handle AD authentication without IIS automatically handling the authentication side of things, then your best bet is to use custom PHP coding with the LDAP extension.

Again, SAML is definitely the best approach here all-around. Set up ADFS on the domain, then just configure your apps as service providers, and it will work beautifully regardless of whether you're joined to the domain or not (since SAML is all web-based, it doesn't care if you're joined to the domain or not - you're authenticating in one central place).
0
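The "custom PHP coding with the LDAP extension" route mentioned above, as an added example that is not code from the thread. It assumes ext/ldap is loaded, and the LDAPS host, base DN and NetBIOS domain name are placeholders. The empty-password check is the caveat a practitioner most needs here: Active Directory treats a bind with a non-empty username and an empty password as an unauthenticated bind and reports success, so a script that forwards the form fields straight into ldap_bind() would "log in" anyone who knows a username.

```php
<?php
// Added example, not part of the original thread.
declare(strict_types=1);

const LDAP_URI       = 'ldaps://dc1.domain.com';   // assumption: LDAPS so the password is not sent in clear
const LDAP_BASE      = 'DC=domain,DC=com';         // assumption
const NETBIOS_DOMAIN = 'DOMAIN';                   // assumption: the DOMAIN in DOMAIN\username

/**
 * Bind to AD as the user. Returns the user's DN on success, null on failure.
 */
function adAuthenticate(string $user, string $pass): ?string
{
    // AD accepts an empty password as an anonymous/unauthenticated bind: refuse it here.
    if ($user === '' || $pass === '') {
        return null;
    }
    // Restrict to characters expected in sAMAccountName so the bind DN cannot be altered.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user)) {
        return null;
    }

    $ds = ldap_connect(LDAP_URI);
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);        // AD referrals slow down or break searches
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);  // fail fast if the DC is unreachable (e.g. VPN down)

    // AD accepts "DOMAIN\user" or "user@domain.com" as the bind identity.
    if (@ldap_bind($ds, NETBIOS_DOMAIN . '\\' . $user, $pass) === false) {
        // Wrong password, disabled or locked-out account: treat all the same to the caller.
        ldap_unbind($ds);
        return null;
    }

    // Look the user up for authorisation data (memberOf) using an escaped filter.
    $filter = '(sAMAccountName=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . ')';
    $res    = ldap_search($ds, LDAP_BASE, $filter, ['memberOf']);
    $dn     = null;
    if ($res !== false) {
        $entries = ldap_get_entries($ds, $res);
        if (($entries['count'] ?? 0) === 1) {
            $dn = $entries[0]['dn'];
        }
    }
    ldap_unbind($ds);
    return $dn;
}

// Usage (credentials come from the Basic-auth parsing or a login form, never from the URL):
// $dn = adAuthenticate('jdoe', $password);
// if ($dn === null) { /* respond 401 and log the failed attempt */ }
```

Two things to watch in production: bind failures against AD are worth logging with the username but never the password, since a burst of them per account is the usual sign of a lockout or a guessing attempt; and the LDAPS certificate should be validated (do not set LDAP_OPT_X_TLS_REQUIRE_CERT to "never"), otherwise the clear-text problem the earlier answer describes simply moves from HTTP to LDAP.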
gr8gonzo (Consultant) commented:
And I know I keep pushing SAML - I know it might be a new concept if you haven't used it before, but I'm just trying to set you on the right path. I deal daily with very large corporations who many times have home-brewed apps and authentication that they've used for years and have invested so much time in that it becomes hard to switch. Every single one of them just figured, "This is just an internal app, so we'll take quick shortcuts for now." Then there are other customers who started with the right approach early on and things are SO much simpler for them. SAML is going to be around for a long time and getting set up to use it will make your life a lot easier (plus you'll get experience developing the service provider integration portion, which is valuable in today's market).
0
iceman19330 (Author) commented:
And I know I keep pushing SAML - I know it might be a new concept if you haven't used it before, but I'm just trying to set you on the right path

No worries, I appreciate the information and thinking from an overarching security umbrella rather than just answering the question.  I will have to look at the SAML + ADFS.  They are moving to Azure and for some processes I have already integrated a few items in Graph, and they will be moving more and more to the cloud with hosting and even AD.  Anyway that was a little off topic.

But I appreciate it.  I think I am going to do a quick bandaid for now and then once I have them ready for ADFS, there is an IT group that has to do it, then I can implement something stronger.

Thank you very much for your very in-depth answers and all the time you took to walk me through the process.
0
iceman19330 (Author) commented:
This helped not only because of explaining the process but also giving some additional options that are a best practice.
0