Integrated Authentication with the InstantKB.NET Active Directory...



One of the questions we most often receive from customers and users of our Active Directory module is "How can I bypass the login step altogether and use my Active Directory/Windows credentials to authenticate to the system?". This is a feature we spent a lot of time on in the development of our LDAP module, and this article will hopefully shed some light on it.

Client Configuration

Firstly, note that every client must have its browser configured for Integrated Windows Authentication; without it, the browser will not send the user's existing credentials to the server for validation. To enable this in Internet Explorer, go to

Tools -> Internet Options -> Advanced

and ensure that 'Enable Integrated Windows Authentication' in the 'Security' area of the tree is checked. Note also that Internet Explorer only sends the current Windows credentials automatically to sites it places in the Local intranet zone; a KB reached by a fully qualified host name that is not in that zone will prompt for a user name and password instead, so add the KB host to the Local intranet zone (Tools -> Internet Options -> Security) where necessary.



Server Configuration

The LDAP module adds a page to the KB, "WinLogin.aspx", which handles all seamless logins. This page takes the Windows identity that IIS has already validated and feeds it into the LDAP module, which then processes the authentication and applies several verification and safety steps to ensure that the system is not compromised.

It is vital that any client attempting this is already authenticated to the relevant Active Directory domain. If a client is not, you will need to trigger the authentication at the server level. The way to do this varies between IIS 5.0, 6.0 and 7.0, but the most common approach is to set your IIS security settings to require Windows Authentication, with Anonymous access disabled, for WinLogin.aspx; if Anonymous access is left enabled on that file, IIS never challenges the browser and the page sees the anonymous account instead of the user.

If you want users to be logged in automatically whenever they are already authenticated, you will need to make this page your default page. In that case, however, any non-authenticated user (assuming you have correctly configured Windows Authentication on this file) will receive an HTTP 403.2 error 'Read Access Denied' or a 401.3 'Access forbidden' error, so you will need to open the Custom Errors tab of the web site within IIS and map those errors, typically to your normal login page, as illustrated:
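The verification steps a seamless-login page should carry out before it issues a session are easier to see in code. The following is an added example in the style of a WinLogin.aspx code-behind; it is not InstantKB.NET's code and does not show what the LDAP module actually does internally. The `SeamlessLogin.Domains` appSetting, the `KbUserStore` lookup and its two sample accounts are assumptions constructed for the example.

```csharp
// Added example, not InstantKB.NET's code: a hypothetical code-behind for a seamless-login
// page in the style of WinLogin.aspx. The appSetting name, the KbUserStore lookup and the
// sample account mapping are assumptions made for illustration.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Net;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Constructed stand-in for the KB's user store: maps DOMAIN\user to a KB user name.
public static class KbUserStore
{
    private static readonly Dictionary<string, string> Accounts =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { @"CORP\jsmith", "john.smith" },
            { @"CORP\adoe",   "alice.doe"  },
        };

    public static string FindByWindowsAccount(string domain, string user)
    {
        string kbUser;
        return Accounts.TryGetValue(domain + "\\" + user, out kbUser) ? kbUser : null;
    }
}

public partial class WinLogin : Page
{
    // Domains whose accounts may be mapped to KB users (assumed appSetting, e.g. "CORP,LAB").
    private static readonly string[] AllowedDomains =
        (ConfigurationManager.AppSettings["SeamlessLogin.Domains"] ?? "CORP")
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);

    protected void Page_Load(object sender, EventArgs e)
    {
        // Only the identity IIS established is trusted. Never derive the user from a
        // header, cookie or query-string value the client could have supplied itself.
        WindowsIdentity id = Request.LogonUserIdentity;

        // 1. IIS must have authenticated the caller with a Windows scheme. If Anonymous
        //    access is still enabled on this page, LogonUserIdentity is the anonymous
        //    account (IsAnonymous == true); answer 401 rather than log that account in
        //    (under Forms mode the 401 becomes a redirect to the normal login page).
        if (id == null || id.IsAnonymous || !id.IsAuthenticated) { Fail(401); return; }
        string scheme = id.AuthenticationType ?? "";
        if (scheme != "Negotiate" && scheme != "Kerberos" && scheme != "NTLM") { Fail(403); return; }

        // 2. Only accounts from the domains we trust. A local machine account or a user
        //    from an unrelated trusted domain is refused. Names arrive as DOMAIN\user.
        string[] parts = id.Name.Split('\\');
        if (parts.Length != 2 ||
            !Array.Exists(AllowedDomains,
                d => d.Trim().Equals(parts[0], StringComparison.OrdinalIgnoreCase)))
        {
            Fail(403);
            return;
        }

        // 3. Seamless login is meant for internal users only: refuse requests that did not
        //    arrive from a private address. Behind a reverse proxy this sees the proxy's
        //    address, so the check must then be enforced on the proxy instead.
        IPAddress client;
        if (!IPAddress.TryParse(Request.UserHostAddress, out client) || !IsInternal(client))
        {
            Fail(403);
            return;
        }

        // 4. Map the Windows account to a KB account and issue the normal forms ticket, so
        //    the rest of the site treats this session exactly like a forms login.
        string kbUser = KbUserStore.FindByWindowsAccount(parts[0], parts[1]);
        if (kbUser == null)
        {
            // Valid domain account without a KB user: fall back to the ordinary login form.
            Response.Redirect(FormsAuthentication.LoginUrl, true);
            return;
        }
        FormsAuthentication.SetAuthCookie(kbUser, false);
        Response.Redirect(FormsAuthentication.GetRedirectUrl(kbUser, false), true);
    }

    // RFC 1918 ranges plus loopback; IPv6 callers are deliberately not treated as internal.
    private static bool IsInternal(IPAddress ip)
    {
        if (IPAddress.IsLoopback(ip)) return true;
        byte[] b = ip.GetAddressBytes();
        if (b.Length != 4) return false;
        return b[0] == 10
            || (b[0] == 172 && b[1] >= 16 && b[1] <= 31)
            || (b[0] == 192 && b[1] == 168);
    }

    private void Fail(int status)
    {
        Response.StatusCode = status;
        Response.SuppressContent = true;
        Response.End();
    }
}
```

The point of steps 1 and 2 is that a page which simply trusts `User.Identity.Name` will happily log in the anonymous account, or the IIS application pool identity, if someone later re-enables Anonymous access on the file. Step 3 is the code form of the recommendation later in this article that only internal users use the WinLogin method.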



Alternate Windows Integrated Access Strategies

Alternatively, you can have a sub-domain, or some other entry point, which points directly at WinLogin.aspx and is used exclusively by your pre-authenticated users, while everyone else uses the existing login/authentication system.

For security reasons we recommend that ONLY internal users use the WinLogin method, and that all external users use the provided authentication form, which may or may not authenticate via Active Directory depending on your configuration.

Further Reading for Advanced Administrators

The most complex configuration to run is one with completely seamless Windows authentication and Forms authentication side by side within the same environment. This is made difficult by the architecture of IIS: the Forms authentication module turns the 401 challenge that Windows authentication relies on into a 302 redirect to the login page, so the browser never gets the chance to present its credentials. This was chief among our considerations in the development of the Active Directory module.
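On IIS 7 in integrated mode the conflict shows up exactly as the comments below describe: Windows authentication is enabled on WinLogin.aspx only, the browser receives a 302 to the login page instead of a 401, and IIS Manager warns that challenge-based and login redirect-based authentication cannot be used simultaneously. One way to keep both is a small HTTP module that restores the challenge for that one path. The following is an added example, not the AD module's code and not the approach of the linked article; the module name, the `SeamlessLogin.Path` appSetting and the web.config fragment in the comments are assumptions.

```csharp
// Added example, not InstantKB.NET's code: a hypothetical IIS 7 integrated-pipeline module
// that keeps the Windows challenge alive for the seamless-login page while Forms
// authentication is enabled for the rest of the application. The module name, the
// "SeamlessLogin.Path" appSetting and the configuration below are assumptions.
//
// Configuration it relies on (the KB's web.config, integrated pipeline):
//   <system.web><authentication mode="Forms"> ... </authentication></system.web>
//   <location path="WinLogin.aspx">
//     <system.web><authorization><deny users="?" /></authorization></system.web>
//     <system.webServer><security><authentication>
//       <anonymousAuthentication enabled="false" />
//       <windowsAuthentication enabled="true" />
//     </authentication></security></system.webServer>
//   </location>
//   <system.webServer><modules>
//     <add name="SeamlessLoginChallenge" type="SeamlessLoginChallengeModule" />
//   </modules></system.webServer>
// Overriding the IIS authentication sections per location requires those sections to be
// unlocked in applicationHost.config.
using System;
using System.Configuration;
using System.Web;
using System.Web.Security;

public class SeamlessLoginChallengeModule : IHttpModule
{
    private static readonly string LoginPath =
        ConfigurationManager.AppSettings["SeamlessLogin.Path"] ?? "/WinLogin.aspx";

    public void Init(HttpApplication app)
    {
        // EndRequest handlers run in registration order. FormsAuthenticationModule is
        // registered at machine level, so by the time this runs it has already replaced
        // the 401 from Windows authentication with a 302 to the login page.
        app.EndRequest += OnEndRequest;
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpRequest req = ctx.Request;
        HttpResponse res = ctx.Response;

        // Only the seamless-login page is affected; every other path keeps Forms behaviour.
        if (!string.Equals(req.Path, LoginPath, StringComparison.OrdinalIgnoreCase)) return;
        if (res.StatusCode != 302) return;

        // Undo only redirects that target the forms login page. A 302 the page itself
        // issued after a successful login (to ReturnUrl) must pass through untouched.
        string location = res.RedirectLocation ?? "";
        if (location.IndexOf(FormsAuthentication.LoginUrl, StringComparison.OrdinalIgnoreCase) < 0)
            return;

        res.ClearContent();
        res.RedirectLocation = null;
        res.StatusCode = 401;
        // Re-issue the challenge the Windows authentication module produced, so the
        // browser can answer with Kerberos or NTLM on its next request.
        res.AppendHeader("WWW-Authenticate", "Negotiate");
        res.AppendHeader("WWW-Authenticate", "NTLM");
    }

    public void Dispose() { }
}
```

The module changes nothing for a request that already carries valid Windows credentials: IIS authenticates it, no 401 is generated, and WinLogin.aspx runs normally. Unauthenticated browsers hitting any other page still get the ordinary Forms redirect. On .NET 4.5 and later the same effect can be had without re-creating the header by setting `Response.SuppressFormsAuthenticationRedirect = true` for that path before the Forms module's EndRequest runs.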

The related links below may be of use to you when configuring windows authentication with your installation of the AD Module.

Should you have any questions please don't hesitate to post your comment below or contact us.



User Comments

Comment by James Trott, posted 20th August 2009
In Server 2008 they stopped this from functioning as it used to under 2003; however, you can still achieve the desired configuration, and this is a known issue in web application development and web-server configuration circles. The best advice I can give is that you take a look at the article we linked to in our integrated authentication KB article, but I'll repost it here for ease of access: http://mvolo.com/blogs/serverside/archive/2008/02/11/IIS-7.0-Two_2D00_Level-Authentication-with-Forms-Authentication-and-Windows-Authentication.aspx

Comment by Dobromil Maly (http://www.cleverlance.com), posted 20th August 2009
I'm using W2008 Server, 64-bit, and IIS7, KB 2.0.6 with the AD module.

For the root of the web application (IIS virtual directory) I've enabled only Forms authentication. When I try to enable Windows Auth for WinLogin.aspx only, the "challenge-based and login redirect-based authentication cannot be used simultaneously" warning appears. Then, when I try to open the WinLogin.aspx page using a browser, "Internet Explorer cannot display the webpage" appears. When I use Mozilla FF, "Object moved to here." appears.

In my opinion the problem is that IIS7 sends an HTTP 302 Login/Redirect code; unfortunately, forms auth cannot be disabled at a lower level. Do you know how to solve this issue?

Thanks a lot.

Details
Category: Active Directory
Product: InstantKB.NET
Version: 2.0
Type: HOWTO
Level: Intermediate
Last Modified By: Ryan Healey
Last Modified:13th May 2009

© 1999-2009 InstantASP Limited. All Rights Reserved.