
Cross-domain integrated Windows authentication in IIS for ASP.NET intranet website

I built an INTRANET ASP.NET website for which authentication is set to "integrated windows authentication", and in the authorization section of web.config I have specified the AD groups (domain\groupname) to restrict access to only the members of those AD groups. Multiple AD groups are specified in web.config (domain1\group1, domain2\group2, etc.). Now this works fine for users of one domain, domain1 (where it is hosted), but users of another domain (domain2) get a prompt to enter their Windows credentials; if they enter them, it works and they can access the site without any problem. But I would like to avoid this login prompt, because I granted access to groups of both domains. Why are they getting this prompt, and is it possible to suppress it? Do I need to configure something in IIS or web.config for it? Thanks in advance.

RKP asked Dec 06 '10 17:12



2 Answers

I believe users in Domain2 can add your website, hosted in Domain1, to their list of Intranet Sites in Internet Explorer->Internet Options->Security->Local Intranet Zone. This zone should automatically log on with the current user name and password. You could make this an AD policy.

KellySandwiches answered Oct 21 '22 03:10
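What the answer above describes, done per user in PowerShell, as an added example that is not part of the original answer: it maps one site into the Local intranet zone and reports that zone's logon setting. The host name and scheme are placeholders, and the helper function names are made up for this example; in a domain the same mapping would normally be pushed by Group Policy rather than written per user.

```powershell
# Added example. $SiteHost and $Scheme are placeholders, not values from the page.
$SiteHost     = 'intranet.domain1.example'
$Scheme       = 'http'
$IntranetZone = 1   # 1 = Local intranet in the URL security zone numbering
$Settings     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Add-ZoneSite {
    param([string]$HostName, [string]$Scheme, [int]$Zone)
    # ZoneMap\Domains\<domain>\<host label> holds a DWORD named after the scheme;
    # its value is the zone number. Map the exact host only, never a whole domain:
    # every site placed in the zone becomes eligible for automatic logon.
    $label, $domain = $HostName -split '\.', 2
    $sub = if ($domain) { "$domain\$label" } else { $label }   # single-label host
    $key = Join-Path $Settings "ZoneMap\Domains\$sub"
    # Create the key only if missing; New-Item -Force on an existing key clears it.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Scheme -Value $Zone `
        -PropertyType DWord -Force | Out-Null
    return $key
}

function Get-ZoneLogonPolicy {
    param([int]$Zone)
    # Action 1A00 is the zone's "User Authentication > Logon" setting.
    $names = @{
        0x00000 = 'Automatic logon with current user name and password'
        0x10000 = 'Prompt for user name and password'
        0x20000 = 'Automatic logon only in Intranet zone'
        0x30000 = 'Anonymous logon'
    }
    $zoneKey = Join-Path $Settings "Zones\$Zone"
    $value = (Get-ItemProperty -Path $zoneKey -Name '1A00' `
        -ErrorAction SilentlyContinue).'1A00'
    if ($null -eq $value) { return 'Not set for this user' }
    if ($names.ContainsKey($value)) { return $names[$value] }
    return ('Unrecognised value 0x{0:X}' -f $value)
}

$key = Add-ZoneSite -HostName $SiteHost -Scheme $Scheme -Zone $IntranetZone
"Mapped ${Scheme}://$SiteHost to zone $IntranetZone at $key"
"Zone $IntranetZone logon setting: $(Get-ZoneLogonPolicy -Zone $IntranetZone)"
```

If the reported setting is "Prompt for user name and password", the zone mapping alone will not remove the credential prompt.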


I'm not sure that you can do this - I believe that users from outside the hosted domain will always be prompted for credentials with 'integrated' security.

You could probably use forms authentication to handle multiple domains. I am heading down the Windows Identity Foundation path myself (which I have no desire to learn) so I'd love for someone to tell me I'm wrong about this!

RogerG answered Oct 21 '22 03:10