stanleyabcd
Member
2 Points
3 Posts
IIS Single Sign on with window credential
Sep 21, 2011 04:42 PM|LINK
I have a client. They log in to Windows using their Active Directory account, and they want to create a web site that authenticates users automatically with their current Windows account (i.e. single sign-on for the web) by using Windows Authentication in ASP.NET.
As their company is quite big, the structure of their Active Directory is quite complex.
The following is an illustration (the one below shows only a simplified version):
ABC.com
|-------- XX.ABC.com
|-------- YY.ABC.com
|-------- ZZ.ABC.com
They have a root domain called ABC.com and there are several subdomains under it.
The IIS server is placed under "XX.ABC.com". I believe that all users in this domain have no problem with single sign-on.
However, could those users in YY.ABC.com and ZZ.ABC.com be logged in to the site using their AD account?
If not, then:
if the server is moved to the root domain (i.e. ABC.com), could users in all subdomains (i.e. XX.ABC.com, YY.ABC.com and ZZ.ABC.com) be logged in to the site?
However, the client said that "moving the server to the root domain will cause a timeout problem because it may need to go through all subdomains to search for a single user". Is it true?
Is there any method that can keep the server in XX.ABC.com but still authenticate YY.ABC.com and ZZ.ABC.com?
bbcompent1
All-Star
32982 Points
8508 Posts
Moderator
Re: IIS Single Sign on with window credential
Sep 21, 2011 04:49 PM|LINK
If there is a proper domain trust set up between those sub-domains, then yes, provided you also give those AD users access. Generally, for large enterprises, I will always use AD groups to control access, so if an employee from yy.abc.com needs access to the web app in zz.abc.com, I simply add them to the corresponding group that has access.
stanleyabcd
Member
2 Points
3 Posts
Re: IIS Single Sign on with window credential
Sep 22, 2011 05:11 AM|LINK
I have set up the two-way trust between the two sub-domains; however, users that are not in the same domain as the server still cannot access the web site.
And I have set the authorization rules as follows:
<authorization>
  <!-- deny anonymous (unauthenticated) users -->
  <deny users="?" />
  <!-- allow every authenticated user -->
  <allow users="*" />
</authorization>
Is there any other setting required for a trusted domain to access the web site through Windows Authentication?
Also, Active Directory and the web server are not on the same computer. Is that OK in this case?
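The following web.config is an added example, not the poster's configuration or anything from the thread. It combines the moderator's advice to control access by AD group with the authorization block posted above, for an ASP.NET application on the web server in XX.ABC.com that should admit users from the trusted YY.ABC.com and ZZ.ABC.com domains. The NetBIOS domain names (XX, YY, ZZ) and the group name WebApp-Users are assumptions; substitute the real ones. Note that the poster's own rules (deny "?", allow "*") already admit every authenticated user from any trusted domain, so if trusted-domain users are still rejected the failure is at the authentication step (trust or SPN), not in these rules.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the thread's own config. Domain names XX/YY/ZZ and the
     group WebApp-Users are placeholders; the groups are assumed to exist in each
     domain and to be resolvable through the two-way trust. -->
<configuration>
  <system.web>
    <!-- Windows Authentication: IIS establishes the identity via Kerberos or NTLM;
         the application never sees a password. -->
    <authentication mode="Windows" />

    <authorization>
      <!-- Group-based access, one group per trusted domain, written as DOMAIN\Group.
           A user from YY or ZZ gets in only if the trust works and they are a
           member of the listed group. -->
      <allow roles="XX\WebApp-Users" />
      <allow roles="YY\WebApp-Users" />
      <allow roles="ZZ\WebApp-Users" />
      <!-- Rules are evaluated in order and the first match wins, so the
           deny-everyone rule goes last. It also covers anonymous users. -->
      <deny users="*" />
    </authorization>
  </system.web>

  <system.webServer>
    <security>
      <authentication>
        <!-- IIS 7+ integrated pipeline. These sections are locked at the server
             level by default (applicationHost.config); unlock them there or set
             them at the site level in IIS Manager, otherwise web.config cannot
             override them. -->
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true">
          <providers>
            <clear />
            <!-- Negotiate first so Kerberos is used when an SPN is registered;
                 NTLM remains as the fallback. -->
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

With anonymous authentication disabled and a deny-all rule at the end, a missing group membership shows up as an HTTP 401 rather than a silent fall-through, which makes access problems easy to distinguish from the trust/SPN problems discussed in the replies below.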
bbcompent1
All-Star
32982 Points
8508 Posts
Moderator
Re: IIS Single Sign on with window credential
Sep 22, 2011 02:02 PM|LINK
If the web server is a member of the domain and has an SPN configured in the AD, then the trust should work. SPN, for reference's sake, is Service Protocol Name.
bbcompent1
All-Star
32982 Points
8508 Posts
Moderator
Re: IIS Single Sign on with window credential
Sep 22, 2011 04:48 PM|LINK
I always get that backward; it's Service Principal Name. Sorry, my bad. Here is a link that explains what it is: http://technet.microsoft.com/en-us/library/cc737007(WS.10).aspx
And some related info on how to create an SPN: http://forums.techarena.in/active-directory/1119841.htm