Last post Sep 22, 2011 12:48 PM by bbcompent1
Sep 21, 2011 12:42 PM | stanleyabcd
I have a client. Their users log in to Windows using an Active Directory account, and they want to create a web site that authenticates users automatically with their current Windows account (i.e. single sign-on on the web) by using Windows Authentication in ASP.NET.
As their company is quite big, their Active Directory structure is quite complex.
The following is an illustration (only a simplified version is shown below):
They have a root domain called ABC.com and there are several subdomains under it.
The IIS server is placed in "XX.ABC.com". I believe that all users in this domain have no problem with single sign-on.
However, could users in YY.ABC.com and ZZ.ABC.com log in to the site using their AD account?
If not, then:
if the server is moved to the root domain (i.e. ABC.com), could users in all subdomains (i.e. XX.ABC.com, YY.ABC.com and ZZ.ABC.com) log in to the site?
However, the client said that "moving the server to the root domain will cause a timeout problem because it may need to go through all subdomains to search for a single user". Is it true?
Is there any method that keeps the server in XX.ABC.com but can still authenticate YY.ABC.com and ZZ.ABC.com?
Sep 21, 2011 12:49 PM | bbcompent1
If there is a proper domain trust set up between those subdomains, then yes, provided you also give those AD users access. Generally, for large enterprises, I will always use AD groups to control access, so if an employee from yy.abc.com needs access to the web app in zz.abc.com, I simply add them to the corresponding group that has access.
Sep 22, 2011 01:11 AM | stanleyabcd
I have set up a two-way trust between the two subdomains; however, a user that is not in the same domain as the server still cannot access the web site.
And I have set the authorization rules as follows:
<deny users="?" />
<allow users="*" />
Is there any other setting required for a trusted domain to access the web site through Windows Authentication?
Also, Active Directory and the web server are not on the same computer. Is that OK in this case?
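As an added example (not posted by either participant), here is a web.config that puts the Windows Authentication setup together with the group-based access bbcompent1 describes, in place of the `?`/`*` user rules above; the group name XX\WebAppUsers is a placeholder:

```xml
<!-- Added example, not from the thread. XX\WebAppUsers is a placeholder
     for a domain-local group in the server's domain (XX.ABC.com); users
     from the trusted domains YY.ABC.com and ZZ.ABC.com are made members
     of that group instead of being listed individually. -->
<configuration>
  <system.web>
    <!-- IIS and Windows (Kerberos or NTLM) establish the caller's identity;
         the application never sees a password. -->
    <authentication mode="Windows" />
    <authorization>
      <!-- Rules are evaluated top to bottom and the first match wins,
           so the group grant must come before the catch-all deny. -->
      <allow roles="XX\WebAppUsers" />
      <!-- Everyone else, including anonymous callers, is refused. -->
      <deny users="*" />
    </authorization>
  </system.web>
  <system.webServer>
    <security>
      <authentication>
        <!-- If anonymous authentication stays enabled in IIS 7 or later,
             the browser is never challenged and single sign-on cannot
             happen; turn it off and enable Windows authentication. -->
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

The `system.webServer/security/authentication` section is locked at the server level by default, so it must be unlocked in applicationHost.config (or the same options set in IIS Manager) before the site-level settings take effect.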
Sep 22, 2011 10:02 AM | bbcompent1
If the web server is a member of the domain and has an SPN configured in the AD, then the trust should work. SPN, for reference's sake, is Service Protocol Name.
Sep 22, 2011 12:48 PM | bbcompent1
I always get that backward; it's Service Principal Name. Sorry, my bad. Here is a link that explains what it is.
And some related info on how to create an SPN: