Last post Feb 17, 2014 09:36 AM by Willgart
Feb 13, 2014 01:52 PM|Willgart
I'm looking for a solution to provide forms based authentication on top of a Windows (NTLM/Kerberos) secured site.
In the past I did this using ISA Server, but I'm looking for a solution which doesn't rely on external servers and tools.
My users will go to www.mysite.com where there is a welcome message (+ reset password etc...). From here the user will type a login/pwd and be redirected to the Windows authentication secure site (secure.mysite.com), and I don't want to receive the popup login window.
I'm NOT using Basic authentication.
I tried to add the www-authenticate header with no success.
So... thanks for your help :)
Feb 13, 2014 02:13 PM|PatriceSc
Try perhaps to explain your goal or the benefit you are trying to get. It could raise better suggestions.
For now it seems that you have 2 sites, each using their own authentication mechanism, so I'm not sure how both identities could even be matched (or is the user supposed to enter the same thing he would enter on the NTLM site?). Instead you could likely use some kind of single sign on authentication solution (that is, have 2 web sites using a single identity).
If this is to get some additional security, you likely have multiple authentication factor solutions you could use.
If this is to provide a password change capability, usually you have to provide your old password; try perhaps around
http://support.microsoft.com/kb/297121/en-us and related links...
Edit: tell also if this is for internet or intranet use. For example if you force NTLM, the intranet site is usable directly from within your company and raises a dialog box when used externally. You likely also have web based VPN solutions etc. Some context is needed.
BTW you may want to try also an IIS forum.
Feb 13, 2014 03:33 PM|Willgart
The secure site is mainly for extranet usage, but some internal users will access it too.
We have customers which can go on the site and access SSRS reports, SharePoint 2010 Excel Services reports, PerformancePoint dashboards etc...
We also use another 3rd party web OLAP tool.
Everything requires Windows authentication and Kerberos delegation to ensure the security works fine.
So today the users are prompted for the login password through a popup dialog box. The business wants to use forms based authentication to provide a nicer login page.
We may use Basic authentication instead of Windows authentication, but we have to keep Windows authentication in place.
(I'll do some tests using Basic authentication)
I can see tools like Cafesoft but it's a big additional cost for us, so I'm first looking for "simple" solutions.
Feb 13, 2014 09:09 PM|Willgart
OK... using Basic authentication I'm able to create a FB page, authenticate the user using a jQuery call, then redirect them to the page,
and no popup window appears.
But... as my site has both Windows and Basic authentication enabled... I suffer an issue.
The system tries to authenticate the user using the Windows popup even if the user was previously authenticated with the Basic authentication method!
step 1: go on the FB page, click OK
step 2: jQuery call to a page on the target site where Basic authentication is enforced, success
step 3: redirect the user to this page, success
step 4: navigate to the root folder of the target site, where both Windows and Basic authentication are enabled, fail, a new popup window appears (this time the Windows authentication dialog box, not the Basic one)
So from what I understand the system always tries to use the Windows authentication method first, then Basic authentication... even if the user was previously authenticated! :(
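
Added example, not part of the original posts: a small JavaScript model of the step 4 result above. It assumes the site root answers with one `WWW-Authenticate` header per enabled scheme and that the browser ranks schemes in the order documented for Chromium (Negotiate, NTLM, Digest, Basic); the sample headers, option names and outcome labels are constructed for illustration.

```javascript
// Added illustration, not code from the thread. Scheme scores follow the
// preference order documented for Chromium's network stack; other browsers
// may order differently (assumption).
const SCHEME_SCORE = new Map([
  ['negotiate', 4], ['ntlm', 3], ['digest', 2], ['basic', 1],
]);

// Turn the WWW-Authenticate header values of one 401 response into
// { scheme, realm } objects (one header value per enabled scheme).
function parseChallenges(headerValues) {
  return headerValues.map((value) => {
    const [scheme, ...rest] = value.trim().split(/\s+/);
    const realm = /realm="([^"]*)"/i.exec(rest.join(' '));
    return { scheme: scheme.toLowerCase(), realm: realm ? realm[1] : null };
  });
}

// Pick the highest-scoring scheme the client supports, or null if none.
function selectScheme(headerValues) {
  let best = null;
  for (const c of parseChallenges(headerValues)) {
    const score = SCHEME_SCORE.get(c.scheme);
    if (score === undefined) continue; // unknown scheme: ignore it
    if (best === null || score > SCHEME_SCORE.get(best.scheme)) best = c;
  }
  return best ? best.scheme : null;
}

// What the user sees: cached Basic credentials are only replayed when Basic
// is the selected scheme; Negotiate/NTLM without usable ambient Windows
// credentials (the extranet case) ends in a login dialog.
function outcome(headerValues, { cachedBasic, ambientWindowsLogon }) {
  const scheme = selectScheme(headerValues);
  if (scheme === 'basic') return cachedBasic ? 'silent-basic' : 'prompt-basic';
  if (scheme === 'negotiate' || scheme === 'ntlm') {
    return ambientWindowsLogon ? 'silent-windows' : 'prompt-windows';
  }
  return scheme === null ? 'no-supported-scheme' : `prompt-${scheme}`;
}

// Constructed sample challenges (host name taken from the thread).
const BASIC_ONLY_PAGE = ['Basic realm="secure.mysite.com"'];
const SITE_ROOT = ['Negotiate', 'NTLM', 'Basic realm="secure.mysite.com"'];
const extranetUser = { cachedBasic: true, ambientWindowsLogon: false };

console.log(outcome(BASIC_ONLY_PAGE, extranetUser)); // steps 2 and 3
console.log(outcome(SITE_ROOT, extranetUser));       // step 4
```

In this model, with both schemes enabled on the root, the cached Basic credentials are never offered, which matches the Windows dialog reported in step 4.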
Feb 14, 2014 05:58 AM|PatriceSc
Try perhaps http://msdn.microsoft.com/en-us/library/ms972958.aspx (I have not given it a close look and it lacks a clear summary of what it is about IMO ;-)
Is this really FB you'll use? If I step back a bit it seems you are definitely looking at using single sign on. Try
If the need is just to have a nicer login page I don't see what prevents you from just creating a nice landing page. Then the user could click a link (or I was thinking about an iframe pointing to a Windows authenticated page) to show the usual dialog box as a popup and still be able to see the landing page. Strictly speaking I don't think you can handle this, as NTLM requires a complex exchange between the server and the client so the browser has to handle this itself.
Else it seems it could be a bigger project moving all this stuff from Windows integrated authentication to claims based authentication. I believe in this case you do something such as: authentication happens on one site, the second site doesn't deal with authentication but trusts the other site to tell who the user is (external users could even use their own company account). Then I believe also this claim token can be translated back to a Windows token... Try to search for "claim authentication"/ADFS.
(and the "organization accounts" section in the link above).
Feb 14, 2014 07:31 AM|Willgart
Is SSO able to do Kerberos delegation and impersonation?
It's the key point for us.
We have to ensure that the user is correctly secured when accessing back data stored in the OLAP cube, and this is done for us using Kerberos delegation.
Feb 14, 2014 08:00 AM|PatriceSc
It seems you can convert claims to Kerberos :
At this point an MSDN forum about Windows Server might be better..
Feb 17, 2014 09:36 AM|Willgart
Yes, it's possible to convert claims to Windows, but this works only with Windows authentication or Basic authentication. Forms based authentication is not supported (at least using the SharePoint LDAP provider).
But because I'm also using 3rd party applications I can't use this. I still need Windows authentication or Basic authentication...