NTLM SSO Problems

Mark Gamache
Re: NTLM SSO Problems

Windows integrated auth has a couple of interesting gotchas related to both authentication and authorization.

First, IE will not perform SSO unless the site falls properly into either the Intranet zone or the Trusted Sites list.  THEN, whichever of the two it falls into, the SSO option has to be set.  Each zone has predefined security levels, such as High, Medium, and Low, as well as the custom option.  Whichever you pick, the granular option near the bottom of that huge list, 'Automatic logon with current user name and password', must be selected.

I can't recall which level does that.  I usually go custom to be sure.  At that point the browser will be willing to do the auth.

The second part is the server side.  When you turn on integrated auth, the user's browser authenticates the user to the server, and now the user's access to the server occurs in that user's security context.  This means that access to the file system (your php, asp, aspx, and html files) must be granted to the user in the Windows Security tab.  Usually we assign the Users group read access to the top folder in your site.  This can be mildly complicated by app servers, as some actions do occur in the security context of the AppPool account.

If things get ugly, you have to turn on failure auditing in Local Security Policy and reboot.  Then turn on auditing in the file system at the top of your site structure.  Then the event logs show what object can't be opened.  Good luck.  This is a combination of a few different disciplines, having little to do with your code, except for the part where it tanks it.  :P

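The client-side zone settings and the server-side permission and auditing steps described in the reply above, put together as one PowerShell script. This is an added example, not code from the original post or its author. The host name `intranet.example.com`, the site root `C:\inetpub\wwwroot`, and the choice of the Intranet zone (rather than Trusted Sites) are assumptions; the registry value names, `icacls` and `auditpol` syntax, and the Security event IDs are the standard Windows ones. It goes slightly beyond the post by setting the IE zone options through the registry instead of the Internet Options dialog, which is the same settings the dialog writes.

```powershell
# Added example, not from the original post. Assumed placeholders:
$SiteHost = 'intranet.example.com'   # assumed host name of the site
$SitePath = 'C:\inetpub\wwwroot'     # assumed site root on the web server

# ---- Client side (run as the browsing user; writes HKCU) ------------------
# 1. Put the host in the Local Intranet zone (zone 1). A value of 2 would put
#    it in Trusted Sites. One DWORD per protocol under ZoneMap\Domains\<host>.
$zoneMap = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$SiteHost"
New-Item -Path $zoneMap -Force | Out-Null
New-ItemProperty -Path $zoneMap -Name 'http' -PropertyType DWord -Value 1 -Force | Out-Null

# 2. In that zone, set the "Logon" action (value 1A00) to automatic logon
#    with the current user name and password. Known values:
#      0x00000  automatic logon with current user name and password
#      0x10000  prompt for user name and password
#      0x20000  automatic logon only in Intranet zone (zone 1 default)
#      0x30000  anonymous logon
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
Set-ItemProperty -Path $zoneKey -Name '1A00' -Type DWord -Value 0

# ---- Server side (run elevated on the web server) --------------------------
# 3. Grant BUILTIN\Users read+execute on the site root, inherited by
#    subfolders (CI) and files (OI), so a request running in the browser
#    user's security context can open the .php/.asp/.aspx/.html files.
icacls $SitePath /grant 'BUILTIN\Users:(OI)(CI)RX'

# 4. Enable failure auditing for the File System subcategory of Object Access.
auditpol /set /subcategory:"File System" /failure:enable

# 5. Add a failure-audit SACL at the top of the site so refused opens get
#    logged. Get-Acl needs -Audit to read/write the SACL.
$acl  = Get-Acl -Path $SitePath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'ReadData,ReadAttributes,ExecuteFile',
    'ContainerInherit,ObjectInherit', 'None', 'Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $SitePath -AclObject $acl

# 6. Read the Security log for failed object access: 4656 (handle requested)
#    and 4663 (access attempted), filtered to the Audit Failure keyword.
#    The output shows which account was refused which object.
Get-WinEvent -FilterHashtable @{
    LogName  = 'Security'
    Id       = 4656, 4663
    Keywords = 4503599627370496      # 0x10000000000000 = Audit Failure
} -MaxEvents 20 -ErrorAction SilentlyContinue |
  ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Account = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Object  = $d.ObjectName
        Access  = $d.AccessList
    }
  } | Format-Table -AutoSize
```

The two halves run on different machines and as different principals: steps 1 and 2 as the user whose browser should do SSO (they only touch HKCU), steps 3 to 6 in an elevated prompt on the web server, since writing a SACL and changing audit policy need administrator rights. `auditpol` applies the audit setting immediately, so the reboot the post mentions is only needed if you set it through the Local Security Policy MMC and it does not take effect. If the failing opens in step 6 show the AppPool identity rather than the browsing user, that is the app-server case the post warns about, and the AppPool account needs the read grant too.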