views:

252

answers:

2

Hi all.

Hope this is the right place to be asking this, so my apologies if it isn't.

I have written a number of web applications which use Windows authentication to allow uer access. The only problem is that we have 2 domains at work, one called student.local and one called staff.local. All of the servers sit on the staff.local domain. When a user tries to enter the application from student.local, they get the standard Windows network login prompt as credentials are not passed between student.local and staff.local. I would like to be able to either...

Find some way to authenticate the user's student.local credentials against staff.local, as the user should have accounts on both which, theoretically, should have idential username/password.

OR

Instead of the network prompt, pop up a more friendly login page for the user to login to. This should only display is the user is coming from student.local. If they are coming from staff.local, they should be automatically authenticated against the domain and allowed access to the application.

+1  A: 

This is most likely caused by the security set up in Internet Explorer. You need to make sure that student.local AND staff.local are both recognized as being in the "Intranet Zone", and that your security settings for that zone is set to authenticate with the current user's name and password (it is the last setting in the list for your zone-specific security settings).

Take a look at when you are getting prompted to go to a staff.local website. Look at the bottom-right corner of the browser. Does it say "Internet Zone" or "Intranet Zone"? If it says "Internet Zone", then that's likely what you're running into. I can't be too much more specific, since in order to tell you exactly where to click, I'd have to be running IE (I'm on a mac right now)

Dave Markle
I will check this out on Monday. I was told by our IT department (and I am merely repeating here as I do not know alot about AD), that authentication credentials are not passed between a machine on student.local and a web server on staff.local. Apparently this is something to do with the set up of the domains and is for security purposes to prevent students from gaining access to staff-only servers.
hermiod
It IS possible that you could have a Group Policy object put in place by your IT department that would tell the browser not to forward credentials to anything other than student.local for student machines. IMO this is ridiculous, but then again, most IT departments have people who don't know what they're doing running the show. Good luck and godspeed.
Dave Markle
+1  A: 

How are the accounts set up on the domains? Users shouldn't have more than one account. Either the account is on the staff domain or the student domain. If you need to authenticate a student account on a staff server, you need to ensure that your domains are in the same forest. If they aren't in the same forest, you need to set up a trust between the forests.

Jesse Weigert
This is a problem with the setup of our domains. When a member of staff joins the company, they are set up with accounts on both the student and staff domains. The accounts have identical usernames and initially have the same default password, but from this point on they are both completely separate. They can have separate passwords and separate permissions, etc. Following the account creation, the two accounts have nothing to do with each other.
hermiod
Whooooooa..... Then that changes *my* answer. If there's no trust relationship and your IT department is duplicating logins and doesn't grant access across the domains, you are painted into a corner and can't do anything. Sorry.
Dave Markle
I was afraid you were going to say that! That's what IT have been saying but I'm a stubborn mule sometimes. Unfortunately, it's just a legacy of the old management (both company-wide management and IT management) where the staff just weren't given the training, time, or resources to do things properly. Now that we've started making quite heavy use of web applications, this has really come back to bite us in the arse!Thanks for your reply. I will mark you as the answer...even though it was the answer I was dreading :-)
hermiod