I have a virtual folder containing an administration application, like

https://www.mysite.com/alpha

which requires SSL. In the IIS manager properties for the folder, under "Authentication and access control", Anonymous Access is disabled and "Authenticated Access" is set to "Integrated Windows authentication."

When I connect to the site in Chrome, I receive two login boxes. The first is from mysite.com/alpha:443, and the second is from mysite.com/alpha:80. Firefox appears to re-send my credentials for the second box so it is never shown.

Any ideas why I'd be required to log in twice?

A: 

Yep,

One uses SSL, the other does not. Therefore, you are not allowed to share the credential cache from a secure session with the one of the unsecure session.

If you require SSL, then directly redirect the users to the SSL website.

cRichter
"One but not the other" what? The entire folder requires authentication.
David Lively
+1  A: 

If you require SSL for authenticated users on your website (for any reason), then the best solution is to always have your "Login" page on https://. That way when they log in, they are instantly secure. The reason for this is because of the native design of SSL. It separates/secures itself from the non-secure version by not passing authentication states between http and https.

You will also have to write some logic to redirect returning authenticated visitors to the secure page (i.e. visitors who can return authenticated from a cookie).

EDIT:

Since you're using Windows authentication, it's probably easiest to simply redirect ALL incoming http traffic to https. This means your entire site will be over SSL and will be inaccessible via http (other than to redirect to https).

I wrote a Blog Post on forcing a website to use WWW in the web address, but it can also be ported to forcing https.

rockinthesixstring
Since I'm not using forms authentication, I'm not sure what you mean by "login page"?
David Lively
Ah, if you're using Windows authentication, then the easiest thing to do would be to redirect all unsecure traffic to the secure page. See my edit.
rockinthesixstring
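The redirect the second answer recommends can be done in IIS configuration rather than in application code. The following web.config fragment is an added example, not code from the thread or from either answerer; it assumes IIS 7 or later with the URL Rewrite module installed, and the host name is only the one used in the question.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example web.config fragment (not from the thread). Assumes IIS 7 or
     later with the URL Rewrite module installed. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Any request that arrives without TLS gets a 301 to the same path
             on https. URL Rewrite runs at the BeginRequest stage, ahead of the
             authentication stage, so the redirect is sent before IIS issues a
             Windows-auth challenge on port 80 and the browser never negotiates
             credentials over plain http. -->
        <rule name="Force HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <!-- {HTTPS} is "on" only for requests that arrived over TLS -->
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect"
                  url="https://{HTTP_HOST}/{R:1}"
                  appendQueryString="true"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Keep "Require SSL" enabled on the folder as well, so a plain-http request that somehow bypasses the rule is still refused rather than served. To check the fix, request http://www.mysite.com/alpha with the browser's network tools open: the first response should be a 301 whose Location header points at https, with no 401 challenge preceding it. One prompt on the https side is still expected; the second prompt disappears because the port-80 challenge never happens.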