views: 41

answers: 2
Has anyone managed to achieve this?

Application should work like this:

  • App admin can add AD users
  • App admin can define users not from AD
  • If a user is added from AD and tries to access the application from the same AD, the application should log him in automatically (single sign-on).
  • If a user is not from AD, or is not added as an application user, the application login form is displayed.

Just to mention, I managed to achieve this on IIS6. I have read several techniques so far with IIS 7 and 7.5 involved, but it seems none of them really works when deployed on production server.

So far I have 2 separate web applications. One web application is configured with forms authentication - this one is main. Other is configured as windows authentication.

So the idea is: the user tries to access the main application, which redirects him to the other application; that one tries to extract his domain username (NTLM) and redirects him back to the main application. The main application tries to log him in as an AD user; if this fails, the forms login is displayed. If the AD user is added as an application user (using the separate admin module of the application), he should be authenticated automatically, meaning no IIS login prompt should be displayed.

These two applications are running in same application pool. Also they are both in integrated pipeline mode.

This works if I set it up on my development Win7 IIS, but when I deploy the application on a Win 2008 server with IIS 7.5, it's not working. I keep getting the IIS login prompt. If I enter my credentials in the IIS login prompt it will eventually log me into the application.

Has anyone had a similar issue and hopefully solved it?
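The hand-off between the two applications described in the question (Windows-auth app extracts the domain username, then redirects back to the forms app) is the step a practitioner most needs to get right: if the username travels back in a plain query string, anyone can forge the redirect and log in as any application user. The following is an added example, not code from the question or the answers, showing one way to integrity-protect that hand-off with a short-lived, single-use HMAC token. The shared secret, the 60-second lifetime, the `sso` query parameter and the `AppUsers` table are assumptions for the example; `HttpContext.Current.User.Identity.Name` and `FormsAuthentication.SetAuthCookie` are the standard System.Web APIs the two applications would use around it.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the question or answers): signed hand-off token for a
// two-application single sign-on. The Windows-auth app calls Issue() with the
// identity IIS authenticated; the forms app calls TryVerify() before it issues
// its own forms ticket and still checks the account against its own user table.
public static class HandoffToken
{
    // Assumed: both applications load the same secret from protected configuration;
    // this literal is only a placeholder for the stand-alone demo.
    private static readonly byte[] SharedKey =
        Encoding.UTF8.GetBytes("PLACEHOLDER-replace-with-32-plus-random-bytes");

    // Assumed lifetime: enough for one redirect, short enough to limit replay.
    private static readonly TimeSpan Lifetime = TimeSpan.FromSeconds(60);

    // Nonces already accepted by this process (tokens are single-use).
    // A web farm would keep these in a shared store instead.
    private static readonly HashSet<string> ConsumedNonces = new HashSet<string>();
    private static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // Token layout: base64url(payload) "." base64url(HMAC-SHA256(payload))
    // payload = DOMAIN\user "|" expiry-unix-seconds "|" nonce
    // '|' is not a legal character in a SAM account name, so it is a safe delimiter.
    public static string Issue(string domainUser, DateTime nowUtc)
    {
        if (string.IsNullOrEmpty(domainUser) || domainUser.Contains("|"))
            throw new ArgumentException("invalid account name", "domainUser");
        long expiry = ToUnixSeconds(nowUtc + Lifetime);
        string nonce = Base64Url(RandomBytes(16));
        byte[] payload = Encoding.UTF8.GetBytes(domainUser + "|" + expiry + "|" + nonce);
        return Base64Url(payload) + "." + Base64Url(Sign(payload));
    }

    public static bool TryVerify(string token, DateTime nowUtc, out string domainUser)
    {
        domainUser = null;
        if (string.IsNullOrEmpty(token)) return false;
        string[] parts = token.Split('.');
        if (parts.Length != 2) return false;

        byte[] payload, signature;
        try { payload = FromBase64Url(parts[0]); signature = FromBase64Url(parts[1]); }
        catch (FormatException) { return false; }

        // Verify the MAC before trusting any field of the payload.
        if (!FixedTimeEquals(Sign(payload), signature)) return false;

        string[] fields = Encoding.UTF8.GetString(payload).Split('|');
        if (fields.Length != 3 || fields[0].Length == 0) return false;
        long expiry;
        if (!long.TryParse(fields[1], out expiry)) return false;
        if (ToUnixSeconds(nowUtc) > expiry) return false;      // expired
        lock (ConsumedNonces)
        {
            if (!ConsumedNonces.Add(fields[2])) return false;    // replayed
        }
        domainUser = fields[0];
        return true;
    }

    private static byte[] Sign(byte[] data)
    {
        using (var hmac = new HMACSHA256(SharedKey)) return hmac.ComputeHash(data);
    }

    // Constant-time comparison (CryptographicOperations is not in .NET Framework).
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static byte[] RandomBytes(int count)
    {
        byte[] buffer = new byte[count];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(buffer);
        return buffer;
    }

    private static long ToUnixSeconds(DateTime utc) { return (long)(utc - Epoch).TotalSeconds; }

    private static string Base64Url(byte[] data)
    {
        return Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    private static byte[] FromBase64Url(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        if (b64.Length % 4 == 2) b64 += "==";
        else if (b64.Length % 4 == 3) b64 += "=";
        return Convert.FromBase64String(b64);
    }
}

public static class Demo
{
    public static void Main()
    {
        DateTime now = DateTime.UtcNow;
        string user;
        string token = HandoffToken.Issue(@"CORP\jdoe", now);      // constructed sample identity
        Console.WriteLine("fresh:    " + HandoffToken.TryVerify(token, now, out user) + " " + user);
        Console.WriteLine("replayed: " + HandoffToken.TryVerify(token, now, out user));
        Console.WriteLine("tampered: " + HandoffToken.TryVerify(token.Substring(0, token.Length - 1), now, out user));
        Console.WriteLine("expired:  " + HandoffToken.TryVerify(HandoffToken.Issue(@"CORP\jdoe", now), now.AddMinutes(5), out user));
    }
}
```

In the Windows-auth application the redirect would be `Response.Redirect(mainAppUrl + "?sso=" + Uri.EscapeDataString(HandoffToken.Issue(HttpContext.Current.User.Identity.Name, DateTime.UtcNow)))`; in the forms application, `HandoffToken.TryVerify(Request.QueryString["sso"], DateTime.UtcNow, out domainUser)` followed by the application's own user lookup and `FormsAuthentication.SetAuthCookie(domainUser, false)`, falling through to the login form otherwise. Send the redirect over HTTPS so the token is not exposed in transit, and keep the Windows-auth application with Anonymous Authentication disabled so `User.Identity.Name` is always the identity IIS actually negotiated.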

A: 

Please update the question with the info you have provided.

As I understand, these two applications are in the same app pool and I believe you need to separate them into two app pools.

Aliostad

A: 

Progress update - this authentication works now as expected (I didn't have to split app pools). The problem was that on the machine accessing the application, the app server has to be registered as Local intranet. This is a must in order for IE to send credentials to the server.

buhtla