Hi, we have multiple web applications running Windows authentication.
Users log on to the websites using Domain\Username, which is different from the DomainOther\UsernameOther that they use on their local computers.
Considering we have 2 sites, One.xyz.com and Two.xyz.com, both running Windows Authentication (and the user logs in to both using Domain\Username), is it possible to have the user redirected from a page on One.xyz.com to the homepage of Two.xyz.com without entering his credentials again once he has already entered them on One.xyz.com?
Is it possible to do this using ASP.NET?

Kind regards,

A: 

SharePoint supports SPNEGO authentication, a form of single sign-on. MSDN has documentation for using SPNEGO for single sign-on in .NET. Look at the Microsoft Security SSPI. I found this sample with a quick search.

SPNEGO is a Microsoft variation of Kerberos and it will interoperate with IBM products and Oracle WebLogic, as well.

If you want single sign-on using an international standard that has wider interoperability than Kerberos, you should use SAML. See Active Directory Federation for a Microsoft discussion of SAML. However, SAML is much more complicated to implement and configure.

David G
So how do I pass credentials from one site to another when both sites are using Windows authentication?
SharePoint Newbie
That's part of the SPNEGO protocol. It defines how a Kerberos ticket is passed.
David G
If you use .net, the SSPI will handle the token passing.
David G
I rephrased the question: both these sites are SharePoint sites and they show the standard Username/password popup.
SharePoint Newbie
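As an added example, not part of the answer above and not a Microsoft or SharePoint sample: the answer says the SSPI handles the token passing, and the token it passes rides in the Authorization: Negotiate header. When a site keeps showing the username/password popup, a practitioner usually wants to see what the browser actually offered: a SPNEGO negTokenInit listing Kerberos, a bare Kerberos token, or only NTLM. The Python below decodes that header far enough to tell. The DER walker, the OIDs and the field names are standard (RFC 2743, RFC 4178, RFC 4121); the sample headers at the bottom are constructed in the script, not captured traffic, and `offers_kerberos` / `has_mech_token` are names chosen here.

```python
import base64

# GSS-API mechanism OIDs (dotted form) seen in Authorization: Negotiate tokens.
OID_SPNEGO = "1.3.6.1.5.5.2"            # SPNEGO pseudo-mechanism (RFC 4178)
OID_KRB5 = "1.2.840.113554.1.2.2"       # Kerberos V5 (RFC 4121)
OID_MS_KRB5 = "1.2.840.48018.1.2.2"     # Microsoft's Kerberos OID variant
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"  # NTLMSSP as a GSS mechanism
KERBEROS_OIDS = {OID_KRB5, OID_MS_KRB5}


def encode_oid(dotted):
    """DER content octets of an OID (no tag/length)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                       # base-128, high bit set on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)


def decode_oid(data):
    arcs = [data[0] // 40, data[0] % 40]
    val = 0
    for b in data[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def der(tag, content):
    """Wrap content in a DER TLV with a single-byte tag."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def parse_spnego(raw):
    """Parse a GSS InitialContextToken; for SPNEGO negTokenInit, list the offered mechTypes."""
    tag, body, _ = read_tlv(raw)
    if tag != 0x60:
        raise ValueError("not an InitialContextToken")
    tag, oid_bytes, pos = read_tlv(body)
    if tag != 0x06:
        raise ValueError("missing thisMech OID")
    mech = decode_oid(oid_bytes)
    if mech in KERBEROS_OIDS:            # bare Kerberos AP-REQ, no SPNEGO wrapper
        return {"kind": "kerberos", "mechs": [mech], "offers_kerberos": True}
    if mech != OID_SPNEGO:
        return {"kind": "unknown", "mechs": [mech], "offers_kerberos": False}
    tag, neg, _ = read_tlv(body, pos)    # NegotiationToken CHOICE
    if tag != 0xA0:                      # [1] negTokenResp carries no mechTypes
        return {"kind": "spnego", "mechs": [], "offers_kerberos": False}
    _, seq, _ = read_tlv(neg)            # NegTokenInit ::= SEQUENCE { ... }
    mechs, has_mech_token, pos = [], False, 0
    while pos < len(seq):
        ftag, fbody, pos = read_tlv(seq, pos)
        if ftag == 0xA0:                 # [0] mechTypes ::= SEQUENCE OF OID, preferred first
            _, lst, _ = read_tlv(fbody)
            p = 0
            while p < len(lst):
                _, oid_bytes, p = read_tlv(lst, p)
                mechs.append(decode_oid(oid_bytes))
        elif ftag == 0xA2:               # [2] mechToken: optimistic token for mechTypes[0]
            has_mech_token = True
    return {"kind": "spnego", "mechs": mechs, "has_mech_token": has_mech_token,
            "offers_kerberos": any(m in KERBEROS_OIDS for m in mechs)}


def classify_negotiate_header(header_value):
    """Classify the token in an Authorization: Negotiate (or NTLM) header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme not in ("Negotiate", "NTLM"):
        return {"kind": "unsupported", "scheme": scheme}
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):   # raw NTLM message; type is a LE uint32 at offset 8
        return {"kind": "ntlm", "message_type": int.from_bytes(raw[8:12], "little"),
                "offers_kerberos": False}
    if raw[:1] == b"\x60":
        return parse_spnego(raw)
    return {"kind": "unknown", "offers_kerberos": False}


def build_neg_token_init(mech_oids):
    """Constructed sample: SPNEGO negTokenInit offering the given mechanisms, no mechToken."""
    mech_list = der(0x30, b"".join(der(0x06, encode_oid(o)) for o in mech_oids))
    neg_init = der(0xA0, der(0x30, der(0xA0, mech_list)))
    token = der(0x60, der(0x06, encode_oid(OID_SPNEGO)) + neg_init)
    return "Negotiate " + base64.b64encode(token).decode()


# Constructed sample headers, not captured traffic.
SAMPLE_SPNEGO_HEADER = build_neg_token_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP])
SAMPLE_NTLM_HEADER = "NTLM " + base64.b64encode(
    b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + b"\x00" * 16).decode()

if __name__ == "__main__":
    for h in (SAMPLE_SPNEGO_HEADER, SAMPLE_NTLM_HEADER):
        print(classify_negotiate_header(h))
```

Feed it the Authorization header from a browser developer tools capture or an IIS trace. A negTokenInit whose mechTypes starts with a Kerberos OID is the browser trying Kerberos; a list that is NTLMSSP only, or a raw NTLMSSP message, means no ticket was obtained for that site's SPN, which is the first thing to check when the two sites are not sharing the logon.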
+1  A: 

What you are looking for is called Single Sign-On, and there are a broad variety of commercial products capable of supporting your needs. Many of them pass credentials via server variables over HTTPS so that the user doesn't see the credentials in the URL. I've worked with companies that wanted to "roll their own" and who went for other approaches (session keys that reference a third server, encrypted and time-sensitive URL strings, etc.).

To get started, you'll want to read the Wikipedia entry on single sign-on (it links with SAML as well). You may want to visit some of the more popular commercial vendors' websites such as Passlogix and Imprivata as well (there are dozens, though, so don't take this list as exhaustive or even particularly recommended - just popular).

Mark Brittingham
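The "time-sensitive URL strings" approach mentioned in the answer above, as an added example that is not from the answer, the commercial products it names, or any ASP.NET API. The token is HMAC-signed rather than encrypted, since what the receiving site needs is proof that One.xyz.com minted it (the username is not secret from its owner); it is bound to the target site, expires after one minute, and carries a nonce so a copied URL cannot be replayed. The shared key, the claim names, the `sso` query parameter and the Two.xyz.com landing page are assumptions made here.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: both sites hold this key out of band (a real deployment pulls it from a key store).
SHARED_KEY = b"example-shared-key-replace-me"
TOKEN_TTL_SECONDS = 60          # short-lived: the token only has to survive one redirect


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_sso_token(username, audience, now=None, key=SHARED_KEY):
    """Minted by One.xyz.com after Windows auth succeeded; names the site it is for."""
    now = int(time.time()) if now is None else now
    claims = {"sub": username, "aud": audience, "iat": now,
              "exp": now + TOKEN_TTL_SECONDS, "nonce": secrets.token_hex(8)}
    payload = _b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64url(sig)


def verify_sso_token(token, expected_audience, now=None, key=SHARED_KEY, seen_nonces=None):
    """Checked by Two.xyz.com. Returns (username, 'ok') or (None, reason)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None, "malformed"
    payload, sig_b64 = parts
    try:
        sig = _unb64url(sig_b64)
    except ValueError:                               # binascii.Error is a ValueError
        return None, "malformed"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):       # constant-time, before any claim is parsed
        return None, "bad signature"
    claims = json.loads(_unb64url(payload))
    if claims.get("aud") != expected_audience:       # a token minted for another site fails here
        return None, "wrong audience"
    if now >= claims["exp"]:
        return None, "expired"
    if seen_nonces is not None:                      # one-shot: a copied URL cannot be replayed
        if claims["nonce"] in seen_nonces:
            return None, "replayed"
        seen_nonces.add(claims["nonce"])
    return claims["sub"], "ok"


def build_redirect_url(username, now=None):
    """URL One.xyz.com redirects the browser to; 'sso' is the assumed parameter name."""
    return "https://Two.xyz.com/default.aspx?sso=" + issue_sso_token(username, "Two.xyz.com", now)


if __name__ == "__main__":
    url = build_redirect_url("Domain\\Username")
    token = url.split("sso=", 1)[1]
    print(verify_sso_token(token, "Two.xyz.com", seen_nonces=set()))
```

On Two.xyz.com the verified `sub` would be used to establish that site's own session and the URL immediately replaced, since a token in a URL also lands in browser history and server logs; that is the weakness the answer's "server variables over HTTPS" remark is pointing at, and it is why the TTL is kept to one redirect's worth of time.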