date: Wed, 25 Jan 2006 16:59:50 -0800,
group: microsoft.public.platformsdk.internet.server.isapi-dev
Re: Can CustomAuth be shared across multiple sites?
Thanks for the response but I'm a little confused.
In the article you linked to on your blog the question states:
"In this environment we have multiple Microsoft web applications such as
Share Point server, Great Plains server and several other applications,
which include homegrown systems as well as third-party web applications
hosted on Sun and Microsoft platforms. All these applications hosted in DMZ.
All applications are hosted in the same internet DNS domain so cookies can
be shared across web application if required."
This sounds exactly like what I'm looking for. Perhaps I didn't make it
clear that Site A and Site B are on servers within the same domain hosted in
our DMZ.
Is the following possible?
-CustomAuth prompts the user for their username and password.
-After successfully logging in, the user information is held in a cookie.
-When user attempts to go to another site configured to use CustomAuth and
hosted on another server within the same domain, the information stored in
the cookie is read and the user is not prompted to login.
Also, is it possible to configure CustomAuth to where if the user closes and
re-opens their browser and navigates back to the site where they were
authenticated previously CustomAuth reads the existing cookie and does not
prompt?
Thanks again.
"David Wang [Msft]" wrote in message
news:urbZPSkIGHA.3192@TK2MSFTNGP10.phx.gbl...
> Why should Site A be able to set a cookie which supplies security settings
> to Site B... when Site A and site B have no trust relationship. This is
> the fundamental security issue that you must understand and resolve. The
> fact that two servers use CustomAuth says nothing about their trust
> relationship regarding data passed in between them.
>
> http://blogs.msdn.com/david.wang/archive/2005/07/06/SSO_ISAPI_Considerations_2.aspx
>
> You can invent your own custom protocol to have multiple entities trust an
> authenticated principal. CustomAuth has nothing to do with that
> protocol -- from a protocol perspective, you can treat CustomAuth like
> Basic Authentication where you can customize the form that gathers the
> username/password.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> //
>
> "Steven Richardson" wrote in message
> news:Ob%23M5OhIGHA.524@TK2MSFTNGP09.phx.gbl...
>> The scenario being:
>>
>> A user navigates to site A (which is configured to use the CustomAuth
>> authentication) is prompted and logs in.
>>
>> Can a user then navigate to site B, which may be on a different server
>> but also configured to use CustomAuth Authentication, and because they
>> have already logged in on site A, they will not be prompted to login
>> again?
>>
>> Is there also a way to automatically authenticate them if they've logged
>> in previously? From playing around with CustomAuth, it appears that I'm
>> required to login again if I close my browser and reopen it to the same
>> site. I've read some comments from other forums and they mention
>> persistent cookies might be a solution. Does anyone have any details on
>> how to accomplish this?
>>
>>
>>
>
>
date: Thu, 26 Jan 2006 11:06:19 -0800
author: Steven Richardson
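
The thread turns on whether Site B has any reason to trust a cookie that Site A set. As an added example (not part of the original posts and not CustomAuth's own behaviour), here is one minimal form such a custom protocol could take: the cookie carries a token that only holders of a shared key can produce, and each site verifies it before skipping the login prompt. The key, the `sso` cookie name, the `example.com` domain, the 8-hour lifetime and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Assumption: one secret provisioned out of band on each site that has agreed
# to trust the others' logins. Constructed demo value, not a real key.
SHARED_KEY = b"constructed-demo-key"
MAX_AGE = 8 * 3600  # seconds a token stays acceptable (assumed policy)

def b64e(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user, key=SHARED_KEY, now=None):
    """Site A: call only after the login form has verified the password."""
    iat = int(time.time() if now is None else now)
    body = json.dumps({"sub": user, "iat": iat}).encode()
    return b64e(body) + "." + b64e(hmac.new(key, body, hashlib.sha256).digest())

def verify_token(token, key=SHARED_KEY, now=None):
    """Site B: return the user name, or None when the cookie is not trusted."""
    try:
        body_part, tag_part = token.split(".")
        body, tag = b64d(body_part), b64d(tag_part)
    except ValueError:  # wrong shape or bad base64
        return None
    # Check the MAC before parsing anything the client could have altered.
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    claims = json.loads(body)
    age = (time.time() if now is None else now) - claims["iat"]
    return claims["sub"] if 0 <= age <= MAX_AGE else None

def set_cookie_header(token, domain="example.com", persistent=False):
    """Domain= makes the browser send the cookie to every host under it."""
    attrs = [f"sso={token}", f"Domain={domain}", "Path=/", "Secure", "HttpOnly"]
    if persistent:  # Max-Age lets the cookie survive a browser restart
        attrs.append(f"Max-Age={MAX_AGE}")
    return "Set-Cookie: " + "; ".join(attrs)

if __name__ == "__main__":
    t = issue_token("alice")
    print(set_cookie_header(t, persistent=True))
    print(verify_token(t))
```

A site that does not hold the key rejects the cookie, which is the trust relationship made explicit: sharing a DNS domain only decides where the browser sends the cookie, not who may vouch for the user.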