
visual studio .net general : Single Sign On


Tom
8/30/2003 1:43:34 PM
I am trying to establish an infrastructure whereby I want
only one login screen for my .net application users.


In my experience, if the user's domain is different than
the application domain, the user is presented with the
Windows login screen a second time.

Is it possible for the browser to pass credentials from
one domain to the next?

If so, can anyone assist?

Tom

Real life example:
Employee turns his PC on and logs on to the network by
entering in his user id, password and domain.

Now my user launches a browser and navigates to the base
site, where he is presented with a login screen. Note: the base
site is used to gain access to all other applications.

Now if the domain is the same as the application domain,
then when my user logs in he is able to navigate to all
other secure web sites without entering any more
credentials.

But if my user's domain is different than the
application's domain, when he tries navigating to one of
these sites, he is presented with the Windows logon screen.

Tom
9/1/2003 4:34:06 AM
Dear Yanhong Huang

First, thanks for your reply.

But actually, that is the problem. If I come from domain
A to domain B I am presented with the Windows dialog a
second time. But if I am in the same domain, I am not.

Can you send me the URL of the Windows 2K forum so I can
post my question there?

Thanks

Tom

PS I think you are right about Forms Authentication. But
how can I save credentials from one domain to the next as
session variables don't cross domains or web servers?


yhhuang NO[at]SPAM online.microsoft.com
9/1/2003 7:33:46 AM
Hello Tom,

Thanks for posting in the group.

From the description, I think you are developing an ASP.NET web application.
Please post here if I have any misunderstandings.

Firstly, let us see why you got that login dialog. When we log in
to a domain at the Windows login screen, we get a credential. When we
visit network resources, Windows will use this credential to authenticate
us. However, if we want to visit a resource which doesn't accept this
credential, it will pop up a dialog for us to enter a valid account. That
is why we got this dialog. In this situation, we can see that the
problem here is that the credential we have doesn't pass the
authentication, not that we have no credential. So passing credentials from one
domain to another is not the question; I think Windows can do it for us
correctly. (You could post in the Windows 2000 group to verify it.) The key is
that your credential is not admitted in the other domain. We may need to
set up a domain trust to enable it. (This needs to be tested.)

In my opinion, I strongly recommend you use forms-based authentication to
enable single sign-on on your web app. If it is used on the Internet, you could
also use Passport authentication mode.

For more details, please refer to
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconaspnetauthentication.asp?frame=true

Hope that helps.

Best regards,
Yanhong Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
!Content-Class: urn:content-classes:message
!From: "Tom" <dariatj@fhlbcin.com>
!Sender: "Tom" <dariatj@fhlbcin.com>
!Subject: Single Sign On
!Date: Sat, 30 Aug 2003 13:43:34 -0700
!Lines: 33
!Message-ID: <012a01c36f37$613d2f30$a501280a@phx.gbl>
!MIME-Version: 1.0
!Content-Type: text/plain;
! charset="iso-8859-1"
!Content-Transfer-Encoding: 7bit
!X-Newsreader: Microsoft CDO for Windows 2000
!Thread-Index: AcNvN2E9eOSB2iPtTpKEGzUXkWSErg==
!X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
!Newsgroups:
microsoft.public.vsnet.general,microsoft.public.dotnet.languages.csharp
!Path: cpmsftngxa06.phx.gbl
!Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.languages.csharp:181055
microsoft.public.vsnet.general:11992
!NNTP-Posting-Host: TK2MSFTNGXA13 10.40.1.165
!X-Tomcat-NG: microsoft.public.vsnet.general
!
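The forms-based approach recommended above only gives single sign-on across several web servers if every server can validate the authentication ticket the base site issued. In ASP.NET the ticket is signed and encrypted with the keys in the `<machineKey>` element, which by default are auto-generated per machine, so a ticket minted on one server is rejected on another. The following web.config fragment is an added example, not code from this thread or from Microsoft's documentation; the key values are placeholders and the login page name is assumed. It shows the Forms settings beside an explicit, shared machineKey.

```xml
<!-- Added example (not from the thread): web.config for each site that
     should accept the forms-authentication ticket issued by the base site. -->
<configuration>
  <system.web>
    <!-- Forms authentication instead of Windows authentication, so the
         user's Windows logon-domain credential is never challenged for. -->
    <authentication mode="Forms">
      <!-- name: cookie name, must be identical on every participating site.
           loginUrl: page on the base site that validates the user (assumed name).
           protection="All": the ticket is both encrypted and signed. -->
      <forms name=".ASPXAUTH"
             loginUrl="login.aspx"
             protection="All"
             timeout="30"
             path="/" />
    </authentication>

    <!-- Deny anonymous users ("?"); they are redirected to loginUrl. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Identical, explicit keys on every server. With the default
         AutoGenerate setting each server uses its own keys and rejects
         tickets issued elsewhere. The values below are placeholders:
         generate your own random hex strings (40 to 128 hex characters
         for validationKey, 48 for decryptionKey with 3DES) and keep them
         out of source control. -->
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_HEX"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_HEX"
                validation="SHA1" />
  </system.web>
</configuration>
```

A shared machineKey makes a ticket acceptable wherever it arrives; whether the browser sends the cookie to a second site at all is decided by the cookie's host/domain scope, which is the separate question raised in Tom's PS and is not answered in this thread.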
yhhuang NO[at]SPAM online.microsoft.com
9/1/2003 7:42:04 AM
Hi Tom,

You could also refer to the doc file linked in this page:
http://www.microsoft.com/windows2000/techinfo/howitworks/security/sso.asp

Thanks.

Best regards,
Yanhong Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

yhhuang NO[at]SPAM online.microsoft.com
9/2/2003 4:01:37 AM
Hi Tom,

Thanks for the quick response.

Surely in the same domain you won't meet it, since your user name and
password are authenticated already. If you access another domain, your existing
username and password are not acknowledged by it. So it pops up a dialog to let
you input a valid credential. As I mentioned, you may need to set up a trust
relationship between the domains to resolve it.

For Windows2K forum, you may try:
http://support.microsoft.com/newsgroups/default.aspx?NewsGroup=microsoft.public.win2000.active_directory&SLCID=US&ICP=GSS3&sd=GN&id=fh;en-us;newsgroups
or
http://support.microsoft.com/newsgroups/default.aspx?NewsGroup=microsoft.public.win2000.security&SLCID=US&ICP=GSS3&sd=GN&id=fh;en-us;newsgroups

However, they are not MSDN-managed groups. You could get help from peers in
the group.

Please post here if you have follow up questions.

Best regards,
Yanhong Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
!Content-Class: urn:content-classes:message
!From: "Tom" <dariatj@fhlbcin.com>
!Sender: "Tom" <dariatj@fhlbcin.com>
!References: <012a01c36f37$613d2f30$a501280a@phx.gbl>
<CHnbmtFcDHA.460@cpmsftngxa06.phx.gbl>
!Subject: RE: Single Sign On
!Date: Mon, 1 Sep 2003 04:34:06 -0700
!Lines: 140
!Message-ID: <066201c3707c$f3ebd340$a401280a@phx.gbl>
!MIME-Version: 1.0
!Content-Type: text/plain;
! charset="iso-8859-1"
!Content-Transfer-Encoding: 7bit
!X-Newsreader: Microsoft CDO for Windows 2000
!Thread-Index: AcNwfPPrxRkWLuodST2YOeP05dntwg==
!X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
!Newsgroups: microsoft.public.vsnet.general
!Path: cpmsftngxa06.phx.gbl
!Xref: cpmsftngxa06.phx.gbl microsoft.public.vsnet.general:12036
!NNTP-Posting-Host: TK2MSFTNGXA12 10.40.1.164
!X-Tomcat-NG: microsoft.public.vsnet.general
!