Single Sign-On for a group of IIS 5.1 websites



Single Sign-On for a group of IIS 5.1 websites Nicholas Wang
9/22/2005 9:37:01 PM
Hi, I have a group of websites written in ASP and hosted using IIS 5.1 in
Windows 2000 Server. These websites are all set to "Basic Authentication",
and all the users are NT domain users.

The problem is that users have to type in their domain userid/password
several times in order to access all the information from all the websites.

The question is: besides letting the users add all the websites to their trusted
websites, is there a way to let these sites trust each other, so that when a user logs
in to any of the websites, they are automatically logged in to the rest of the sites as
well?
RE: Single Sign-On for a group of IIS 5.1 websites v-wdxu NO[at]SPAM online.microsoft.com
9/23/2005 9:42:48 AM
Hi,

This scenario requires these web sites to trust each other. That is to say,
these sites should be included in one domain forest and the domains should trust
each other. However, as far as I know, it is not easy if these sites don't belong
to one company because we will need to use one client credential facing
different service provider boxes. Furthermore, there are two other solutions
for us:

One method is to write one client browser to automatically log the user on to
the sites. However, this will require a long time for development and testing.

Another way is: Windows XP provides a stored user name and password
service to record the user name and password for a site. This way, after
the customer visits a site, his credential will be saved in Windows XP. On
later access, IE will automatically log on to the site for the user;
there is no need to manually type the credential.

We have two methods to set this:
1. When visiting the site for the first time, the logon dialog will pop up.
Please input the username and password and check the select box "Save
..." under the password input textbox. Then your username and password will
be stored in Windows XP.

2. We could manually set them at the client site. This "Save user name and
password" feature is available from:
control panel->User Accounts->Advanced Tab->Manage Passwords

Then the dialog "Stored user names and password" will pop up. All saved
credentials with their URLs are listed there. In the add dialog, opened by clicking
the "Add" button, we can input the user name and password with the
corresponding server URL.

Please feel free to let me know if you have any further questions on this
matter.

Best Regards,
Wei-Dong XU
Microsoft Product Support Services
This posting is provided "AS IS" with no warranties, and confers no rights.
It is my pleasure to be of assistance.
Re: Single Sign-On for a group of IIS 5.1 websites David Wang [Msft]
9/25/2005 2:44:38 PM
Basically, you achieve SSO behavior by either:
1. Client-side SSO: Web browser auto-logins to various websites using the same
credential (hard because this is non-standard behavior)
2. Server-side SSO: Use an authentication protocol and server configuration
that support SSO

Your current authentication protocol and server configuration do not
support SSO. You have two choices:
1. You can fake it by writing code on the server to implement "SSO-like
behavior", but it is really not going to be secure since you are using Basic
Authentication, which implicitly delegates user credentials to the server
(I'm not even talking about the plain-text password that is encrypted with
SSL -- I'm talking about the fact that the server has your user credentials
and can do stuff with them that you do not authorize, such as withdraw money
from your bank account).
2. Use open, standards-based support for SSO, like Kerberos+Active Directory,
which takes care of a lot of other security issues you haven't even thought
of.


In short, SSO cannot happen unless the servers trust each other, and that
happens either with Windows Domain + Kerberos, or you write your own custom
version of Domain+Kerberos to establish the "trust" ad-hoc, but your version
will most likely have shortcuts and security vulnerabilities that you do not
know about.

Here are some blog entries that explain what is going on:
http://blogs.msdn.com/david.wang/archive/2005/07/06/SSO_ISAPI_Considerations_2.aspx
http://blogs.msdn.com/david.wang/archive/2005/08/29/HOWTO_Protect_non_dotNET_content.aspx


--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
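The following is an added example, not code from any poster in this thread. It illustrates the point made above that Basic Authentication hands the user's reusable password to every server that receives it, whereas a Negotiate (Kerberos) header carries only an opaque token. The host names, user, password and token are constructed, and the function names are hypothetical.

```python
import base64
import binascii

def inspect_authorization(header, over_tls):
    """Report what the receiving server learns from one Authorization header."""
    scheme, _, blob = header.strip().partition(" ")
    finding = {"scheme": scheme.lower(), "user": None,
               "server_holds_password": False, "cleartext_on_wire": False}
    if finding["scheme"] != "basic":
        return finding  # e.g. Negotiate: an opaque token, no password inside
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        decoded = ""
    user, sep, _password = decoded.partition(":")
    if not sep:
        finding["scheme"] = "malformed"
        return finding
    # Basic: the server can read the password itself, on every request.
    finding.update(user=user, server_holds_password=True,
                   cleartext_on_wire=not over_tls)
    return finding

def password_exposure(requests):
    """Map each user to the sorted hosts that received their reusable password."""
    exposure = {}
    for host, header, over_tls in requests:
        f = inspect_authorization(header, over_tls)
        if f["server_holds_password"]:
            exposure.setdefault(f["user"], set()).add(host)
    return {user: sorted(hosts) for user, hosts in exposure.items()}

def basic_header(user, password):
    """Build a Basic header the way a browser does (base64 of user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token

# Constructed sample traffic (hypothetical hosts, user, password and token).
SAMPLE = [
    ("hr.example.test", basic_header("EXAMPLE\\jdoe", "constructed-pw"), True),
    ("wiki.example.test", basic_header("EXAMPLE\\jdoe", "constructed-pw"), False),
    ("reports.example.test", "Negotiate Y29uc3RydWN0ZWQtdG9rZW4=", True),
]

if __name__ == "__main__":
    print(password_exposure(SAMPLE))
    for host, header, tls in SAMPLE:
        print(host, inspect_authorization(header, tls))
```

Each host listed for a user is a server that could reuse that domain password elsewhere; SSL only changes the `cleartext_on_wire` flag, not `server_holds_password`.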