  • Single Sign On solution on Windows Server

    Hello everyone,

    My current user credentials are stored in the Active Directory database, but my current users and computers are not in a Windows domain for historical reasons. It is also not possible to force all users and machines to use Windows domain authentication, since some users come from the internet, not the intranet (you cannot make an internet user join a domain in order to access a web site).

    My question is: in such a situation, if almost all of the web servers are IIS servers, are there any products or solutions provided by Windows Server?

    Thanks in advance,
    George

  • #2
    Re: Single Sign On solution on Windows Server

    ISA 2006 provides SSO when publishing with the same listener.
    However, I'm pretty sure it won't work with local users. This is because every local IIS server has its own SAM database.

    However, you can create user accounts in AD and tell the users: from now on you use this account to log on?
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Single Sign On solution on Windows Server

      Thanks Marcel,

      1.

      Currently, my situation is that all IIS servers will use a single set of usernames/passwords to log in, not separate sets of usernames/passwords. And all usernames/passwords are stored in Active Directory.

      In this situation, does ISA server meet my needs?

      2.

      What do you mean by "publishing with the same listener" and "won't work with local users. This is because every local IIS server has its own SAM database"?

      Regards,
      George



      • #4
        Re: Single Sign On solution on Windows Server

        Well, every user on every IIS server is different, although the username and password might seem to be the same.
        So ISA will check the username on the defined IIS server. The user is different (think about SIDs) and ISA will prompt to re-authenticate.

        When you use users in a domain environment the SIDs will be the same for that user, so SSO can be configured.

        Have a read of these:
        Publishing Concepts in ISA Server 2006
        Lab Scenario 2: Configuring SSO Using ISA Server 2006
        Authentication in ISA Server 2006
        Marcel



        • #5
          Re: Single Sign On solution on Windows Server

          Thanks Dumber,

          I like the documents you recommended. Actually, I am new to ISA, and after reading through the documents you recommended, it seems ISA Server is what I am looking for.

          Two further questions:

          1. Is there a step-by-step guide to integrate ISA with Active Directory and IIS? In your recommended documents, there is no step-by-step guide;

          2. Is there any way to integrate ISA with an Apache server?

          Regards,
          George



          • #6
            Re: Single Sign On solution on Windows Server

            ISA is a firewall and not a web server, so I see no use with Apache?
            However, it can publish Apache just like you would publish IIS.

            When ISA is a member of the domain, it can use AD, for example the users/groups.

            However, I'm not sure what your definition of integrating is, so you might explain a bit more.
            Marcel



            • #7
              Re: Single Sign On solution on Windows Server

              Thanks Dumber,

              1.

              My situation and requirements are:

              - I have 90% of web sites using IIS and 10% using Apache;
              - Currently I provide the web sites only for school-internal use, and now I want to extend their reach to make the web sites reachable by internet users;
              - Previously, all web sites had their own user names and passwords stored in a web-site-specific database, i.e. each site had an individual user name/password database;
              - Now I want to merge all usernames and passwords into one Active Directory database (this step is almost done);
              - Since I want to provide the sites to internet users, I cannot use Windows domain based authentication (internet users cannot join the domain);
              - I want to provide SSO to internet users, who log in to one of the web sites once using a username/password stored in Active Directory and, for the other web sites, do not need to enter the username/password again.

              Do you think ISA is suitable for my situation?

              2.

              Previously, I was also considering using Windows domain based authentication, but since internet users cannot join the same Windows domain, I think Windows domain based authentication is not suitable for me? Any comments about whether we could use Windows domain based authentication for internet users?

              Regards,
              George



              • #8
                Re: Single Sign On solution on Windows Server

                You are talking about the "Internet user"? What is that? Do you mean the IUSR_x account?
                Well, in that case no problem.
                ISA or IAG/UAG might fit your needs.
                ISA is a firewall and proxy, and it's meant for publishing and outbound security.
                IAG/UAG (I believe UAG is RTM right now) is for publishing only.
                http://www.microsoft.com/forefront/e...s/default.aspx
                Marcel



                • #9
                  Re: Single Sign On solution on Windows Server

                  Thanks Dumber,

                  1. My current situation is that the school has an internal network and some internal web sites. I want to publish the web sites to external users. Previously, the internal web sites could only be accessed with school-internal accounts and from inside the school. When all of the web sites are published, I could let external users register and use the web sites. This is what I mean by internet users;

                  2. I read about IAG (I think you mean Intelligent Application Gateway?). Is it just a new name for ISA? But what is UAG? I did not find it on the page you recommended.

                  3. Could IAG be used for publishing an Apache server? Suppose the Apache server is using the same Active Directory that is shared by the other IIS servers.

                  Regards,
                  George



                  • #10
                    Re: Single Sign On solution on Windows Server

                    Again, Apache is just a web server, just like IIS is.
                    Nothing more... IIS is from Microsoft, Apache is open source.

                    UAG will be the next IAG. UAG will probably be released in the first half of 2009.
                    http://www.microsoft.com/forefront/p...admap/uag.mspx
                    Both are used for publishing only.
                    ISA is for publishing, but also works as a firewall and will function as a proxy server.

                    However, due to all the questions you're asking, I would recommend hiring someone.
                    He/she can oversee your current situation and what I might have missed because I'm here.
                    We didn't even talk about how the "internet users" are created, what your current firewall is, how many sites you have, how many public IP addresses you have, etc. etc.

                    In addition, you might check out the guided virtual labs to get an idea of the products (scroll down to Forefront Edge Security):
                    http://technet.microsoft.com/en-us/f.../bb499665.aspx
                    Last edited by Dumber; 5th December 2008, 10:16.
                    Marcel



                    • #11
                      Re: Single Sign On solution on Windows Server

                      Hi Dumber,

                      1.

                      My concern is that I have not found any documents about how to publish an Apache server. Do you have any document you could refer me to?

                      2.

                      Can I take it that ISA is the most powerful product (publishing/firewall/proxy), and IAG/UAG is just a subset of its functions, namely publishing? My concern is:

                      - whether IAG/UAG is just a subset of the ISA installation (sharing the same codebase)?
                      - or whether it is a new product with a sub-function of ISA Server?

                      Regards,
                      George



                      • #12
                        Re: Single Sign On solution on Windows Server

                        1)
                        With ISA you publish a web server.
                        It doesn't matter if in the back there is an IIS, an Apache, Athana, Bauk HTTP, Cherokee or whatever.
                        You just allow HTTP to a specific web site.

                        However, authentication might become an issue, so that's why you should hire someone.
                        This person can see your current environment and have a face-to-face talk with you to select the best options.
                        He might even suggest removing Apache and running the web site on IIS.

                        2)
                        It depends on what your goal is.
                        If it's only publishing and nothing else (and not in the future), IAG/UAG is the way to go.
                        However, if you also need a proxy and a firewall, ISA is the product to go for.
                        I can't oversee from here what the full requirements are.

                        I don't know if IAG/UAG shares the same code as ISA does. I'm not a developer and I don't have access to the source code.
                        Marcel



                        • #13
                          Re: Single Sign On solution on Windows Server

                          Thanks Dumber,

                          I like your suggestion. But before I seek help from other people, I think I want to get a clear overall picture of a product and its general usage scenario.

                          I really care about authentication; actually it is my No. 1 purpose. Suppose I have 2 IIS servers and 1 Apache server. I am not sure whether ISA could support SSO for IIS and Apache together without any coding effort, or with minimal coding effort?

                          Regards,
                          George



                          • #14
                            Re: Single Sign On solution on Windows Server

                            SSO is handled by the listener on the ISA server...
                            It's written here in the link I posted earlier:
                            http://technet.microsoft.com/en-us/l.../bb794722.aspx

                            I haven't tested it (cool test case, by the way; I should make a document about it), but I'm quite sure ISA can handle it.

                            In short, what is happening is this:

                            In your browser you type: www.sitename.com
                            The packets (after DNS and so on) arrive at the ISA server.
                            ISA sees a publishing rule which requires authentication within its listener.
                            ISA prompts for authentication and you need to enter a username/password from the domain, or an RSA key, or whatever.
                            ISA stores this, and when you go to blah.sitename.com (for example), which is using the same listener, ISA recognizes you and seamlessly authenticates you.

                            I'm not sure if Apache can do LDAP queries. It might be a requirement, but I don't think this would give a lot of trouble.

                            Is Apache running on Linux or Windows?
                            Marcel
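The flow Marcel describes above (one listener, authenticate once, recognized on every site published through that listener), together with his earlier point that a per-server SAM account is a different principal from an AD account, as an added Python model. This is constructed illustration code, not ISA code and not from anyone in the thread; the directory contents, listener names, cookie names and hostnames are assumptions.

```python
"""Constructed model of ISA 2006 web-listener SSO: not ISA code."""
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for Active Directory: one authority vouches for every site.
AD_USERS = {"george": "S3cret!"}
AD_AUTHORITY = "AD:SCHOOL"   # a local account would be e.g. "SAM:IIS1": a different principal


@dataclass
class Listener:
    name: str
    sso_domain: str                                # cookie is scoped to this domain
    sessions: dict = field(default_factory=dict)   # cookie token -> (authority, user)

    @property
    def cookie_name(self):
        return f"ISA_SSO_{self.name}"              # assumed name, per listener


class Isa:
    def __init__(self):
        self.rules = {}   # public host -> listener (the publishing rule)

    def publish(self, public_host, listener):
        assert public_host.endswith(listener.sso_domain)   # must sit under the SSO domain
        self.rules[public_host] = listener

    def request(self, host, cookies, credentials=None):
        """Return (status, principal, set_cookie); set_cookie is (name, value, domain)."""
        listener = self.rules[host]
        principal = listener.sessions.get(cookies.get(listener.cookie_name))
        if principal is not None:
            return 200, principal, None            # recognized: no prompt, seamless
        if credentials is None:
            return 401, None, None                 # rule requires auth: prompt
        user, password = credentials
        if AD_USERS.get(user) != password:
            return 401, None, None                 # bad credentials: prompt again
        principal = (AD_AUTHORITY, user)           # same principal on every published site
        token = secrets.token_urlsafe(32)
        listener.sessions[token] = principal
        return 200, principal, (listener.cookie_name, token, listener.sso_domain)


class Browser:
    """Minimal cookie jar: a cookie with Domain=d is sent to d and its subdomains only."""
    def __init__(self):
        self.jar = {}   # (domain, name) -> value

    def get(self, isa, host, credentials=None):
        sent = {n: v for (d, n), v in self.jar.items() if host == d or host.endswith("." + d)}
        status, principal, set_cookie = isa.request(host, sent, credentials)
        if set_cookie:
            name, value, domain = set_cookie
            self.jar[(domain, name)] = value
        return status, principal


def demo():
    """Login once at www, then visit a sibling site and a site on another listener."""
    isa = Isa()
    school = Listener("school", "sitename.com")
    isa.publish("www.sitename.com", school)
    isa.publish("blah.sitename.com", school)
    isa.publish("intranet.example.org", Listener("other", "example.org"))
    b = Browser()
    return [b.get(isa, "www.sitename.com")[0],                          # 401: prompt
            b.get(isa, "www.sitename.com", ("george", "S3cret!"))[0],   # 200: logged in
            b.get(isa, "blah.sitename.com")[0],                         # 200: SSO, same listener
            b.get(isa, "intranet.example.org")[0]]                      # 401: other listener
```

The last request shows the boundary of the scheme: a site published on a different listener (or outside the SSO domain) gets a fresh prompt, which is why all sites that should share a logon must sit under the same listener.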



                            • #15
                              Re: Single Sign On solution on Windows Server

                              Thanks Dumber,

                              The Apache server runs on Linux and can use LDAP. I did some searching as well but cannot find how to integrate an Apache server into the ISA SSO function. Do you have any ideas or any links to recommend?

                              Regards,
                              George
