[thelist] AD, IIS and "single sign on" on an intranet

Ken Schaefer Ken at adOpenStatic.com
Tue Mar 28 16:34:27 CST 2006


It's not that IIS "knows" who the user is. IIS is still constrained by the
way that HTTP works. The reason it seems to work seamlessly is that IE can be
configured to attempt an auto-logon (without bothering the user) in certain
limited circumstances:
a) webserver says that it supports NTLM or Kerberos authN
b) the site is in IE's Intranet security zone (by default NetBIOS-style names
are there, but you can add FQDNs or IP addresses manually or via Group
c) IE's default security configuration for the Intranet zone hasn't been

You can get info here on all the requirements:

Hope that helps.


: -----Original Message-----
: From: thelist-bounces at lists.evolt.org [mailto:thelist-
: bounces at lists.evolt.org] On Behalf Of Marcus Andersson
: Sent: Wednesday, 29 March 2006 6:26 AM
: To: thelist at lists.evolt.org
: Subject: [thelist] AD, IIS and "single sign on" on an intranet
: We have a customer with a Windows setup (Active Directory, IIS, Windows
: workstations etc). What we want to do now is to use another web server
: (we sold a non MS application to them) and somehow accomplish the same
: functionality that IIS seems to provide with regards to that when the
: users are logged on to their workstations they don't need to log into
: the intranet web application (IIS just seems to know somehow who it is).
: How can we accomplish this ourselves? I know that I probably can speak
: LDAP to AD to get user information but how does IIS know who the user is
: without logging the user in to the web application? Is the browser
: sending user information? Is it (IIS) using IP addresses somehow to see
: who it is? I'm clueless (and haven't found a good enough Google search
: phrase :( )...
: Ideas? (I think this one falls into Ken Schaefer's area of expertise ;)
: Regards,
: /Marcus
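
The HTTP exchange behind point (a) above, as an added example that is not part of the original post: the 401 challenge a server sends to advertise Negotiate and NTLM, and a classifier for the token the browser returns. The function names and sample tokens are constructed for illustration; the code only identifies the mechanism and does not validate credentials, which needs a GSSAPI or SSPI library.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # DER for 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER for 1.2.840.113554.1.2.2

# Constructed sample tokens (not real captures): an NTLM type 1 message and a
# SPNEGO NegTokenInit that offers Kerberos but carries no ticket.
SAMPLE_NTLM_TYPE1 = NTLM_SIGNATURE + struct.pack("<II", 1, 0x00088207)
SAMPLE_SPNEGO = (bytes.fromhex("601b") + SPNEGO_OID
                 + bytes.fromhex("a011300fa00d300b") + KRB5_OID)


def challenge_headers():
    """Status and headers for a request that arrived without credentials."""
    return 401, [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")]


def classify_authorization(value):
    """Return (scheme, mechanism) for an Authorization header value.

    Identification only: nothing here proves who the user is.
    """
    scheme, _, b64 = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme not in ("negotiate", "ntlm"):
        return scheme, "unsupported"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return scheme, "malformed"
    if not token:
        return scheme, "malformed"
    # NTLM messages start with a fixed signature, then a little-endian type:
    # 1 = negotiate, 2 = challenge (server to client), 3 = authenticate.
    if token.startswith(NTLM_SIGNATURE) and len(token) >= 12:
        (msg_type,) = struct.unpack_from("<I", token, 8)
        return scheme, f"ntlm-type-{msg_type}"
    # An initial GSS-API token is ASN.1 [APPLICATION 0] followed by the mech OID.
    if token[:1] == b"\x60" and SPNEGO_OID in token[:16]:
        return scheme, "spnego-kerberos" if KRB5_OID in token else "spnego-other"
    if token[:1] == b"\x60" and KRB5_OID in token[:16]:
        return scheme, "kerberos"
    return scheme, "unknown"
```

Logging the returned mechanism per request shows which clients complete Kerberos and which fall back to NTLM, including raw NTLM tokens sent under the Negotiate scheme.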
