Re: SSO



Thanks Mike for your response.

For example, you mentioned WebAuth and CoSign. Both of these solutions
are really targeted for highly heterogeneous environments like
University networks where the only client requirement is that the
browser support cookies. So it works on the IntrAnet, the IntErnet, on
a hostile dormitory network, a kiosk at the airport, etc. But if
you don't have those requirements these solutions do have quite a bit
of overhead with all the redirecting and, more importantly, they do not
give you true single-sign-on behavior. They're more like "double sign
on" because you have to log in to a central server and then get
redirected back to the target site.

For a strictly IntrAnet environment the WWW-Authenticate: Negotiate or
NTLMSSP protocols used by IIS, mod_auth_kerb, Plexcel, JCIFS and
others are the only true *Single* Sign On solutions where the client's
existing credentials are used to transparently authenticate without
requiring the user to enter a password. These use either the original
WWW-Authenticate: NTLM protocol (obsolete), raw NTLMSSP (rare), raw
Kerberos 5 (rarer) or SPNEGO (very common - used to "negotiate" either
NTLMSSP or Kerberos 5).

That's good to know. The only thing is that the environment that I have is
an intErnet one. I really don't have an intrAnet environment. Even though
the applications are used by just the employees, they are accessible outside
the organization's network (if I am making a rookie mistake about the
concept of intrAnet, then definitely point it out). I feel as if for this
situation, Cosign would be the best because it caters to IIS, while WebAuth
does not have any stable filters for IIS.

Let me know if my logic makes sense or not.

Thanks again for all your guys' help.



On 7/17/08, Michael B Allen <ioplex@xxxxxxxxx> wrote:

On Thu, Jul 17, 2008 at 11:01 AM, Sharad Desai <ssdesai1@xxxxxxxxx> wrote:
Hello,

Thanks for your responses.

You may want to search for SPNEGO and mod_auth_kerb. Windows IE and IIS
have SPNEGO built in, and can use the Kerberos in Active Directory.
Apache can use mod_auth_kerb that supports SPNEGO. With FireFox 2 on any
platform, see about:config and the network.negotiate-auth.trusted-uris option.

I would have definitely considered this, but the group that I am working
with does not want to include AD in any solution.

Also, (I'm not sure how familiar people are with Cosign) since Cosign
transforms Kerberos authentication to a cookie-based authentication which
the browsers can use, I was wondering if you have had any experience with
this.

When trying to determine the right SSO solution for your web
applications, it is important to realize that the mode of operation
behind solutions that call themselves "SSO" varies tremendously so you
really need to carefully state your requirements.

For example, you mentioned WebAuth and CoSign. Both of these solutions
are really targeted for highly heterogeneous environments like
University networks where the only client requirement is that the
browser support cookies. So it works on the IntrAnet, the IntErnet, on
a hostile dormitory network, a kiosk at the airport, etc. But if
you don't have those requirements these solutions do have quite a bit
of overhead with all the redirecting and, more importantly, they do not
give you true single-sign-on behavior. They're more like "double sign
on" because you have to log in to a central server and then get
redirected back to the target site.

Then you have "SSO" solutions like OpenID which are really more like
"triple sign on" since you have to log in to your workstation, then to
the OpenID service and then put in the OpenID service you're using at
the target site. This scenario is really only for the IntErnet where
there is no chance of the client and service being members of the same
domain.

For a strictly IntrAnet environment the WWW-Authenticate: Negotiate or
NTLMSSP protocols used by IIS, mod_auth_kerb, Plexcel, JCIFS and
others are the only true *Single* Sign On solutions where the client's
existing credentials are used to transparently authenticate without
requiring the user to enter a password. These use either the original
WWW-Authenticate: NTLM protocol (obsolete), raw NTLMSSP (rare), raw
Kerberos 5 (rarer) or SPNEGO (very common - used to "negotiate" either
NTLMSSP or Kerberos 5).

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
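The mechanisms Mike lists (obsolete WWW-Authenticate: NTLM, raw NTLMSSP, raw Kerberos 5, and SPNEGO wrapping either) all arrive at the server in the same Authorization header, so a log that records only "Negotiate" cannot show which one a client actually used. The Python below is an added example, not code from the thread or from any of the products named in it. It decodes the header value, walks the DER framing of the GSS-API initial token, and reports whether it carries raw NTLMSSP, raw Kerberos 5, or a SPNEGO negTokenInit with its offered mechanism list. The mechanism OIDs are the standard ones; the sample headers, the tiny DER builder used to make them, and the function names are constructed for this example.

```python
import base64

# GSS-API mechanism OIDs as DER content bytes (no 0x06 tag, no length byte).
OID_SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MSKRB5 = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2 (Microsoft legacy)
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_KRB5: "Kerberos 5", OID_MSKRB5: "Kerberos 5 (MS legacy OID)", OID_NTLMSSP: "NTLMSSP"}


def _der_tlv(buf, i, expected_tag=None):
    """Parse one DER TLV at buf[i]; return (tag, value bytes, index after it)."""
    if i + 1 >= len(buf):
        raise ValueError("truncated token")
    tag = buf[i]
    if expected_tag is not None and tag != expected_tag:
        raise ValueError(f"expected tag {expected_tag:#04x}, got {tag:#04x}")
    first = buf[i + 1]
    if first < 0x80:                                  # short-form length
        length, j = first, i + 2
    else:                                             # long form: 0x8n then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length, j = int.from_bytes(buf[i + 2:i + 2 + n], "big"), i + 2 + n
    if j + length > len(buf):
        raise ValueError("truncated token")
    return tag, buf[j:j + length], j + length


def classify_authorization(header_value):
    """Return {"scheme", "mechanism", "offered"} for one Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    result = {"scheme": scheme, "mechanism": "other", "offered": []}
    if scheme.lower() == "ntlm":                      # obsolete WWW-Authenticate: NTLM scheme
        result["mechanism"] = "NTLMSSP"
        return result
    if scheme.lower() != "negotiate":
        return result
    token = base64.b64decode(b64.strip())
    if token.startswith(b"NTLMSSP\x00"):              # raw NTLMSSP, no GSS framing at all
        result["mechanism"] = "raw NTLMSSP"
        return result
    _, body, _ = _der_tlv(token, 0, 0x60)             # GSS-API InitialContextToken
    _, mech_oid, nxt = _der_tlv(body, 0, 0x06)        # thisMech OID
    if mech_oid in (OID_KRB5, OID_MSKRB5):
        result["mechanism"] = "raw Kerberos 5"
        return result
    if mech_oid != OID_SPNEGO:
        result["mechanism"] = "unknown GSS mech " + mech_oid.hex()
        return result
    tag, neg, _ = _der_tlv(body, nxt)                 # SPNEGO NegotiationToken CHOICE
    if tag == 0xA1:                                   # negTokenResp: a later round trip
        result["mechanism"] = "SPNEGO negTokenResp"
        return result
    if tag != 0xA0:
        raise ValueError("unexpected SPNEGO token")
    _, seq, _ = _der_tlv(neg, 0, 0x30)                # NegTokenInit SEQUENCE
    _, mech_types, _ = _der_tlv(seq, 0, 0xA0)         # mechTypes [0]
    _, mech_list, _ = _der_tlv(mech_types, 0, 0x30)   # MechTypeList: SEQUENCE OF OID
    i = 0
    while i < len(mech_list):
        _, oid, i = _der_tlv(mech_list, i, 0x06)
        result["offered"].append(MECH_NAMES.get(oid, oid.hex()))
    result["mechanism"] = "SPNEGO"
    return result


def _tlv(tag, value):
    """Tiny DER encoder for the constructed samples (values shorter than 256 bytes)."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n])
    return bytes([tag]) + length + value


def build_spnego_init(mech_oids):
    """Construct a GSS token holding a SPNEGO negTokenInit that offers mech_oids
    in order (sample only; it carries no real mechToken)."""
    mech_list = _tlv(0x30, b"".join(_tlv(0x06, m) for m in mech_oids))
    neg_init = _tlv(0xA0, _tlv(0x30, _tlv(0xA0, mech_list)))
    return _tlv(0x60, _tlv(0x06, OID_SPNEGO) + neg_init)


def _b64(token):
    return base64.b64encode(token).decode()


# Constructed sample headers, labelled by the client situation each imitates.
SAMPLE_HEADERS = {
    "domain-member": "Negotiate " + _b64(build_spnego_init([OID_MSKRB5, OID_KRB5, OID_NTLMSSP])),
    "no-ticket": "Negotiate " + _b64(build_spnego_init([OID_NTLMSSP])),
    "raw-ntlmssp": "Negotiate " + _b64(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(28)),
    "raw-krb5": "Negotiate " + _b64(_tlv(0x60, _tlv(0x06, OID_KRB5) + b"\x01\x00" + b"AP-REQ placeholder")),
    "legacy-ntlm": "NTLM " + _b64(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(28)),
}


def audit(headers):
    """Summarise which mechanism each header really carries, for a quick log review."""
    return {label: classify_authorization(h)["mechanism"] for label, h in headers.items()}


if __name__ == "__main__":
    for label, mech in audit(SAMPLE_HEADERS).items():
        print(f"{label:14s} -> {mech}")
```

Run against headers captured in a server or proxy log, the "offered" list is the useful part: a browser that holds a Kerberos ticket for the site's service principal normally lists Kerberos first with NTLMSSP as a fallback, while a client that cannot reach a KDC (the from-outside-the-network case Sharad describes) typically offers NTLMSSP alone. Counting those two cases separately is the simplest way to check whether a Negotiate deployment is really delivering Kerberos or has quietly degraded to NTLM.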



