IIS Web servers / SSL / Single Sign-On
on 28.06.2007 13:06:39 by tfrache
Hi,
we have three servers (one with a dedicated Active Directory, one with
Windows Sharepoint Services + SQL 2005 and the last with Reporting
Services). The Windows Sharepoint Services is published on the Internet with
the URL https://portal.customer.org (the certificate used comes from a root
authority installed on the dedicated domain controller). The homepage on the
Windows Sharepoint Services is composed of several web parts, especially
the reporting services web part. As this web part is displayed through an
IFRAME, we had to publish the reporting services web server on the Internet
too (so we have https://bi.customer.org). The result is not very good, as
when a customer is accessing the Windows Sharepoint Services, he has to
authenticate two times (one time for https://portal.customer.org and
another time for getting access to https://bi.customer.org). We added both
sites to the trusted sites zone, but it has no effect. Of course, we didn't
have this problem when reporting services was installed with Windows
Sharepoint Services on the same server (as /Reports and /ReportServer were
accessed via https://portal.customer.org). However, we had to split the
services onto two separate servers because we had performance problems during
cube processing.
Is there a solution to bypass the second authentication request? As we are
authenticated on the first server (https://portal.customer.org), why is the
information not returned to the second server (https://bi.customer.org),
as both servers are using the same Active Directory? Is this because we are
using SSL (this could be a security feature to block the "automatic login
with current username and password" option in Internet Explorer when
browsing SSL web sites)?
Many thanks for your answers.
Thierry
Re: IIS Web servers / SSL / Single Sign-On
on 05.07.2007 00:30:37 by David Wang
What you want is possible, but not how you are doing it.
It has no relation to SSL because "automatic login with current
username and password" is actually not what you want. You want "if I
autologin to https://portal.customer.org, it means to also autologin
to https://bi.customer.org, and vice versa".
No browser has that behavior with standard authentication protocols,
and no standard authentication protocols support SSO. Some
authentication protocols support [constrained] delegation, which
allows user credentials from one server to be used on another server.
A custom authentication protocol can support SSO, but it has to be
correctly implemented because, misused, it is a huge security risk.
Or, you can publish the reporting services as a URL under the same
https://portal.customer.org as the Sharepoint websites -- maybe ISA
server can do that.
I know all this looks complicated, but it is because security checks
must happen when data traverse security boundaries, and you have
presented lots of distinct security boundaries to browser software
even though you want to logically treat them as a single security
boundary (think about how airport security gets implemented).
All it means is that you have to configure server software to present
itself as a single security boundary, or make the client/server
software ignore multiple security boundaries. But the wrong approach
is to "bypass the second authentication request" because that leaves
distinct security boundaries AND tells the client/server to disregard
security boundaries. You might as well turn off security at that point
because why bother turning on security if you just want to bypass it.
Figure out how to merge multiple security boundaries across multiple
machines into a single security boundary.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
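As an added illustration of David's second option (publishing Reporting Services as a path under the same https://portal.customer.org host so the browser sees one origin), here is a hypothetical IIS URL Rewrite reverse-proxy rule; it is not from the thread and assumes the URL Rewrite and Application Request Routing (ARR) modules are installed on the SharePoint front end and that the BI server is reachable internally under the assumed name bi.customer.internal:

```xml
<!-- Hypothetical web.config fragment for the https://portal.customer.org site.
     Assumes ARR proxying is enabled at the server level
     (applicationHost.config: <system.webServer><proxy enabled="true" />). -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Browser asks for https://portal.customer.org/ReportServer/... or /Reports/...
             (the same paths the single-server setup used); the front end fetches the
             page from the internal Reporting Services host and returns it itself, so
             the web part's IFRAME now points at the portal origin and
             https://bi.customer.org need not be published on the Internet. -->
        <rule name="Proxy Reporting Services under the portal host" stopProcessing="true">
          <match url="^(ReportServer|Reports)(/.*)?$" />
          <!-- Internal hostname is an assumed placeholder. -->
          <action type="Rewrite" url="https://bi.customer.internal/{R:1}{R:2}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

This only merges the two hosts into one browser-facing boundary; how the front end authenticates to the BI server over the proxied hop (Kerberos SPNs, delegation, or a service account) is the separate server-side boundary David describes and still has to be configured deliberately.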