I have a situation where I have to autheticate SharePoint user to another website that is not part of the sharepoint domain without asking user to login again.
I have sharepoint part of domain1. I have users in domain1 that log into sharepoint using NTLM by authenticating to domain1. I don't have any control over this domain and sharepoint configuration. I am working on a ASP.net application which needs to authenticate users from domain1 without prompting users for login if they have already logged into sharepoint server.
Is it possible to do? If yes please let me know how I can do this. I may be able to install a webpart on the Sharepoint if this allows me to do single sign on between sharepoint and my application.
If your web side (asp pages) are in domain 2, you can do it as follows:
Configure domain 2 to trust domain 1.
Create a group with all users in domain 1 that you want to give access to your asp pages
Configure your site to use windows authentication
Grant the user group access to your site
In this case it will not actually matter if they have logged into SharePoint first or not.
Related
I am kind of new to this, and I'm still trying to figure out how the whole thing works.
I have a sharepoint site, and I also have separate ASP webpages, they are under the same domain, but different servers. They both authenticate to AD.
I thought that by having my webpages under the same domain as the sharepoint, once I had an user authenticate to sharepoint (windows authentication), my webpages would be able to find who that was, as long as they had windows authentication also. But I guess it doesn't work like that.
So, my main goal is: from an ASP.NET page, I want to be able to get the authentication info from SharePoint.
What should I do?
Thanks!
The users are authenticated by thier login credentials with AD. In a C# ASP.Net page you can get thier username from System.Web.HttpContext.Current.User.Identity.Name
You can use this information to make a web service call to the SharePoint User Profile Service in order to get details SharePoint records on that user. This assumes that the user profile services is installed and running (not a given).
As for authentication information, you will need to be more specific about which information.
Remember that the rights given to a given AD user differ completely between what is permissioned for SharePoint and anything you have for the ASP.Net website.
If you are wanting to get information on what permissions a given user has, you can use the SharePoint Permissions web service to get information on what permission there are.
Unfortunately, accessing that webservice requires elevated rights on the SharePoint server.
If you are just wanting to align the two sites so they have consistent permissions, your easiest bet is to create the relevant groups in AD and permission those groups independantly in each application.
I have a application on iis7 using anonymous authentication. I want to retrieve the LOGON_USER from the server variables. It is currently empty. Microsoft suggests how to populate the values of serer variables in this post.
But that is for iis5 & 6. How to do it in IIS7?
Actual problem I am trying to solve is: the application is for intranet and internet users and is a sitecore application running on iis7. If I use windows authentication, I get the domain and username and I can bypass login for intranet users, but for external users, i need to have anonymous authentication also. Having both together will not populate values in the server variables. Have been going through many posts. Also this which says to use Forms and windows authentication.
Not able to solve it properly.
Any help is appreciated.Thanks!!!
In order to track a user profile, the user will need an ASP.Net profile created.
There is programming involved to associate a Sitecore DMS/OMS visitor profile with an actual Asp.net profile. If you want to continue to track Sitecore user profile, you would have to use the Tracker.Visitor.ExternalUser and not iis to determine the current visitor on the internet site.
I have a site where the vast majority of the content will be secured using Forms Authentication. However there is one sub folder that will be used internally by the administrative staff. I would like to secure this folder using Windows Authentication. Is that possible? Would I have to make the admin folder a virtual directory?
CLARIFICATION: There is no need for the administrative staff to access the main site. They are really two separate sites/apps. Regular users will access the main application via Forms Authentication (and never access the admin folder). And admin users will access the admin application via Windows Authentication (and never access the main site).
Thanks,
Corey
Yes, it's possible but you have to build a custom membership provider or an interface to allow for it. It is not possible to specify individual authentication methods on sub-folders unless they are in completely separate projects/application domains.
One method to accomplish this would be to use an LDAP membership provider and change the ldap connection based on the username (if there is a discernible method of doing this).
One other method would be to provide a separate website that uses the Windows authentication to perform the login and then constructs a custom cookie for the user and transfers them back to the original website identifying the individual as a member of the administrative staff.
Then the folder could be secured using the <location> elements in the web.config.
If I was going to build a site with Mixed authentication, I would setup the site to use webforms. I would then setup a virtual application inside of this application that consisted of the same forms auth web.config information but set to use Windows Auth.
On the login page of the windows auth site after you validate their credentials I would then manually call FormsAuthentication to create the auth token. At this point you can then redirect the user to the Forms Auth site and they should be logged in (as long as all the forms auth cookie information is the same for both sites, this might also include needing to setup the same machine keys for both applications).
I haven't done this specifically but this should definitely be a viable (and probably one of the most optimal) solutions.
It may be as simple as right-clicking on the admin folder in Windows Explorer and setting the rights in the Security tab.
Put the administration site in its own application - by right clicking on the folder in IIS manager and and choose convert to application.
Once that's done you can adjust the authentication method on the application by highlighting the application folder in IIS manager and then choosing authentication and adjusting them (or you can do it the hard way via web.config if you can't remote into the machine).
I built an INTRANET ASP.NET website for which authentication is set to "integrated windows authentication" and in authorization section of web.config, I have specified the AD groups (domain\groupname) to restrict the access to only to the members of those AD groups. multiple AD groups are specified in web.config (domain1\group1, domain2\group2 etc). now this works fine for users of one domain1 (where it is hosted), but for users of another domain (domain2), they get a prompt to enter their windows credentials and if they enter it, then it works and they can access the site without any problem. but I would like to avoid this login prompt, because I granted access to groups of both domains. why are they getting this prompt and is it possible to suppress it? do I need to configure something in IIS or web.config for it? Thanks in advance.
I believe users in Domain2 can add your website, hosted in Domain1, to their list of Intranet Sites in Internet Explorer->Internet Options->Security->Local Intranet Zone. This zone should automatically log on with the current user name and password. You could make this an AD policy.
I'm not sure that you can do this - I believe that users from outside the hosted domain will always be prompted for credentials with 'integrated' security.
You could probably use forms authentication to handle multiple domains. I am heading down the Windows Indentity Foundation path myself (which I have no desire to learn) so I'd love for someone to tell me I'm wrong about this!
I need to integrate my sharepoint site and ASP.net site. So, First login will occur in the SharePoint site with Active Directory authentication and from there i need to traverse to ASP.Net site through a link. Now my question is whether its possible to pass my SharePoint Active Directory credentials to ASP.Net site? Will i be able to do this through a query string? Will i be able to navigate to and fro between SharePoint and ASP.Net sites.
The main point here is the user should not enter his credentials twice ( ie.. He should be authenticated automatically while navigating between two sites.)
What are the options available for me?
Do these things possible to achieve? SharePoint will be hosted using Windows SharePoint Services 3.0.
Thanks in advance,
ReplyQuote
Is the ASP.NET site on the same network? If so, then you can use AD (Windows Auth) for authentication on the ASP.NET site just like you're using it on the SharePoint site. You don't need to pass the credentials, and you can't anyway since all you have is an authenticated identity. If you configure the ASP.NET site to require Windows Authentication, you'll be able to get the user's identity from the server variables (AUTH_USER).
See How to: Use Windows Authentication in ASP.NET 2.0