June 30th, 2010, 02:21 PM
How to set up Single Sign On with a Windows 2008 RC2 and IIS7 server
So a couple of weeks ago I installed an intranet solution for a client.. For this, they also wanted to integrate their (local) Active Directory with auto login (Single Sign On). After several tries and fails with Apache's solutions, I decided to use IIS7 on a Windows 2008 RC2. The problem was, I've had no experience with either a Windows Server or an IIS server.. (or any other servers for that matter.. xampp is my friend ) After a couple of hours I was able to finally fetch the AD username from $_SERVER['REMOTE_USER'], which is what I check for in my PHP autologin script. This was an easy setup because the intranet was only going to be accessed by computers inside their local network.
Since then, I've been working for another client with the same intranet solution. Only this time their AD is hosted by a company on the other side of the country. With very strict rules. The Intranet should also be available for members not logged into their domain (Internet). These members should be able to log in via a standard form with a username / email and password stored in a MySQL database.
I now have a "working" setup. But it's not what I was looking for. First the members must connect to the AD domain using the Citrix. Second they have to set up their IE browser (add the https url to Tools > Internet Options > Security > Trusted sites). By doing this they won't get a popup dialog asking for their domain\username and password. Members trying to access the site outside the domain are always met with a popup.
Tomorrow I have a meeting with the client, and I'm worried sick :\ This is not what I promised them. So I'm wondering (and hoping) anyone here can tell me if this is even possible. If so, how can I remove the popup box and allow a login via a standard HTML form (like mentioned above)? What am I doing wrong?
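As an added illustration of the REMOTE_USER check described in the post (example code, not the poster's script), assuming IIS is configured so that the SSO entry point uses Windows Authentication while the fallback path allows anonymous access; the member lookup and login-form functions are hypothetical:

```php
<?php
// Added example (not the original post's script): accept an IIS Windows
// Integrated Authentication identity when present, else fall back to a form.
// Assumes IIS exposes the principal in $_SERVER['REMOTE_USER'] (empty under
// Anonymous Authentication); lookupMemberByAdAccount()/showLoginForm() are
// hypothetical application functions.
const ALLOWED_AD_DOMAINS = ['CORP'];  // constructed: NetBIOS domain(s) you trust

// Parse "DOMAIN\user" or "user@domain.tld" into ['domain'=>..., 'user'=>...].
// Returns null for anything that does not match the expected shape.
function parseWindowsPrincipal(string $raw): ?array {
    if (preg_match('/^([A-Za-z0-9.-]{1,64})\\\\([A-Za-z0-9._-]{1,64})$/', $raw, $m)) {
        return ['domain' => strtoupper($m[1]), 'user' => strtolower($m[2])];
    }
    if (preg_match('/^([A-Za-z0-9._-]{1,64})@([A-Za-z0-9.-]{1,253})$/', $raw, $m)) {
        $short = strtoupper(explode('.', $m[2])[0]);  // UPN: left-most DNS label
        return ['domain' => $short, 'user' => strtolower($m[1])];
    }
    return null;
}

// REMOTE_USER is only meaningful when IIS itself authenticated the request
// (Windows Authentication on, Anonymous off for this path); IIS sets it from
// its own authentication result, not from any header the browser sends.
function ssoIdentity(array $server): ?array {
    $raw = $server['REMOTE_USER'] ?? '';
    if ($raw === '') {
        return null;                        // anonymous request: show the form
    }
    $p = parseWindowsPrincipal($raw);
    if ($p === null || !in_array($p['domain'], ALLOWED_AD_DOMAINS, true)) {
        return null;                        // unknown domain: no auto-login
    }
    return $p;
}

session_start();
$id = ssoIdentity($_SERVER);
if ($id !== null && ($member = lookupMemberByAdAccount($id['domain'], $id['user']))) {
    session_regenerate_id(true);            // new session id on login
    $_SESSION['member_id'] = $member['id'];
    header('Location: /intranet/');
    exit;
}
showLoginForm();                            // MySQL username/password form
```

Browsers outside the domain never reach the Windows-authenticated path, so they see the HTML form instead of the credentials popup; domain members hit the SSO path and are logged in from the AD account mapped in the database.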
Check the IIS online help, there is a lot of information on IIS authentication. Basically you want to set IIS to use windows integrated authentication and use windows security groups to control access to webs/files.
The man who doesn't read good books has no advantage over the man who can't read them.