#1
We are in the process of moving our company from an IBM Domino web world to Microsoft. The first part of this endeavor is to revamp our corporate intranet site and run it under IIS, but we would like to implement the new site using single-sign-on. The problem is I am a software/web developer, not a network engineer.

Here is what I have so far:

1) Virtual PC running Win 2003 server acting as my Active Directory/Domain controller and DNS server.
2) Virtual PC running Win 2003 server acting as my web server running IIS
3) Virtual PC running Win XP acting as a client.

a) I have made the virtual machines 2 & 3 members of my test domain
b) Everyone can ping each other by name or IP
c) I have created a test user account on my domain controller
d) I can log in to the virtual network using the XP client and the new test user account
e) I have created a virtual directory on the web server to point to a test application that is configured to utilize "windows authentication", and I have set the virtual directory properties to use integrated authentication.

My problem occurs when I try to access my test application from a browser on the XP client. I get prompted for a login id, but when I enter my test user's login credentials, IIS will not accept them.

Have I missed a step in my configuration, or the setup of my domain? Is there something on the IIS server that needs to be set up to authenticate incoming users against the domain?

I'm at a loss and need help.

Thanks.

#2
Hi,

You need to define what 'iis does not accept the credentials' means. Do you mean IIS has rejected the credentials as invalid? Or do you mean IIS has accepted the credentials, but the user is not authorized to request the page?

The former can be checked in the Windows security event log on the IIS server (you will need to manually enable Logon Failure auditing in the local security policy on the IIS server: Start -> Run -> secpol.msc). One common mistake when using Integrated Windows Authentication is not using Domain\Username (or user@domain) format (i.e. leaving off the domain part).

The latter usually involves tweaking NTFS permissions to permit the user account the required rights (usually just Read).

Cheers
Ken

"bmcdougald@gmail.com" <bmcdougald@hotmail.com> wrote in message news:06d16bc7-1554-461a-8c43-99b97dc002b6@a70g2000hsh.googlegroups.com...
> We are in the process of moving our company from an IBM Domino web
> world to Microsoft. The first part of this endeavor is to revamp
> our corporate intranet site and run it under IIS, but we would like to
> implement the new site using single-sign-on. The problem is I am a
> software/web developer, not a network engineer.
>
> Here is what I have so far:
>
> 1) Virtual PC running Win 2003 server acting as my Active Directory/
> Domain controller and DNS server.
>
> 2) Virtual PC running Win 2003 server acting as my web server running
> IIS
>
> 3) Virtual PC running Win XP acting as a client.
>
> a) I have made the virtual machines 2 & 3 members of my test domain
> b) Everyone can ping each other by name or IP
> c) I have created a test user account on my domain controller
> d) I can log in to the virtual network using the XP client and the
> new test user account
> e) I have created a virtual directory on the web server to point to a
> test application that is configured to utilize "windows
> authentication", and I have set the virtual directory properties to
> use integrated authentication.
>
> My problem occurs when I try to access my test application from a
> browser on the XP client. I get prompted for a login id, but when I
> enter my test user's login credentials, IIS will not accept them.
>
> Have I missed a step in my configuration, or the setup of my domain?
> Is there something on the IIS server that needs to be set up to
> authenticate incoming users against the domain?
>
> I'm at a loss and need help.
>
> Thanks.

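An added example, not part of the thread or any poster's code: the two cases distinguished in the reply above also appear in the IIS W3C extended log as 401 sub-status codes, and this sketch reads a constructed log excerpt and reports each client's final outcome per URL. The log lines, the chosen fields and the helper names `parse_w3c` and `triage` are assumptions made for illustration.

```python
# Constructed IIS 6 W3C extended log excerpt (sample data, not from the thread).
SAMPLE_LOG = r"""
#Fields: date time c-ip cs-username cs-uri-stem sc-status sc-substatus sc-win32-status
2008-01-01 10:00:01 192.168.105.25 - /testapp/default.aspx 401 2 2148074254
2008-01-01 10:00:01 192.168.105.25 VIRTUALWIN\jfever /testapp/default.aspx 200 0 0
2008-01-01 10:05:10 192.168.105.26 - /testapp/default.aspx 401 2 2148074254
2008-01-01 10:05:14 192.168.105.26 - /testapp/default.aspx 401 1 1326
2008-01-01 10:07:30 192.168.105.27 - /testapp/report.aspx 401 2 2148074254
2008-01-01 10:07:30 192.168.105.27 VIRTUALWIN\jfever /testapp/report.aspx 401 3 5
"""

# IIS 401 sub-status codes mapped onto the two cases distinguished in the reply.
VERDICTS = {
    "1": "credentials rejected: check the Security log and DOMAIN\\user format",
    "2": "logon failed due to server configuration: check enabled auth methods",
    "3": "authenticated but denied by ACL: check NTFS permissions",
}


def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def triage(text):
    """Return {(client, uri): verdict} for requests whose final outcome is a 401."""
    last = {}
    for row in parse_w3c(text):
        # Integrated authentication starts with an anonymous request that is
        # answered with a 401, so only the last response per client and URI
        # reflects the real outcome.
        last[(row["c-ip"], row["cs-uri-stem"])] = row
    return {
        key: VERDICTS.get(row["sc-substatus"], "other 401 sub-status")
        for key, row in last.items()
        if row["sc-status"] == "401"
    }


if __name__ == "__main__":
    for (client, uri), verdict in triage(SAMPLE_LOG).items():
        print(f"{client} {uri}: {verdict}")
```

The first client is not reported because its initial 401 is followed by a 200 on the same URL, which is the normal integrated-authentication handshake.
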
#3
Thank you for your reply. I found a major part of my problem. I had cloned the IIS server from a "base" image of a Windows Server 2003 virtual machine, which my AD controller is also based on. Thus the SIDs of both servers were the same and conflicting with each other.

I am now able to authenticate to IIS from the XP client via a browser. However, I'm still being challenged with our site's login page instead of IIS just allowing me on through to the site's content as you would expect with single-sign-on.

From your reply above you mentioned that the username might have to be in Domain\user or user@domain format. It appears that this format is not being used given the info from the logs. I went into the permission settings on the IIS application's virtual directory properties and added the "Domain Users" group to the list of groups or users on the security tab, but I had no luck. Next I tried adding my test user explicitly using the name user@domain format, and then retried to access from the client, but I still get challenged for login credentials.

This is what I'm seeing in the security event log:

    Successful Network Logon:
    User Name: jfever
    Domain: VIRTUALWIN
    Logon ID: (0x0,0x3A765)
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name:
    Logon GUID: {25328746-96fc-ca9d-0dc3-784a28905ce3}
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 192.168.105.25
    Source Port: 1425

#4
Never mind, it's working.