Integrated Windows Authentication and SSL
I have an administrative site on our intranet that is currently using Integrated Windows Authentication over IIS. We would like to bring this application to a public website and secure it with SSL so that our users can access it from anywhere.
I was planning on using the HttpModule to redirect from http to https, but it doesn't seem to work with integrated authentication (login popup appears before redirecting).
Have I checked the "Require SSL" checkbox in IIS? This doesn't seem to be user-friendly as the user gets a nice fat error page instead of a gentle redirect if they forget to use the https url.
What would you do in this situation?
source to share
We had similar issues on our intranet site and as a result, we switched from Integrated Windows Authentication to asking for their network name / password directly on the site. This way we can redirect them to HTTPS or other similar things without worrying about when the authentication popup appears.
We have code like this (assuming you're using ASP.NET) that authenticates the user, and then we save the authentication state in a cookie.
public static bool AuthenticateUser(string username, string password)
{
System.DirectoryServices.DirectoryEntry _entry = new System.DirectoryServices.DirectoryEntry(ldap_path, username, password, System.DirectoryServices.AuthenticationTypes.Delegation);
bool _authenticated = false;
try
{
Object _o = _entry.NativeObject;
_authenticated = true;
}
catch
{
_authenticated = false;
}
finally
{
// Avoids the "multiple connections to server not allowed" error.
_entry.Close();
_entry.Dispose();
}
return _authenticated;
}
In the end, it saved us a bunch of headaches and frustrations by addressing all of the authentication in the application, not depending on IIS.
source to share
I solved this as an IIS issue every time, not a code issue:
- create a new website in IIS
- bind it to the same IP address (and / or host header), to your SSL certificate and to port 443
- configure this to point to the same application root as the site's current port 80
- to make sure connecting directly to https: // site gives expected responses
- reconfigure the original site (still bound to port 80) to use the HTTP redirect feature.
- configure the port 80 site to redirect to the port 443 site; it is not necessary to remove the app and virtual directory mappings (in case someone accidentally disables redirection)
From now on, any user who simply types the website address in their browser will receive an instant forward redirect message from IIS that sends them to the SSL secured version of the site.
source to share