Integrated Windows Authentication & SSL
I have an administrative website on our intranet that currently uses Integrated Windows Authentication through IIS. We would like to move this application to a public website and secure it with SSL so our users can access it from anywhere.
I had been planning on using an HttpModule to redirect from http to https, but it doesn't look like this works with integrated authent开发者_运维知识库ication (the login popup appears before the redirect).
Am I stuck using the "require SSL" checkbox in IIS? This doesn't seem all that user friendly since the user gets a nice fat error page instead of a gentle redirect if they forget to use the https URL.
What would you do in this situation?
I've solved this as an IIS problem every time, not a code problem:
- create a new web site in IIS
- bind it to the same IP address (and/or host header), to your SSL cert and to port 443
- configure this to point to the same application root as the current port 80 site
- test to make sure that directly connecting to https://site gives the expected responses
- reconfigure the original site (still bound to port 80) to use the HTTP Redirect feature
- configure the port 80 site to redirect to the port 443 site; optionally, remove the application and virtual directory mappings (in case someone accidentally disables the redirect)
From then on, any user that just types the web site address into their browser will get a lightning-fast redirect message from IIS that sends them to the SSL-protected version of the site.
We had similar issues on our intranet site and ended up switching from Integrated Windows Authentication to requesting their network username/password directly on the site. That way we can redirect them to HTTPS or other such things without worrying about when the authentication popup shows up.
We have some code similar to this (assuming you're using ASP.NET) that authenticates the user, and then we store the authentication state in a cookie.
public static bool AuthenticateUser(string username, string password)
{
System.DirectoryServices.DirectoryEntry _entry = new System.DirectoryServices.DirectoryEntry(ldap_path, username, password, System.DirectoryServices.AuthenticationTypes.Delegation);
bool _authenticated = false;
try
{
Object _o = _entry.NativeObject;
_authenticated = true;
}
catch
{
_authenticated = false;
}
finally
{
// Avoids the "multiple connections to server not allowed" error.
_entry.Close();
_entry.Dispose();
}
return _authenticated;
}
It ended up saving us tons of headache and frustration by handling all authentication in the application rather than depending on IIS.
精彩评论