Single Sign on


This thread is closed to new posts. You must sign in to post in the forums.
12/3/2010 9:09:01 AM
Total Posts 154

Single Sign on

I created a Mojo Intranet site that has AD integration. Is there any way I can configure single sign on so Mojo will use their domain credentials instead of having to manually enter them?

Thanks,

Dave

12/3/2010 9:28:59 AM
Total Posts 18439

Re: Single Sign on

If your users all use IE, you could potentially use Windows Authentication. Other browsers generally won't support this, though I think there is a Firefox extension to support it, but it would have to be installed on the client machines that use FF.

With Windows Authentication IE should automatically pass in the user's domain credentials as long as the user is signed into the domain and the web server is also a domain member.

Hope it helps,

Joe

12/3/2010 9:53:33 AM
Total Posts 154

Re: Single Sign on

I went into the default website, under the directory security tab, under authentication and access control, and both enable anonymous access and integrated windows authentication are checked.  I applied this setting to the Mojo virtual directory.  Am I missing something?  The user can view the page without entering credentials but they still need to sign in to Mojo itself. 

 

 

12/3/2010 10:32:13 AM
Total Posts 18439

Re: Single Sign on

Read the doc I linked to thoroughly; that is all the information I know about using Windows Auth. Make sure you update your web.config as indicated.

12/3/2010 10:40:24 AM
Total Posts 154

Re: Single Sign on

Doh!  I didn't even realize it was a link to a doc.

12/3/2010 11:16:07 AM
Total Posts 154

Re: Single Sign on

Ok it seems to be working.  It is using domain\username for the username and it isn't filling in their E-Mail address automatically.  Is this normal? 

12/3/2010 11:47:14 AM
Total Posts 18439

Re: Single Sign on

Yeah, it doesn't have a way to know the user's email address. We could possibly make an assumption there that the email is user@domain.com, but that would likely be a false assumption in many cases.

I'll look into making a config option that could enable you to confirm the assumption and make it do that.

Best,

Joe

12/3/2010 11:52:27 AM
Total Posts 154

Re: Single Sign on

Maybe you could configure an assumption based on a specified template. In our environment our E-Mail convention is firstname.lastname@domain.com. Another common one would be firstnamelastinitial@domain.com. That template would work for every user in our domain.

12/3/2010 11:58:37 AM
Total Posts 18439

Re: Single Sign on

There is no way I can make it perfect; if you use more than one scheme for your own users, then no matter what I do it will guess wrong for some users.

Here is what I'm implementing for the next version:

private string GuessEmailAddress(string userName)
{
    // Only guess when the site has opted in via config.
    if (WebConfigSettings.GuessEmailForWindowsAuth)
    {
        if (userName.Contains("/"))
        {
            // Split at the first separator; taking the remainder avoids
            // stripping the domain text from inside the user name itself.
            int separator = userName.IndexOf("/");
            string domain = userName.Substring(0, separator);
            string user = userName.Substring(separator + 1);
            return user + "@" + domain + WebConfigSettings.WindowsAuthDomainExtension;
        }
    }

    return string.Empty;
}

Where WindowsAuthDomainExtension will default to .com

Best thing to do would be to tell users they need to update their email address under My Account the first time they use the site.

Best,

Joe

 

12/3/2010 1:32:43 PM
Total Posts 154

Re: Single Sign on

That sounds great Joe!  It's behaving kinda strange.  The SSO works perfectly when I go to http://servername but when I browse to http://servername.domain.com it always asks for the logon.  Any ideas? 

12/3/2010 10:07:09 PM
Total Posts 2239

Re: Single Sign on

Hey Joe,

Just reviewing this thread and I noticed you may be using the wrong slash in your code. You're using a forward slash (/) for the domain separator but a back slash (\) should be used.

Thanks,
Joe D.

12/4/2010 7:11:20 AM
Total Posts 18439

Re: Single Sign on

Thanks Joe! You are right.

Best,

Joe
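
The backslash separator discussed above, as an added example that is not part of the original thread or mojoPortal's own code. The class and method names are hypothetical, and `domainExtension` stands in for the `WindowsAuthDomainExtension` setting mentioned in the thread; the sample identities are constructed.

```csharp
using System;

// Added example: hypothetical names, not mojoPortal code.
static class EmailGuessDemo
{
    // Windows Authentication reports the identity as DOMAIN\user (backslash).
    // domainExtension mirrors the WindowsAuthDomainExtension setting from the thread.
    static string GuessEmailAddress(string identityName, string domainExtension)
    {
        if (string.IsNullOrEmpty(identityName)) return string.Empty;

        int separator = identityName.IndexOf('\\');
        // No separator, empty domain ("\user") or empty user ("DOMAIN\"): do not guess.
        if (separator <= 0 || separator == identityName.Length - 1) return string.Empty;

        // Split by position. Removing the domain text with Replace() would also
        // strip it from inside the user name (corp\corpadmin would become "admin").
        string domain = identityName.Substring(0, separator);
        string user = identityName.Substring(separator + 1);

        // A second backslash or an '@' means this is not a plain DOMAIN\user name.
        if (user.IndexOf('\\') >= 0 || user.IndexOf('@') >= 0) return string.Empty;

        return (user + "@" + domain + domainExtension).ToLowerInvariant();
    }

    static void Main()
    {
        // Constructed sample identities, including malformed ones.
        string[] samples = { @"CONTOSO\dave", @"corp\corpadmin", "CONTOSO/dave", @"CONTOSO\", "dave" };
        foreach (string name in samples)
        {
            string guess = GuessEmailAddress(name, ".com");
            Console.WriteLine("{0,-16} -> {1}", name, guess.Length == 0 ? "(no guess)" : guess);
        }
    }
}
```

The domain part of a Windows identity is often the NetBIOS name rather than the mail domain, so a guessed address should be treated as unverified until the user confirms it under My Account.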

12/4/2010 10:00:45 AM
Total Posts 18439

Re: Single Sign on

The SSO works perfectly when I go to http://servername but when I browse to http://servername.domain.com it always asks for the logon. Any ideas?

Windows Authentication only works on a local network, not on the internet. If servername.domain.com maps to a public internet IP address it will not work.

12/6/2010 11:22:26 AM
Total Posts 154

Re: Single Sign on

I fixed it by adding the full DNS name to IE as a trusted Internet site in the IE security settings. 

12/6/2010 11:56:22 AM
Total Posts 18439

Re: Single Sign on

I would not recommend using Windows authentication for a site that has a public facing IP address on the internet; it should only be used on a local network/intranet.

Users on your local network should connect over the local network, not the public IP address. I'm not positive, but by exposing your site on the internet you "may" be giving hackers an opportunity for dictionary attacks to guess actual domain user credentials, because IE will keep prompting until valid credentials are given.

http://msdn.microsoft.com/en-us/library/ee825205%28CS.10%29.aspx

 

12/6/2010 12:37:51 PM
Total Posts 154

Re: Single Sign on

It's all for local use.  The problem I'm having is our VPN users use the FQDN to access all of our servers. 

3/16/2011 9:29:54 AM
Total Posts 3

Re: Single Sign on

For a site that was not initially using Windows Authentication, how do I give myself administrator rights again? Looking at the member list there are now 2 accounts for me, dest135 and domain\dest135. I temporarily turned off windows authentication and went back to the old web.config, but I wasn't an administrator anymore?

3/16/2011 9:42:49 AM
Total Posts 3

Re: Single Sign on

I turned it off again and refreshed a few times and I was given my administrator privileges back, then added my new account to the administrators group and deleted the old account after I turned Windows Auth back on. Works like a charm now, absolutely wonderful!
