This article supplements the product documentation to provide a better understanding of the settings involved in configuring SSO with Active Directory.
To understand the settings Ektron asks for, it helps to understand how client requests flow through the ASP.NET architecture. Refer to the image below, taken from this Microsoft article.
The important thing is that Web clients communicate with ASP.NET through Microsoft Internet Information Services (IIS). The authentication settings in IIS and the site's web.config determine how authentication is conducted. The steps below should help you properly configure SSO.
The Ektron Product Documentation for configuring AD SSO can be found here.
The next segment breaks down the steps in the documentation and provides additional information.
The documentation presents the following steps:
- Modify Web.config for single sign on.
- Adjust security on the site root folder.
- Adjust security for autologin.aspx.
- Update the Login Server Control.
- Additional Step - Not Ektron documentation: Browser Settings.
Modifying Web.config for single sign on:
Step 2 refers to the following key.
The value is case sensitive. If improperly set, the key does not work.
Step 4 refers to the following keys.
<authentication mode="Windows" />
<identity impersonate="false" userName="" password=""/>
Setting the authentication mode to Windows tells the web application to use the Windows Authentication Provider.
Windows Authentication treats the user identity supplied by Microsoft Internet Information Services (IIS) as the authenticated user in an ASP.NET application. Impersonation is set to False, because Ektron does not want to use the Windows identity supplied by IIS for permission checking, such as NTFS file permissions, or for connecting to a database using integrated security.
Disable Basic Digest Authentication in some web.configs. Please click here for more information.
Adjust security on the site root folder:
Step 4: On the Authentication screen, enable Anonymous Authentication.
Anonymous authentication gives users access to public areas of your Web site without prompting them for a user name or password. Although listed as an authentication scheme, it is not technically performing any client authentication because the client is not required to supply any credentials.
Adjust security for autologin.aspx:
This step in the documentation is interesting, as it is written for users who want to take advantage of the built-in login templates in the min starter site. What is important to take away from this are the settings. If the settings are applied to the custom login template, SSO works there as well.
For example, for the sample Clickless Autologin to work, the settings in this section would have to be applied at the file/subfolder level.
The settings are as follows:
- Anonymous Authentication: Disabled
- Forms Authentication: Disabled
- Windows Authentication: Enabled
Assuming that all other settings previously mentioned are in place, the settings on the file match our web.config, which is to use Windows Authentication.
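One way to check a configuration file against the settings listed above, as an added example that is not part of the Ektron documentation or of this article's original text. The sample web.config is constructed, `audit_sso_config` is a hypothetical helper name, and the example assumes the IIS authentication sections are delegated so they appear in web.config (where they are locked, they are stored in applicationHost.config under a `<location>` path instead).

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the Ektron docs). Assumes the IIS authentication
# sections are delegated so they can appear in web.config; on many servers they
# are locked and live in applicationHost.config instead.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="false" userName="" password="" />
  </system.web>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" />
  </authentication></security></system.webServer>
  <location path="autologin.aspx">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="false" />
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""

IIS_AUTH = "system.webServer/security/authentication/"

def _attr(node, path, name):
    """Return an attribute value, or None if the element or attribute is absent."""
    el = node.find(path) if node is not None else None
    return el.get(name) if el is not None else None

def audit_sso_config(xml_text, login_page="autologin.aspx"):
    """Return a list of findings; an empty list means the settings match the article."""
    root = ET.fromstring(xml_text)
    page = next((loc for loc in root.findall("location")
                 if (loc.get("path") or "").lower().endswith(login_page.lower())), None)
    expected = [
        ("authentication mode", _attr(root, "system.web/authentication", "mode"), "Windows"),
        ("identity impersonate", _attr(root, "system.web/identity", "impersonate"), "false"),
        ("site root anonymousAuthentication", _attr(root, IIS_AUTH + "anonymousAuthentication", "enabled"), "true"),
        (login_page + " anonymousAuthentication", _attr(page, IIS_AUTH + "anonymousAuthentication", "enabled"), "false"),
        (login_page + " windowsAuthentication", _attr(page, IIS_AUTH + "windowsAuthentication", "enabled"), "true"),
    ]
    # Exact string comparison: a value such as mode="windows" is reported too.
    return [f"{name}: expected {want!r}, found {got!r}"
            for name, got, want in expected if got != want]

if __name__ == "__main__":
    for finding in audit_sso_config(SAMPLE_WEB_CONFIG) or ["all settings match"]:
        print(finding)
```

A missing `<location>` entry for the login page is reported as `found None`, which is the case where the file-level settings were never applied and the page inherits Anonymous Authentication from the site root.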
Update the Login Server Control:
The sample in the documentation is sufficient for the Login Server Control. If you want to use APIs, review the following documentation.
Browser Settings:
Even if everything else is configured properly, the client-side browser has its own security measures. The browser will challenge for credentials, which defeats the purpose of SSO.
For more information on NTLM please click here.
Testing:
Testing SSO cannot be done on the server where SSO is configured. It must be conducted from outside the server for actual results.