I have a program in a server and the user access to it by the ip address https://123.45.54.63
Then the server ask for credentials and users can mark on remember my credentials to autofill de user and password fields the next time.
But i do not know how to make the automatize the login so the user does not have to click on login and just use the application by accessing to the server ip.
I mark in Tools -> Internet options -> security -> local intranet -> customize -> and mark the login automatically option for intranet but it still ask for the credentials autofilled.
It is possible to make internet explorer 11 to log automatically?
Whether the user's computer and the server is in the same Intranet Zone?
If they are in the same zone, you could try to select the "Automatic logon with current user name and password" option (Internet options -> security -> local intranet -> customize ).
If still not working, you could try to add the IP address to the "Local Intranet Sites" in security in IE.
If the user's computer and the server are not in the same zone, you should enable the "Automatic logon with current user name and password" in the Internet Zone.
Edit:
Please check this article,
When using the Windows Integrated authentication, the Internet Explorer might automatically authenticate a user's logon and password and maintain security. You could check the conditions for Internet Explorer to automatically authenticate a user's logon and password and maintain security:
Windows Integrated authentication, also known as Windows NT
Challenge/Response, must be enabled in the Web site properties in
IIS. Anonymous authentication is attempted first, followed by Windows
Integrated authentication, Digest authentication (if applicable), and
finally Basic (clear text) authentication.
Both the client and the Web server must be either in the same Microsoft Windows NT-based or Microsoft Windows 2000-based domain or in trusted Windows NT-based or
Windows 2000-based domains in which the user's account can be granted
permissions to resources on the IIS-based computer.
The user's browser must be Internet Explorer. Internet Explorer is the only
browser that supports Windows Integrated authentication (NTCR).
Internet Explorer must consider the requested URL to be on the
intranet (local). If the computer name portion of the requested URL
contains periods (such as http://www.microsoft.com and
http://10.0.0.1), Internet Explorer assumes that the requested
address exists on the Internet and does not pass any credentials
automatically. Addresses without periods (such as http://webserver)
are considered to be on the intranet (local); Internet Explorer
passes credentials automatically. The only exception is addresses
included in the Intranet zone in Internet Explorer. Internet
Explorer's Intranet zone security setting must be set to Automatic
logon only in Intranet zone. This is the default setting for Internet
Explorer. For additional information about Internet Explorer security
zones, click the article number below to view the article in the
Microsoft Knowledge Base:
The user requesting the Web page must have appropriate file system (NTFS)
permissions to the Web page as well as all of the objects referenced
in the Web page. For example, a user may have Full Control rights to
a Web page, but is prompted for a password if the Web page refers to
graphics that are in a secure folder.
When using the Basic (clear text) authentication or Digest authentication. Internet Explorer does not pass your user name and password automatically when you are using Basic (clear text) authentication or Digest authentication. Therefore, you are always prompted for credentials when you are using these authentication methods.
Related
I have an Asp.net website for domain A users with Integrated Windows Authentication.
Now users from domain B need to access the website.
But Domain B users receive a pop-up window to input the authenticated information when they access the website
My question is:
How to configure the IIS or Windows Server to allow Domain B users to access the website without the pop-up windows for authentication, just like the users from Domain A.
There are two requirements:
Domain A needs to trust Domain B, and
On the users' computers, the website needs to be added to the Trusted Sites in the Windows Internet Options. This tells Chrome and Edge that they can automatically send the credentials of the logged in user. Firefox can do it too, but has its own setting for it.
I need to use the .Net token (or FedAuth cookie) to get in Domino credential from Active directory
The same need is describe in:
Lotus Notes and c# SSO.
Internet users are loged in a Share Point application and have to open a form in Domino.
My Domino Server is configured Assistant Directory, the users are managed in Active Directory and not in names.nsf. This works good. I can make a POST to log automatically a user of the AD.
But Share Point don't have the user password! Ideally it would be cool to POST the cookie... or run an agent that will inquire in back end the Active directory with the cookie to verify it. Is there a way to do this?
My Domino is 8.53 so I can't use SAML (if someone did this with Domino 9.0 I will be pleased to know :-).
There is a SSO using SPNEGO which can be setup on windows-based Domino servers.
More information about it can be found in the Domino Administration help (steps are very well documentd) and here:
Wiki: Deploying Windows single sign-on for Web clients (SPNEGO) in an existing Domino environment
Basically the steps to enable this are (details in notes admin help and the linked document):
Set an SPN on your windows server (to allow this server to pass Kerberos tickets to the AD)
Enable SSO on the Internet Site / Server doc
In the SSO Configuration: add all servers you will need SSO and enable windows-based SSO
Add a name mapping to your Person docs (Kerberos Principal Name Field) and set notes.ini entry WIDE_SEARCH_FOR_KERBEROS_NAMES=1 on your domino server to include this field in the namelookup
Configure browser: IE: trusted sites (add your host names), Firefox: add domino host to network.negotiate-auth.trusted-uris
Hope that helps - Michael
You could generate your own Domino Ltpa token (cookie) from sharepoint upon login. So long as the domains are set up ok, the browser should pass this to the Domino server and automatically log them in.
Feel free to contact me directly if you need specific help.
we have a sharepoint 2010 site and are using the same url to access it from inside and outside the network.
our issue is that we don't want users inside our network to get asked for credentials when accessing the site.
if, for example, the url we wanted to use was https://sp.domain.com, how would we set this up?
You can do this via Alternate Access mappings. Have two zones for your sharepoint site: Intranet and Extranet. In AAM settings:
Intranet : http://sp.domain.com
Extranet: http://extranet.domain.com
You did not specify which authentication scheme if you are using for outside network. If its forms authentication, you can set Windows for 1 and Forms authentication for 2.
However, if its AD only for both, you will have to have sp.domain.com configured as Intranet Url and extranet.domain.com as Internet Url in each of client computer. This can be done using group policy.
Your proxy server will have to do the work of transferring the sp.domain.com from external network to extranet.domain.com internally.
Good to read:
http://sharepoint.microsoft.com/blog/Pages/BlogPost.aspx?pID=804
If I was running a server that allowed certain user's on my LAN to access the WAN.
How can I reliably authenticate these users?
I could allow by checking MAC/IP adresses, but those details can be spoofed, right..
Ideally, I would like the user to:
1. connect to the LAN via DHCP
2. be re-directed to the server's login page when the user tries to browse
3. have to user enter username - password
4. if authenticated, user must be allowed to browse freely.
What you describe is proxy server,
e.g. Kerio control:
User-specific access management Each user in the network can be required to log in to Kerio Control before connecting to the Internet. That allows for restrictive security and access policies to be applied based on the specific user, rather than the IP address.
You could look for IEEE 802.1x authentication and RADIUS server solutions, e.g. freeRadius.
(There is also a Win32 binary based on Cygwin on freeradius.net.)
I am working on a site where users can login to get more private information.
My client has another site else where that uses nt authentication for accessing it.
What they want to do is have a button on the site I am working on under the private area that will send them to the nt authenticated site, but not require them to log on to that site instead passing the username and password that they used to log into my site to the other site for them.
Is it possible to do this? and how would I accomplish it? Is there a better way to do this?
Here's an (untested) theory, the details of which will greatly depend on what types of authentication the Sharepoint site will accept. I'll tackle Basic, since it's the easiest.
You'll write out some JavaScript that uses XMLHttpRequest to submit a request to the Sharepoint site, and add their username and password to the request headers. Their browser will run that JavaScript, and get logged into the Sharepoint site.
Now, when they click the link, the client's browser should have the cached credentials to send to the Sharepoint site.
Possible issues:
XMLHttpRequest does not allow cross domain auth
Browser and XHR don't share auth info
Sharepoint and XHR can't agree on auth method
Another option is to proxy the connection to Sharepoint, which allows you to login server side (bypassing XHR limitations and browser security) - but requiring load on your server and possibly some URL target issues.
How will the other site validate your username and password?
Ideally your site shouldn't even be remembering the user's password to be able to pass it to another site (you store hashes of the password, not the password itself, and only use the actually password during validation).
What if your site provided a token to the user, who presents that token to the new site, which in turn asks your site to validate the token. Basically the second site is trusting you to tell them who the user is.
This all breaks down if the second site is actually using the Windows accounts for anything other than just retrieving a user name (for example permissions on the underlying file), since the user is not logged on as the actual Windows user account in this scenario.
If you need to authenticate against the second site, you may need to spawn a new thread and call the windows LogonUser API. Once you have the security token, assign it to the new thread and do your connection via that thread.
LogonUser requires enhanced privileges, and isn't Managed code, so there are some pretty severe hiccups to using it. But that's been the only work around I've been able to find to get a Forms authenticated site talking to a Windows Authenticated Service/Site.
Hope this helps.
Is this an intranet environment? If so they shouldn't have to login anyways. If sharepoint is setup using "Integrated Authentication" and the site is listed as a trusted site in IE, the browser will use there network cred for auto login. This can be setup on firefox as well.
Your users will not be able to connect to the NTLM site directly without getting an NTLM challenge. I would write what would effectively be a proxy to the NTLM site; i.e your server-side code will have credentials to connect to the NTLM site, and it passes through the requests from your users.
As you mention it's SharePoint (spit) bear in mind that SharePoint has a bunch of Web Services you could use for this (rather than doing screen-scraping).