Subject: Client Settings to Trigger SSO
Author: authen
In response to: Client Settings to Trigger NTLM or Negotiate
Posted on: 06/02/2010 01:44:24 PM
The above configuration is sufficient to perform NTLM authentication but, by itself, it is probably not sufficient to perform SSO. SSO is when the client's browser automatically authenticates the user without asking for credentials again. There are several conditions required for SSO to occur:
1. The user must be logged into the workstation using their domain credentials.
2. The browser must support NTLM HTTP authentication.
3. The URL used to visit the site must be a fully qualified DNS hostname. A NetBIOS name, the special "localhost" name or an IP address may not work as expected.
> On 06/02/2010 01:36:36 PM authen wrote:
If your client applications (most likely the Internet browser for HTTP) are not set properly, the NTLM or Negotiate authentication mechanism may not be triggered and fired. Here are two major factors:
1) Method: Specify which authentication mechanism you are expecting
To configure Internet Explorer to initiate the NTLM or Negotiate authentication mechanism with your website, go to Tools > Internet Options > Security > Local intranet > Custom Level > User Authentication. Select "Automatic logon only in Intranet zone".
2) Target: Specify which sites are going to be considered as the zone which will use the mechanism you just defined
For the browser to initiate an authentication mechanism other than Basic, the website must be in the "Local intranet" zone. Internet Explorer may detect this automatically, but it may be necessary to explicitly add your site to the list of trusted intranet sites.
To configure Internet Explorer to initiate the NTLM or Negotiate authentication mechanism with your website, go to Tools > Internet Options > Security > Local intranet > Sites > Advanced. Add the target site (or a wildcard expression that matches the target site) to this list. Some examples of values for this list are:
http://www.example.com -- Trust one specific site for SSO
www.example.com -- Trust the specific site using either HTTP or HTTPS.
*.example.com -- Trust all sites under the example.com domain.
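The two Internet Explorer settings described in the post above (the Local intranet "User Authentication > Logon" option and the site-to-zone assignment) are stored in the per-user registry, so they can be audited and applied from PowerShell. The script below is an added example, not part of the original post; it assumes per-user (HKCU) zone settings, which Group Policy can override with HKLM equivalents, and uses example.com as a placeholder domain.

```powershell
# Added example (not from the original post): audit and apply the two IE
# settings discussed above through the registry keys they map to.
# Assumes per-user zone settings under HKCU; if Group Policy enforces the
# HKLM equivalents instead, the HKCU values are informational only.

$zonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'   # zone 1 = Local intranet
$zoneMapKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Registry value 1A00 holds the "User Authentication > Logon" setting of a zone.
$logonNames = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Automatic logon only in Intranet zone'
    0x20000 = 'Prompt for user name and password'
    0x30000 = 'Anonymous logon'
}

function Get-IntranetLogonPolicy {
    $v = (Get-ItemProperty -Path $zonesKey -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
    if ($null -eq $v) { return 'not set (IE default applies)' }
    if ($logonNames.ContainsKey([int]$v)) { return $logonNames[[int]$v] }
    return ('unknown value 0x{0:X}' -f $v)
}

# Returns the zone number a domain is explicitly mapped to, or $null when no
# entry exists (IE then falls back to its automatic intranet detection).
function Get-ExplicitZoneMapping {
    param([string]$Domain, [string]$Scheme = '*')
    $path = Join-Path $zoneMapKey $Domain
    if (-not (Test-Path $path)) { return $null }
    return (Get-ItemProperty -Path $path -Name $Scheme -ErrorAction SilentlyContinue).$Scheme
}

# Applies the settings from the post: logon = "Automatic logon only in
# Intranet zone", and "*.<Domain>" placed in the Local intranet zone for
# both HTTP and HTTPS (the '*' value name covers every scheme).
function Set-IntranetSsoSettings {
    param([Parameter(Mandatory)][string]$Domain)
    New-Item -Path $zonesKey -Force | Out-Null
    Set-ItemProperty -Path $zonesKey -Name '1A00' -Value 0x10000 -Type DWord
    $path = Join-Path $zoneMapKey $Domain
    New-Item -Path $path -Force | Out-Null
    Set-ItemProperty -Path $path -Name '*' -Value 1 -Type DWord    # 1 = Local intranet
}

"Logon policy for Local intranet zone: $(Get-IntranetLogonPolicy)"
$z = Get-ExplicitZoneMapping -Domain 'example.com'   # placeholder domain
"example.com explicit zone mapping: $(if ($null -eq $z) { 'none' } else { $z })"
```

Run the audit lines first; only call Set-IntranetSsoSettings -Domain 'example.com' (with your own domain) when the reported logon policy or zone mapping differs from what the post requires.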