Given that:
- the scope is for internal systems only,
- all workstations are part of an Active Directory domain,
- Windows authentication (i.e. NTLM or Kerberos) is the standard authentication protocol for non-web access (shared folders, printers, Microsoft Exchange, etc.) in our environment,
- Internet Explorer is the standard browser application used in our environment.
Besides cost savings, the other major benefit of this approach is that users only have to sign on to their workstations once (i.e. the normal Windows login) and then enjoy seamless access to any internal web application, just as they reach Microsoft Outlook or shared folders today.
Getting this up and running in ASP/IIS based web applications is a piece of cake. See recipe. (No pun intended.) The key steps are:
- Disable Anonymous Access and enable "Integrated Windows authentication" in IIS for the ASP/ASPX application in question.
- Do the same in the application's web.config (authentication mode="Windows") if this is an ASP.NET application.
- In your code, get the id of the logged-on user from Request.ServerVariables["LOGON_USER"] (in ASP.NET, User.Identity.Name returns the same value). The id comes back as DOMAIN\username, and it is only trustworthy once Anonymous Access is actually off: with anonymous access still enabled, LOGON_USER is simply empty.
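The three steps above, as an added PowerShell example that is not code from the original post. It assumes IIS 7 or later with the WebAdministration module and the Windows Authentication role service installed; the site name, application name and the application's web.config content are assumptions for illustration. The script scopes the authentication change to one application, writes a minimal web.config for an ASP.NET application, and then reads the settings back:

```powershell
# Added example; not code from the original post. Configures one IIS application
# for Integrated Windows authentication only, writes the matching ASP.NET
# web.config, and reads the result back.
# Assumptions: IIS 7 or later with the WebAdministration module and the
# Windows Authentication role service installed; the site and application names
# below are hypothetical. Run from an elevated PowerShell prompt.
Import-Module WebAdministration

$site     = 'Default Web Site'      # assumption: site hosting the application
$app      = 'intranetapp'           # assumption: application name under the site
$location = "$site/$app"
$authBase = 'system.webServer/security/authentication'

# Step 1: disable Anonymous and enable Integrated Windows authentication, scoped
# to this application only (other applications on the site keep their settings).
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true

# Step 2: the same intent expressed in web.config for an ASP.NET application.
# mode="Windows" tells ASP.NET to use the identity IIS negotiated, and
# <deny users="?" /> refuses any request that still arrives unauthenticated.
$webConfig = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
'@
$physical = [Environment]::ExpandEnvironmentVariables(
    (Get-WebApplication -Site $site -Name $app).PhysicalPath)
$configPath = Join-Path $physical 'web.config'
if (Test-Path $configPath) {
    Write-Warning "$configPath exists; merge the <authentication> and <authorization> elements into it by hand."
} else {
    Set-Content -Path $configPath -Value $webConfig -Encoding UTF8
}

# Step 3: verification. Returns $true only when Anonymous is off AND Windows
# authentication is on; worth re-running after deployments or server changes.
function Test-WindowsAuthOnly {
    param([Parameter(Mandatory)][string]$Location)
    $anon = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "$authBase/anonymousAuthentication" -Name enabled
    $win  = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "$authBase/windowsAuthentication" -Name enabled
    return ((-not $anon.Value) -and [bool]$win.Value)
}

Test-WindowsAuthOnly -Location $location
```

The final call returns True once both settings are in place. Keeping the check as a function rather than a one-off lets the same script double as a post-deployment sanity check: if it ever returns False, LOGON_USER will be empty and the application must not treat the request as authenticated.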
For Java web applications the equivalent is available:
- via a servlet filter like the JCIFS NTLM HTTP Authentication module, or
- via Andy Armstrong's JAAS login module.
Note that the JCIFS project has since deprecated its NTLM HTTP filter, and NTLM is the weaker of the two Windows protocols; where the servlet container supports it, Kerberos over SPNEGO is the better choice.
One gotcha to take note of: the above works when your application, hosted on the internal network, is accessed from the web browser:
- via an internal IP.
- via the hostname of the IIS server.
- via a fully qualified domain name (FQDN) that is a sub-domain under your Windows domain, e.g. your Windows domain is acme.com and your application domain name is abc.acme.com.
Any other name (typically an FQDN that is not under your Windows domain) fails, because Internet Explorer then classifies the site as an Internet site, and the default settings for that zone stop it from sending your Windows credentials. To overcome this, add the FQDN to the "Local Intranet" zone (or, failing that, "Trusted sites"). Local Intranet is the better choice: it is the zone whose defaults permit automatic logon, whereas the Trusted sites zone also relaxes other browser security settings for that site.
To make life easier for your users, and since they are all on the domain, you can get your system administrators to push this configuration change to their PCs transparently via Group Policy (the "Site to Zone Assignment List" setting) or a logon script.
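The zone assignment as a logon script, added here as an example that is not code from the original post. It writes the registry entries that Internet Explorer keeps for user-added sites, reads the assignment back, and shows the registry shape that the "Site to Zone Assignment List" policy produces instead. The host abc.acme.com is the post's own hypothetical example; the function names are assumptions:

```powershell
# Added example; not code from the original post. Puts an internal FQDN into
# Internet Explorer's Local Intranet zone by registry, the way a logon script
# would, and reads the assignment back. The host abc.acme.com is the post's
# hypothetical example. Zone IDs: 1 = Local Intranet, 2 = Trusted sites,
# 3 = Internet, 4 = Restricted sites.

# IE stores user-added sites under ZoneMap\Domains\<domain>\<host>, with one
# DWORD per URL scheme whose value is the zone ID; a bare domain (acme.com)
# sits directly under Domains\<domain>.
function Get-ZoneMapKey {
    param([Parameter(Mandatory)][string]$Fqdn)
    $labels = $Fqdn.ToLower().Split('.')
    if ($labels.Count -lt 2) { throw "Expected a dotted name such as abc.acme.com, got '$Fqdn'" }
    $base   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    $domain = $labels[-2..-1] -join '.'                       # acme.com
    $key    = Join-Path $base $domain
    if ($labels.Count -gt 2) {                                # abc (or sub.abc for deeper names)
        $key = Join-Path $key ($labels[0..($labels.Count - 3)] -join '.')
    }
    return $key
}

function Add-IntranetSite {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [int]$Zone = 1,                         # 1 = Local Intranet. 2 (Trusted sites) also allows
                                                # auto-logon but relaxes other settings for the site.
        [string[]]$Schemes = @('http', 'https') # cover both so a later move to HTTPS keeps working
    )
    $key = Get-ZoneMapKey -Fqdn $Fqdn
    New-Item -Path $key -Force | Out-Null
    foreach ($scheme in $Schemes) {
        New-ItemProperty -Path $key -Name $scheme -PropertyType DWord -Value $Zone -Force | Out-Null
    }
}

# Returns the zone ID explicitly assigned for the scheme, or $null when there is
# none (IE then falls back to its own intranet heuristics, which is exactly the
# case where a non-domain FQDN ends up in the Internet zone).
function Get-SiteZone {
    param([Parameter(Mandatory)][string]$Fqdn, [string]$Scheme = 'http')
    $key  = Get-ZoneMapKey -Fqdn $Fqdn
    $item = Get-ItemProperty -Path $key -Name $Scheme -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Scheme
}

# Group Policy alternative. The "Site to Zone Assignment List" setting produces
# a REG_SZ value named after the site under the Policies hive, with the zone ID
# as its data. While that policy is in force the per-user entries above are
# ignored and users cannot edit the zones themselves, which is what you want on
# managed workstations. Writing it here mimics the policy for a single user.
function Add-IntranetSiteByPolicy {
    param([Parameter(Mandatory)][string]$Fqdn, [int]$Zone = 1)
    $key = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $Fqdn -PropertyType String -Value "$Zone" -Force | Out-Null
}

Add-IntranetSite -Fqdn 'abc.acme.com'
Get-SiteZone -Fqdn 'abc.acme.com'        # 1 after the call above
```

Run as the user (logon scripts already do), since the entries live under HKCU. Prefer the Group Policy route on managed PCs: it is centrally auditable and, unlike the per-user entries, cannot be undone by the user adding the same name to a different zone.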