Thanks Mike for your response.

>For example, you mentioned WebAuth and CoSign. Both of these solutions
>are really targeted for highly heterogeneous environments like
>University networks where the only client requirement is that the
>browser support cookies. So it works on the IntrAnet, the IntErnet, on
>a hostile dormitory network, a kiosk at the airport, ...etc. But if
>you don't have those requirements these solutions do have quite a bit
>of overhead with all the redirecting and, more important, they do not
>give you true single-sign-on behavior. They're more like "double sign
>on" because you have to login to a central server and they get
>redirected back to the target site.


>For a strictly IntrAnet environment the WWW-Authenticate: Negotiate or
>NTLMSSP protocols used by IIS, mod_auth_kerb, Plexcel, JCIFS and
>others are the only true *Single* Sign On solutions where the clients
>existing credentials are used to transparently authenticate without
>requiring the user to enter a password. These use either the original
>WWW-Authenticate: NTLM protocol (obsolete), raw NTLMSSP (rare), raw
>Kerberos 5 (rarer) or SPNEGO (very common - used to "negotiate" either
>NTLMSSP or Kerberos 5).


That's good to know. The only thing is that the environment that I have is
an intErnet one. I really don't have an intrAnet environment. Even though
the applications are used by just the employees, they are accessible outside
the organization's network (if I am making a rookie mistake about the
concept of intrAnet, then definitely point it out). I feel as if for this
situation, Cosign would be the best because it caters to IIS, while WebAuth
does not have any stable filters for IIS.

Let me know if my logic make sense or not.

Thanks again for all your guys' help.



On 7/17/08, Michael B Allen wrote:
>
> On Thu, Jul 17, 2008 at 11:01 AM, Sharad Desai wrote:
> > Hello,
> >
> > Thanks for your responses.
> >
> >> You may want to search for SPNEGO and mod_auth_kerb. Windows IE and IIS
> >> have SPNEGO built in, and can use the Kerberos in Active Directory.
> >> Apache can use mod_auth_kerb that supports SPNEGO. With FireFox 2 on any

> > platform
> >> see the about:config and the network.negotiate-auth.trusted-uris option.

> >
> > I would have definitely considered this, but the group that I am working
> > with does not want to include AD in any solution.
> >
> > Also, (I'm not sure how familiar people are with Cosign) since Cosign
> > transforms Kerberos authentication to a cookie-based authentication which
> > the browsers can use, I was wondering if you have had any experience with
> > this.

>
> When trying to determine the right SSO solution for your web
> applications, it is important to realize that the mode of operation
> behind solutions that call themselves "SSO" varies tremendously so you
> really need to carefully state your requirements.
>
> For example, you mentioned WebAuth and CoSign. Both of these solutions
> are really targeted for highly heterogeneous environments like
> University networks where the only client requirement is that the
> browser support cookies. So it works on the IntrAnet, the IntErnet, on
> a hostile dormitory network, a kiosk at the airport, ...etc. But if
> you don't have those requirements these solutions do have quite a bit
> of overhead with all the redirecting and, more important, they do not
> give you true single-sign-on behavior. They're more like "double sign
> on" because you have to login to a central server and they get
> redirected back to the target site.
>
> Then you have "SSO" solutions like OpenID which are really more like
> "triple sign on" since you have to login to your workstation, then to
> the OpenID service and then put in the OpenID service you're using at
> the target site. This scenario is really only for the IntErnet where
> there is no chance of the client and service being members of the same
> domain.
>
> For a strictly IntrAnet environment the WWW-Authenticate: Negotiate or
> NTLMSSP protocols used by IIS, mod_auth_kerb, Plexcel, JCIFS and
> others are the only true *Single* Sign On solutions where the clients
> existing credentials are used to transparently authenticate without
> requiring the user to enter a password. These use either the original
> WWW-Authenticate: NTLM protocol (obsolete), raw NTLMSSP (rare), raw
> Kerberos 5 (rarer) or SPNEGO (very common - used to "negotiate" either
> NTLMSSP or Kerberos 5).
>
> Mike
>
> --
> Michael B Allen
> PHP Active Directory SPNEGO SSO
> http://www.ioplex.com/
>