I had to build a sign-in page for some of our subsidiaries. The initial page queries their local LDAP and if the correct credentials are entered they are then presented with two bookmarks. The 1st bookmark goes to a custom website which I post the userid to and then logs in. The 2nd bookmark goes to a different website that is supposed to prompt for a username and password. Instead, I get a dialog prompting for username, password, and realm with the realm prefilling itself with the domain. This login is a local login and not a domain login and I'm confused as to why it is coming up this way. The server where the website resides is a domain server, but I'm trying to log in to the website using local credentials, not the server itself, which I think the SA may be going after. At the end of the URL after clicking on the bookmark, I see: &domain=MY.CORP.COM&sidebar=off&proxy=0&ssoType=3
I'm fairly new to all of this and greatly appreciate any suggestions on how to resolve this.
The IVE will only follow the response that we get back from the web server when trying to access it.
If you see a pre-filled realm field it means that the backend web server could be a Kerberos-protected resource.
On the IVE ensure that you don't have any SSO enabled for the 2nd web server for either Kerberos / NTLM / Basic auth.
This guarantees that the IVE is not supplying any pre-known credentials and is only intermediating whatever the backend server requests.
Also try and access the 2nd web server without the IVE and see what prompt you get for user credentials; this will confirm if what you are seeing through the IVE is the same as what you see without the IVE.
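A small way to do that comparison without relying on what a browser dialog shows. This is an added example for this thread, not code from the original posts or from the IVE product: it sends one unauthenticated GET to each URL you give it, refuses to follow redirects, and reports what the server asked for, an HTTP authentication challenge (Negotiate, NTLM, Basic with its realm) or a redirect to a form-based login page. The `auth-probe/1.0` User-Agent string and the `MY.CORP.COM` realm in the parser docstring are constructed values for illustration; nothing here supplies credentials, so the result is exactly the challenge the IVE would be relaying.

```python
"""Report the authentication challenge a backend web server returns.

Usage:  python auth_probe.py http://server/share http://server.domain.com/share
Prints one line per URL so the FQDN and short-name behaviour can be compared.
"""
import sys
import urllib.error
import urllib.request


def _split_quoted(value, sep=","):
    """Split on sep only where it occurs outside double quotes."""
    out, cur, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur))
    return out


def parse_www_authenticate(values):
    """Classify a list of WWW-Authenticate header values.

    Returns {scheme: params}, e.g. for a constructed header
    'Negotiate, NTLM, Basic realm="MY.CORP.COM"' the result is
    {"negotiate": {}, "ntlm": {}, "basic": {"realm": "MY.CORP.COM"}}.
    """
    schemes, current = {}, None
    for value in values:
        for piece in _split_quoted(value):
            piece = piece.strip()
            if not piece:
                continue
            head, _, rest = piece.partition(" ")
            if "=" not in head:
                # A bare token (Negotiate, NTLM, Basic, Digest) starts a new challenge.
                current = head.lower()
                schemes[current] = {}
                piece = rest.strip()
                if not piece:
                    continue
            if current is None:
                continue
            key, _, val = piece.partition("=")
            if val.strip("=") == "":
                # No key=value pair: an opaque token such as a base64 NTLM message.
                schemes[current]["token"] = piece
            else:
                schemes[current][key.strip().lower()] = val.strip().strip('"')
    return schemes


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, timeout=10):
    """GET url with no credentials and return status, schemes and Location."""
    req = urllib.request.Request(url, headers={"User-Agent": "auth-probe/1.0"})
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        resp = opener.open(req, timeout=timeout)
        status, headers = resp.status, resp.headers
    except urllib.error.HTTPError as err:  # 401 and unfollowed 3xx land here
        status, headers = err.code, err.headers
    return {
        "status": status,
        "schemes": parse_www_authenticate(headers.get_all("WWW-Authenticate") or []),
        "location": headers.get("Location"),
    }


def describe(result):
    """One-line reading of a probe result, for comparing two hostnames."""
    schemes = result["schemes"]
    if result["status"] in (301, 302, 303, 307, 308):
        return "redirect to %s (form-based login)" % result["location"]
    if result["status"] == 401 and schemes:
        names = ", ".join(sorted(schemes))
        realm = schemes.get("basic", {}).get("realm")
        return "HTTP auth challenge: %s%s" % (names, " (realm %s)" % realm if realm else "")
    return "HTTP %d, no authentication challenge" % result["status"]


if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(target, "->", describe(probe(target)))
```

A `401` listing `negotiate` or `ntlm` is the Windows-integrated prompt a browser renders as a domain login; a `302` to a login page is the form-based local login. Running it once against the short hostname and once against the FQDN, from a machine that is not going through the IVE, tells you which of the two the backend is actually sending for each name.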
Thank you for your response. I now think the problem may not be SSO, but the way the page is being rewritten. If you access the bookmark resource directly using the FQDN (http://server.domain.com/share) it prompts you for domain credentials. If you go after http://server/share it redirects to a login page where you can log in locally. Logging in locally is what I need. Is there a way to rewrite without using the FQDN? With the FQDN it is trying to log into the server, not the application residing on it. I need to rewrite because the resource is an internal server being accessed through the IVE.
@l0stb0y: not generally. Can you confirm which form you have the bookmark configured as?
Do all users use the same credential to log in or is it varied per user? If it is static, can you create an NTLM SSO policy for the one credential?
While it is a little kludgy, I have allowed access to an internal web server by non-FQDN by putting an entry in the HOSTS section of the Network Configuration. Or, I think you could configure the DNS suffix in the Network Configuration.
Thank you to everyone for the suggestions. It turns out the web page for the local login requires NTLM itself to present the login dialog. We can't change the web page to anonymous because then it would break the single sign-on for people who use their NTLM credentials to log in normally. So instead I'm using NTLM SSO and a domain account that has rights to display the page, but not rights to log all the way into the application. I'm now able to get the login page to display for my external users.