Frank.Neumann - Friday, August 24, 2012 4:58 AM:
Hi,
from one of our customers we are facing the requirement to handle authentication using the SSPI APIs (msdn.microsoft.com/.../aa380493(v=vs.85).aspx )
Does anybody know whether the Aras module for Active Directory / LDAP Single Sign-On Integration supports SSPI?
If not, I would be interested to learn about extension points to write an authentication provider based on SSPI.
Regards,
Frank
aknourenko - Friday, August 24, 2012 1:24 PM:
The standard Aras Innovator client runs in IE, which handles all of the low-level authentication protocol to the server (IIS). In other words, Aras does not have any special module for Active Directory / LDAP Single Sign-On but rather relies on the authentication mechanism between the client hosting application (IE) and the hosting server (IIS).
It's true that Aras Innovator has so-called "Windows authentication" mode that enables single sign-on for domain users but this functionality works the following way:
- There is a single resource (login.aspx) that must be configured with Windows authentication under IIS; all other resources could be configured with anonymous access only.
- A special DLL that implements "log-on hooks" must be registered in the Innovator server configuration file.
- When a user sends the very first request from a particular IE to the Innovator server, the request is redirected to login.aspx. At this point IE and IIS perform the user authentication using one of the SSPI implementations they both support. If the user was successfully authenticated, then the login.aspx page is executed and the "log-on hooks" from the registered DLL are eventually called from login.aspx. The hooks generate a hash value that is used as the password for the Innovator user and log the user in to Innovator.
-AK
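
The per-resource split described in the reply above, sketched as an IIS 7+ configuration fragment. This is an added example, not Aras's own configuration and not part of the original post; the site and application path is a placeholder, and it assumes the settings are made in applicationHost.config, where the authentication sections are editable by default.

```xml
<!-- Added example: fragment for applicationHost.config (IIS 7+).
     "Default Web Site/InnovatorServer" is a placeholder for the real
     site/application path; substitute the path used in your deployment. -->
<configuration>

  <!-- The application as a whole: anonymous access only. -->
  <location path="Default Web Site/InnovatorServer">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="true" />
          <windowsAuthentication enabled="false" />
        </authentication>
      </security>
    </system.webServer>
  </location>

  <!-- login.aspx only: Windows authentication, anonymous disabled.
       With anonymous access left enabled here, IIS does not challenge the
       browser, so the page would run without an authenticated Windows
       identity for the log-on hooks to work from. -->
  <location path="Default Web Site/InnovatorServer/login.aspx">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true">
            <providers>
              <clear />
              <!-- Negotiate selects Kerberos or NTLM through SSPI. -->
              <add value="Negotiate" />
              <add value="NTLM" />
            </providers>
          </windowsAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>

</configuration>
```

When reviewing such a deployment, confirm that login.aspx is the only resource with Windows authentication enabled and that anonymous access is actually disabled on it.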
Frank.Neumann - Monday, August 27, 2012 7:48 AM:
Thank you.
Frank