One of the things I work on at Wharton is a student portal. The portal is a public web site, but most features are protected by a web form log in. A common complaint from students is that they’re forced to log in to the web site after they’ve already logged into a computer in a school lab with the exact same account. Shouldn’t the portal already know who they are without another log in?
After doing some experimenting, I’ve found it’s possible to combine anonymous access, web form authentication, and Integrated Windows authentication. I’m throwing out my approach in case anyone needs to do something similar. We run ColdFusion on IIS servers to power our apps but you may be able to adapt this for other platforms.
Our web apps rely on Active Directory domain accounts to authenticate users. And our web environment runs on Windows machines. One of the nice things about Windows IIS web servers is the Integrated Windows authentication security option. Under this setup, any user logged into a machine with their domain account can access a secured web site without reentering a username and password.
One of the drawbacks to integrated auth is that users have to be logged into their computer with an Active Directory domain account to use it. And most browsers won’t support it by default. Anyone who visits a site secured with integrated auth that isn’t set up properly gets an ugly browser popup box asking for a username and password. This isn’t a very elegant option for securing a public web site. But it can be useful for users in a computer lab or a corporate office where you have some control over client computers.
So here’s the general process when a student in a computer lab visits the portal.
- If they’re coming from an IP address in a range used by our labs, the app redirects them from the homepage to a subdirectory of the site. This subdirectory has anonymous access disabled and Integrated Windows Authentication enabled in IIS. The parent site folder has anonymous access enabled.
- A script in the subdirectory detects whether integrated auth has been negotiated. In ColdFusion, integrated authentication has succeeded if the cgi.remote_user or cgi.auth_user variable is populated with a username. The value comes through as DOMAIN\username.
- If the username is there then the script logs that username into the portal app and creates a session. Then it redirects them back over to the root of the site as a fully logged in user. All the extended features of the site are accessible without a manual log in.
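The three steps above, modelled end to end as an added example (this is not the portal's ColdFusion code; it is a small Python request handler written here to show the decisions the script has to make). The lab ranges, the trusted domain name and the `/sso/` subdirectory path are constructed assumptions; the `cgi_remote_user` argument stands in for the server-populated cgi.remote_user / cgi.auth_user variable, which is the only thing the flow may trust, since a client-supplied header carrying a username could be set by anyone. The example also covers two cases the steps imply but do not spell out: a negotiation that fails (the user comes back anonymous, without a redirect loop) and a username from a domain other than the one the portal expects.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Constructed sample configuration; the real portal's lab ranges, domain
# and subdirectory path are not on the page.
LAB_RANGES = [ipaddress.ip_network("10.20.0.0/16"),
              ipaddress.ip_network("192.0.2.0/24")]
TRUSTED_DOMAIN = "WHARTON"   # assumption: the AD domain IIS authenticates against
SSO_PATH = "/sso/"           # assumption: subdirectory with anonymous access off, IWA on
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def is_lab_address(remote_addr: str) -> bool:
    """True if the client IP falls inside a lab range.

    This is only a routing hint: it decides who gets sent to the IWA directory,
    it never logs anyone in. If the server sits behind a proxy, remote_addr
    must be the address the proxy actually saw, not a forwarded header.
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in LAB_RANGES)


def parse_remote_user(remote_user: str) -> Optional[Tuple[str, str]]:
    """Split the DOMAIN\\username value IIS puts in cgi.remote_user / cgi.auth_user."""
    if not remote_user:
        return None
    domain, sep, user = remote_user.partition("\\")
    if not sep or not domain or not USERNAME_RE.fullmatch(user):
        return None
    return domain.upper(), user


def handle_request(path, remote_addr, cgi_remote_user, session):
    """Model of the three steps. Returns ("redirect", location) or ("render", page).

    `session` is a dict standing in for the portal's server-side session.
    """
    if path == SSO_PATH:
        # Steps 2 and 3: inside the IWA-only directory. Anonymous access is
        # off there, so IIS has either negotiated a domain logon (and filled
        # the CGI variable) or already answered 401 itself.
        session["sso_attempted"] = True
        parsed = parse_remote_user(cgi_remote_user)
        if parsed is not None:
            domain, user = parsed
            if domain == TRUSTED_DOMAIN:
                session["user"] = user   # log the domain user into the portal
        # Either way, send them back to the site root. A failed negotiation or
        # a foreign domain just leaves them anonymous, with the normal web-form
        # login still available.
        return ("redirect", "/")

    # Step 1: the homepage. Only unauthenticated lab clients that have not yet
    # tried SSO are bounced into the IWA directory, which avoids a redirect loop
    # when negotiation fails.
    if ("user" not in session and not session.get("sso_attempted")
            and is_lab_address(remote_addr)):
        return ("redirect", SSO_PATH)
    return ("render", "home:" + session.get("user", "anonymous"))
```

The `sso_attempted` flag is what keeps a browser without Integrated Windows Authentication configured from bouncing between the homepage and the subdirectory forever; the domain check keeps a logon from some other trusted or test domain from being mapped onto a portal account of the same name.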
It sounds like a lot of steps, but the redirects are unnoticeable. The user requests the regular URL for the site and arrives at the site logged in automagically. It’s seamless.
If you’re going to try out integrated auth, you’ll need to tweak your browser a bit. Recent versions of IE require that the URL of the site be added to the Intranet Sites trusted list. Recent versions of Firefox also support this but require a few configuration tweaks. Check out How To: Firefox and Integrated Windows Authentication for more details.
Hello
I am trying to follow you. When I check the IP and redirect to the site which has Intg Auth enabled and anonymous unchecked, the Connect-To window immediately pops up. Using .Net C#
thanks much. This was exactly what I needed, and clearly stated.