Federation Reflection: A Better Way To Do Pass-Through Authentication?
Tuesday, 07 November 2006 by Michel Roth
Jay Tomlin, on his blog, discusses the ADFS-enabled version of Web Interface:

For quite some time now Web Interface has supported a "single sign-on" feature where the user is shown their published application icons without ever having to provide a username and password.

The way this works, in a nutshell, is the following:

1. From a domain workstation, the user points IE to an IIS domain member web server. IIS performs Integrated Windows Authentication (using either NTLM or Kerberos) to ascertain the user's identity.

2. Web Interface reads the user identity and performs a lookup to determine which domain groups the user belongs to.

3. The list of groups (SIDs) is sent to the Presentation Server XML broker and the applications published to those groups are returned to Web Interface.

That takes care of getting the icons painted on the web page, but connecting to one of those applications uses an entirely different authentication method: the ICA client must eavesdrop on the user's workstation logon, store the credentials in memory (ssonsvr.exe) and then replay those credentials (or send a Kerberos ticket) through an ICA virtual channel when connecting to a Presentation Server.

As you can see, the initial web server authentication does nothing to help with the ICA session authentication. If you have ever struggled with a deployment of Web Interface that uses the "Pass-through" authentication method, you are all too familiar with the pain-points that this situation creates...

You can eliminate those pain points by leveraging the ADFS-enabled version of Web Interface. This is available today as a special post-4.2 release, and ADFS support will be part and parcel of Web Interface 4.5 when it ships.

Read the entire article here.
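Steps 1 and 2 above describe the web server inspecting the identity that Integrated Windows Authentication produced and enumerating the user's group SIDs, which is what feeds the XML broker in step 3. The PowerShell below is an added illustration of that inspection; it is not code from Jay Tomlin's post or from Citrix Web Interface. It examines the caller's own token as a stand-in for the token an IIS application would see in HttpContext.Current.User.Identity, and the function name Get-IwaIdentitySummary is invented for this example. Run it on a domain-joined Windows host as a domain user.

```powershell
# Added example (not from the article or from Citrix): show what a web server
# learns from an Integrated Windows Authentication logon and which group SIDs
# step 2 of the flow would hand on to the Presentation Server XML broker.
function Get-IwaIdentitySummary {
    param(
        # Defaults to the caller's own token. Under IIS with IWA the equivalent
        # object is HttpContext.Current.User.Identity, a WindowsIdentity.
        [System.Security.Principal.WindowsIdentity]$Identity =
            [System.Security.Principal.WindowsIdentity]::GetCurrent()
    )

    # Resolve every group SID in the token to a DOMAIN\Name where possible.
    # A SID that cannot be mapped (for example, from an unreachable trusted
    # domain) is kept with its raw value rather than dropped: the broker
    # matches on SIDs, not names.
    $groups = foreach ($sid in $Identity.Groups) {
        $name = '<unresolved>'
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        }
        catch [System.Security.Principal.IdentityNotMappedException] { }

        [pscustomobject]@{ Sid = $sid.Value; Name = $name }
    }

    [pscustomobject]@{
        User               = $Identity.Name
        # 'Kerberos' or 'NTLM' when the identity came from IWA on IIS.
        AuthenticationType = $Identity.AuthenticationType
        # Impersonation: good only on this server. Delegation: forwardable
        # to a back end. IWA without Kerberos delegation yields the former.
        ImpersonationLevel = $Identity.ImpersonationLevel
        GroupCount         = @($groups).Count
        Groups             = $groups
    }
}

$summary = Get-IwaIdentitySummary
$summary | Select-Object User, AuthenticationType, ImpersonationLevel, GroupCount | Format-List
$summary.Groups | Format-Table -AutoSize
```

The ImpersonationLevel field is the practical check behind the article's point: an IWA logon normally gives the web server an impersonation-level token, which is enough to read group membership locally and paint icons but cannot be presented to another server. That is why the ICA session still needs ssonsvr.exe to replay credentials (or a Kerberos ticket), or a federated token from ADFS, instead of reusing the web server's authentication.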

Related Items:

Web Interface Mod: Take Smart Card Authentication to the DMZ (7 September 2006)
The New Citrix Authentication Landscape (6 December 2006)
Citrix Releases ADFS Support For Presentation Server (12 July 2006)
Restricted Groups for Web Interface 4.5 (27 March 2007)
RDP Client 6.0 FAQ (24 January 2007)
Enabling Single Sign-On On Terminal Servers Connections (24 April 2007)
Using WI 4.2 With Access Gateway Adv.Edition 4.2 (18 May 2006)
Citrix Web Interface 4.2 Review (22 August 2006)
Technical Video: Citrix and ADFS (19 December 2006)
Unattended Installation Of The Citrix Web Interface (21 September 2006)