SSO Setup for behind-the-firewall sites

Applies To

  • Behind The Firewall (BTF) Installations of UniversitySite
  • Does not apply to UniversitySite Cloud Sites

Intended Audience

  • System Administrators

Background

When UniversitySite is installed behind the firewall on an internal Windows server, single sign-on (SSO) allows users to access the site without being prompted to supply credentials.

Setup

1. Enable SSO in UniversitySite

Launch UniversitySite

Navigate to InstructorSite / Global Settings / Login Settings (in the User's section towards the bottom of the page)

Choose "Use Windows Authentication" and click Save Settings.

2. Enable Windows Integrated Authentication in IIS

On the Web Server, launch IIS

Navigate to the UniversitySite folder and enable Anonymous and Basic authentication, but make sure Windows integrated authentication is disabled.

Navigate to the UniversitySite folder, switch to Content View, right-click LoginViaWindows.aspx, then choose Switch to Features View. Open the Authentication item, enable Basic authentication, enable Windows integrated authentication, and disable Anonymous access.

For LoginViaWindows.aspx, in the IIS Authentication feature:

Click on Windows Authentication to select it and then click on Providers in the Actions section of the right-hand column.

This will pop up a dialog showing the enabled providers. Remove the "Negotiate" provider by clicking on it in the list to select it and then clicking on Remove.

3. Follow the steps listed here to set up your application pool for integrated pipeline mode
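
The authentication state that step 2 produces can be checked offline against a copy of the web server's applicationHost.config. The script below is an added example, not part of UniversitySite or its documentation; it assumes the site is named "Default Web Site" and that IIS Manager stored the settings as <location> overrides in that file, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of <location> overrides; the site name "Default Web Site"
# is an assumption. Negotiate is deliberately still listed for the login page.
SAMPLE = """<configuration>
 <location path="Default Web Site/UniversitySite">
  <system.webServer><security><authentication>
   <anonymousAuthentication enabled="true" /><basicAuthentication enabled="true" />
   <windowsAuthentication enabled="false" />
  </authentication></security></system.webServer>
 </location>
 <location path="Default Web Site/UniversitySite/LoginViaWindows.aspx">
  <system.webServer><security><authentication>
   <anonymousAuthentication enabled="false" /><basicAuthentication enabled="true" />
   <windowsAuthentication enabled="true">
    <providers><clear /><add value="Negotiate" /><add value="NTLM" /></providers>
   </windowsAuthentication>
  </authentication></security></system.webServer>
 </location>
</configuration>"""

# Expected state from the Setup steps, keyed by path below the site.
EXPECTED = {
    "UniversitySite": {"anonymous": True, "basic": True, "windows": False},
    "UniversitySite/LoginViaWindows.aspx": {"anonymous": False, "basic": True, "windows": True},
}

def audit(config_xml, site="Default Web Site"):
    """Return a list of deviations from the documented SSO setup."""
    root = ET.fromstring(config_xml)
    locs = {l.get("path", "").lower(): l for l in root.iter("location")}
    findings = []
    for rel, expected in EXPECTED.items():
        path = f"{site}/{rel}"
        loc = locs.get(path.lower())
        auth = None if loc is None else loc.find("system.webServer/security/authentication")
        if auth is None:
            findings.append(f"{path}: no override found, inherited settings apply")
            continue
        for scheme, want in expected.items():
            node = auth.find(f"{scheme}Authentication")
            have = None if node is None else node.get("enabled", "").lower() == "true"
            if have != want:  # None means the element is missing (value inherited)
                findings.append(f"{path}: {scheme} enabled={have}, expected {want}")
        prov = auth.find("windowsAuthentication/providers")
        listed = [] if prov is None else [a.get("value") for a in prov.findall("add")]
        cleared = prov is not None and prov.find("clear") is not None
        if expected["windows"] and ("Negotiate" in listed or not cleared):
            findings.append(f"{path}: Negotiate provider listed or inherited")
    return findings
```

Calling audit() on the text of the real file returns an empty list when both paths match the steps above; each returned string names the path and the setting that differs.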

Testing

From a workstation, launch your browser and navigate to UniversitySite.  If things go well you won't be prompted to supply your credentials.

Troubleshooting

Here are a few of the most common issues we run across:

  1. You may need to add <add key="AllowWindowsAuthForEntireSite" value="true" /> to the app.config at \universitysite\app_code\ if you are seeing the error: Windows Authentication should be disabled for /PR-5501 in IIS.
  2. Users don't have permission to access the UniversitySite folder. To rule this out, temporarily grant 'Everyone' full control of c:\inetpub\wwwroot\UniversitySite or its equivalent.
  3. Error: This operation requires IIS integrated pipeline mode
  4. Windows 2008 server needs to be rebooted. If SSO was working fine and then users suddenly start getting prompted to log in even though you haven't made any configuration changes to IIS, you may need to reboot the web server. You can try restarting IIS, but it won't fix the problem. About once a month we hear from a client who is having this problem, and after investigating every other possible cause, rebooting the server is the only resolution we have discovered so far.
