No “double hop” allowed... how about a “trusted ajax hop”?

So I posted about a Microsoft .NET limitation that does not allow a user's NTLM credentials to go beyond a single “hop”. That first hop, from the browser to the IIS server, works like a charm, so the user never sees an authentication prompt: if they are logged into the same domain as the IIS server, their NT credentials get passed. It is when you then want the .NET application to connect to a remote resource with those same credentials that the glorious integrated authentication fails.

Far be it from me to give up, or buy the suggested remedy: Kerberos, so I wondered about some AJAX fun.


That is all well and good, but we are trying to pursue an application architecture that leaves the web services/XML feeds on whatever servers they already live on, and we do not have a very cohesive domain strategy in-house. This means that the odds of us running up against the cross-domain limitations of the XMLHTTP object are very high.

Then I wondered about something that used to annoy me: Internet Explorer Security Zones. IE implements a cross-domain trust model that allows the browser to be configured to trust servers that are not necessarily in your domain, or that are addressed by IP address instead of FQDN. We do have centralized management of desktops, so this should not be too hard (knock on wood) to implement.

Any server that exposes web services/XML feeds to be used by our portal will be listed in the Trusted Sites list, so we can use our single sign-on environment while also taking some load off the portal server. A JavaScript call using the XMLHTTP object runs with the credentials of the browser user, so my services/feeds served by Domino, which runs behind IIS, should work seamlessly (stay tuned).
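The browser side of that pattern, as an added example that is not code from the original post: the page only sends a credentialed request to hosts that mirror its Trusted Sites list (so the user's NTLM identity is never handed to an arbitrary URL), and a 401 is reported separately so a host that did not get automatic logon shows up as such. It uses the modern XMLHttpRequest `withCredentials` flag rather than the MSXML ActiveX object the post describes; the host names and the `xhrFactory` parameter are assumptions made for the example.

```javascript
// Hosts the portal is allowed to call with the browser user's credentials.
// Constructed placeholders; in practice this mirrors the Trusted Sites list.
const TRUSTED_FEED_HOSTS = ["feeds.corp.example", "10.1.2.3"];

// A credentialed request carries the logged-on user's NTLM identity, so the
// page itself refuses to send one to any host outside the list.
function isTrustedFeedHost(url) {
  try {
    return TRUSTED_FEED_HOSTS.includes(new URL(url).hostname);
  } catch (e) {
    return false; // unparsable URL: never send credentials
  }
}

// Fetch an XML feed with integrated auth. xhrFactory returns an
// XMLHttpRequest-like object (window.XMLHttpRequest in a browser, a fake in
// tests). onResult receives {state, status, body} where state is:
//   "ok"          - feed returned
//   "auth-failed" - 401: the host did not get automatic logon (not trusted
//                   by the browser zone), so the single sign-on hop broke
//   "refused"     - host not on the page's own allow-list, nothing sent
//   "error"       - any other HTTP status
function fetchTrustedFeed(url, xhrFactory, onResult) {
  if (!isTrustedFeedHost(url)) {
    onResult({ state: "refused", status: 0, body: "" });
    return;
  }
  const xhr = xhrFactory();
  xhr.open("GET", url, true);
  xhr.withCredentials = true; // send the browser user's identity on this hop
  xhr.onreadystatechange = function () {
    if (xhr.readyState !== 4) return;
    if (xhr.status === 401) {
      onResult({ state: "auth-failed", status: 401, body: "" });
    } else if (xhr.status >= 200 && xhr.status < 300) {
      onResult({ state: "ok", status: xhr.status, body: xhr.responseText });
    } else {
      onResult({ state: "error", status: xhr.status, body: "" });
    }
  };
  xhr.send(null);
}
```

In a browser, pass `() => new XMLHttpRequest()` as the factory; the feed host must also be in a zone whose logon setting sends credentials automatically, or the call lands in the "auth-failed" branch.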

EDIT: This seems to be working like a charm so far...

More on MS’s position here
