How to authenticate sub-domains with same credentials

Question

NET 2.0 Domain ie..xyz.com and 2 subdomains 1.xyz.com and 2.xyz.com - all three use the same dbase security via SQL but are written in as separate applications C# and VB.

How can I easily manage the login credentials across sites since the authentication will need to occur separately in each web app, I would like to make it seamless.. Can I store in cookies and have login.asxp check the cookies.. surely but I need guidance in how to write this...Craig

Answer 1

Since you're considering using cookies, I'll assume what you're asking is how to implement Single Sign On (SSO) for your web application users. They log into one site and have access to multiple sites in the same domain without having to re-type their password.

There are probably many ways to do this, and I doubt you would ever come up with a single way that any group of IT security people would agree is secure. IT security sort of works that way for some reason.

Anyhow, you might look at how Kerberos [ http://en.wikipedia.org/wiki/Kerberos_(protocol) ] performs authentication. It can be a bit complicated to get set up properly, but it would allow you to "kerberize" your applications and provide single sign-on. This has some issues though in that the web client can't be entirely trusted to not allow the user's password to be disclosed. This might be a risk you're willing to accept depending on the importance of the data.

There are probably some Open ID solutions that might work too, but I'm not all too familiar with the protocol in particular. A lot of businesses would have a problem with their users visiting a third party side to establish credentials, so that might be out. Based on the URL authentication, you may have to end up reverse-proxying all your sites to make it so that users don't have to set up authentication to each application at least once.

Hope it helps.