Hi Kim,
Thank you very much for your response.
InlineCredentials looks promising.
1) I suppose this also allows Kerberos authentication?
2) What is not so clear from the image in the documentation: is this only possible for agents installed on the protected website (host) itself (no network separation), or can this also be used to let the agent on IIS forward the request to another server (potentially also an IIS web server)? The question is then how the account/credentials are forwarded to the other server (is this the usual way, using extra headers?), and does the user (requesting the URL) eventually also receive a token via cookie?
Context for my questions:
We are moving our custom applications to another datacenter.
The company wants to create separate network layers on the server side (for security).
The first layer (where requests first arrive) is where authentication needs to happen (that is their requirement; it cannot be forwarded to the next layer); the second layer is where the real application server is located.
Application server is using Microsoft .NET technology and internally makes use of Windows integrated authentication to make authorization decisions.
So ideally we can use CA Single Sign-On (SiteMinder) (WIA) on the first layer on some IIS (to have WIA), which then forwards to another IIS, which ideally can still use WIA (converting to supporting some headers is possible if WIA is not possible here).
Logically I would think that using Kerberos authentication on the first layer and then having the agent use Kerberos delegation to access the application server should technically be possible and should fulfill our objective of having a security layer transparent to the application server and transparent to clients (meaning no redirections).
Hope this makes any sense, if not please let me know.
Thanks in advance,
Alex Goeman