Reputation: 3819
I'm trying to determine if SSO is what I want to use in my scenario. All of our users are in an AD. I have some web-based services that authenticate via the AD (currently they ask the user for a login when they visit the sites). Key points:
Does AD-based SSO work:
Is it possible to have fallback auth mechanisms in place? e.g. if SSO is not possible, then fall back to http auth or cookie auth?
Cheers,
Victor
Upvotes: 1
Views: 3011
Reputation: 14212
You might get more flexibility through ADFS, which is a Windows component that allows you to use claims-based authentication.
The intra/extranet scenarios are simpler, the interop story is quite good. (Since your web sites are non-Microsoft ones).
Tons of documentation in TechNet
Upvotes: 1
Reputation: 26
Yes, if cached credentials are used, when the browser requests a Kerberos service ticket, the cached credentials are used by Windows to get a TGT for the user and then the service ticket is requested. This is transparent to the user, so they get the same experience as if they were in the office, connected to the LAN, and not using cached credentials.
Some other browsers support the Negotiate protocol, not just IE. I am aware that Firefox does, and I think Safari does also.
Upvotes: 1
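The following is an added example, not part of any post above. It sketches the server side of the Negotiate exchange mentioned in the last answer, together with the fallback the question asks about: the server offers `Negotiate` and, only over TLS, `Basic`, then labels what the browser sends back. The function names, the `intranet` realm, the OID substring heuristic and the policy of not accepting NTLM tokens are assumptions of this sketch, and the sample tokens are constructed.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"                        # signature that starts every NTLM message
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER encoding of OID 1.2.840.113554.1.2.2

def classify_authorization(header):
    """Heuristically label an Authorization header value as
    'none', 'basic', 'kerberos', 'ntlm' or 'unknown'."""
    if not header or not header.strip():
        return "none"
    scheme, _, blob = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"
    if scheme == "ntlm":
        return "ntlm"
    if scheme != "negotiate":
        return "unknown"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:                  # binascii.Error is a ValueError
        return "unknown"
    if NTLMSSP_SIG in token:            # raw or SPNEGO-wrapped NTLM: no Kerberos ticket was used
        return "ntlm"
    if token[:1] == b"\x60" and KRB5_OID in token:  # GSS-API framing naming the Kerberos mechanism
        return "kerberos"
    return "unknown"

def decide(header, is_tls):
    """Return (action, challenges); challenges are WWW-Authenticate values for a 401."""
    # Assumed policy: Basic is offered and accepted only over TLS; NTLM is never accepted.
    offers = ["Negotiate"] + (['Basic realm="intranet"'] if is_tls else [])
    kind = classify_authorization(header)
    if kind == "kerberos":
        return "validate-ticket", []    # hand the token to the GSS-API/SSPI layer
    if kind == "basic" and is_tls:
        return "validate-password", []  # e.g. an LDAP bind against the directory
    return "challenge", offers

# Constructed sample tokens: plausible prefixes only, not real tickets.
SAMPLE_KRB = "Negotiate " + base64.b64encode(
    b"\x60\x20\x06\x06\x2b\x06\x01\x05\x05\x02" + KRB5_OID + b"\x00" * 8).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    NTLMSSP_SIG + b"\x01\x00\x00\x00" + b"\x00" * 8).decode()

if __name__ == "__main__":
    for h in (None, SAMPLE_KRB, SAMPLE_NTLM, "Basic dXNlcjpwdw=="):
        print(classify_authorization(h), decide(h, is_tls=True))
```

Logging the label per request shows how often clients end up on NTLM or Basic instead of Kerberos, which is the number to watch when deciding whether the fallback can be switched off.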