How does IIS request information from LDAP?

Question

When a user logs in to a SSO (Single Sign on) application, IIS makes a request to LDAP (Lightweight Directory Access Protocol) to get some user information for authentication. I am trying to find where the communication between LDAP and IIS happens (I am assuming that IIS sends a request to LDAP in order to get some user information). I have looked in the IIS Manager in windows and could not find the communication between IIS and LDAP. Does anyone know where I would be able to find the communication between LDAP and IIS?

Answer 1

If you're talking about Windows Authentication, then no, IIS doesn't use LDAP. It will use either Kerberos (preferably) or NTLM.

The mechanism is different for each, but basically, the user is already logged in on the client computer and sends their already-existing ticket to the server. The server just verifies the ticket with the domain controller. This means that the server must be joined to the same domain (or a trusted domain) as the user logging in.

For seamless SSO (where the user does not need to type in their username/password), the user must be logged into the client computer with the credentials they want to use on the website. If not, they will be prompted for credentials and the actual logging in will happen from the server.

If you cannot use Windows Authentication because the server is not joined to the same (or trusted) domain as the user, then you would have to implement LDAP authentication yourself. You would use Forms Authentication, ask for the user's username and password, and validate the credentials like this for example.