Posted by Rik Wasmus on 12/31/07 16:56
On Mon, 31 Dec 2007 17:04:28 +0100, adam.waterfield@gmail.com
<adam.waterfield@gmail.com> wrote:
> Maybe someone could help me a little here.
>
> On a project I am working on, we have some LDAP authentication to
> Active Directory which allows users to log in to our application - this
> is fine. When accessing this application from off campus, they
> routinely get this login window confused with the one they log in to
> Exchange Server with for their email.
>
> I am wondering if it is possible to set up some kind of button/link
> that is displayed after they have logged in (to the web application -
> not Exchange) that will redirect them to their email inbox without
> having to login again.
>
> I could set up a form that posts to the Exchange login script, with
> their username and passwords in hidden fields, but I don't see this as
> being secure - perhaps if the password was encrypted (encrypted as
> what, though?) I would feel more at ease with this. (Not tried this,
> perhaps it would even work?)
>
> Basically, as we know their AD login credentials, all I need to know
> is it possible to pass them to the Exchange Server so they can bypass
> the login process for Exchange. All I want to do is try and avoid them
> logging in twice - once to their email and once to our application.
>
> I hope you follow me, any help would be greatly appreciated.

Not having worked directly with Exchange, consider the following:

1. You know their login/password.
2. You let the link 'to Exchange' point to a 'portal'-page on your own
site/domain.
3. In that page you start a session with Exchange using perhaps the cURL
library.
4. You pass all cookie/get values directly through to the user, take extra
care to set it for the domain of the exchange server.
5. You redirect them to the page you were sent to in your earlier request.

Not having worked with Exchange myself, you might want to examine whether
it works with cookies for authentication (in which case, if you are on a
different (sub)domain, your users would probably have to teach their
browser to accept any cookies you sent for that other domain), or whether
it works with a session-id in a GET value, in which case there would be no
problem passing that back to the user.
--
Rik Wasmus
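
The cookie-domain caveat in the reply above, as an added example that is not part of the original post: a small check, following the RFC 6265 domain-match rule, of whether a cookie set by the portal host would be stored by a browser and later sent to the mail host. All hostnames are constructed placeholders, and public-suffix rejection is only approximated.

```python
import ipaddress


def _is_ip(host):
    """True if host is an IP literal; domain cookies never suffix-match IPs."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3: does `host` domain-match `cookie_domain`?"""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    if host == cookie_domain:
        return True
    return (not _is_ip(host)) and host.endswith("." + cookie_domain)


def browser_accepts(setting_host, domain_attr):
    """Would a browser store a cookie from setting_host with this Domain attribute?

    Simplification (assumption): real browsers consult the public suffix list;
    here a Domain value without a dot (e.g. "com") is simply rejected.
    """
    if not domain_attr:
        return True  # host-only cookie, always storable
    if "." not in domain_attr.strip("."):
        return False
    # The setting host must itself fall under the Domain it names.
    return domain_match(setting_host, domain_attr)


def sent_to(target_host, setting_host, domain_attr):
    """Will a cookie set by setting_host reach target_host on a later request?"""
    if not browser_accepts(setting_host, domain_attr):
        return False
    if not domain_attr:
        return target_host.lower() == setting_host.lower()
    # Note: a parent-domain cookie is sent to every host under that parent,
    # so a session cookie scoped this way is visible to all sibling sites.
    return domain_match(target_host, domain_attr)
```
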