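I have two web applications in my SharePoint 2013 farm:

  1. A simple intranet portal (http://portal)
  2. My Site (http://portal:8080)

The problem is that users have to authenticate to each application separately. For example, when they are browsing application 1 and then enter application 2 (by clicking another user's name and being redirected to My Site), they have to authenticate again.

I would like the login screen to appear only once. How can I solve this double authentication problem?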

Solution

If you are just using the default Windows authentication this should not be a problem at all - even with claims based authentication. Make sure the SharePoint URLs are in the "Intranet Zone" of the browser and your users should be logged on automatically - even without Kerberos. For this basic scenario you don't need ADFS or any other identity provider.
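A way to check the zone advice above on a client machine, as an added example that is not part of the original answer: it reports which security zone Windows maps each of the question's two URLs to and which logon mode (URL action `1A00`) applies to that zone. It assumes Windows PowerShell 5.1 running as the affected user; the function name and the registry lookup order (policy keys first, then user and machine preferences) are this example's own simplification.

```powershell
# Added example: which zone do the SharePoint URLs land in, and will Windows
# credentials be sent without a prompt? Run as the affected user.
$urls = 'http://portal', 'http://portal:8080'   # the two web applications from the question

# Meaning of the 1A00 (logon) setting stored per zone
$logonModes = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

# Hypothetical helper: first 1A00 value found, policy locations before preferences
function Get-ZoneLogonMode([int]$ZoneId) {
    $suffix = "Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$ZoneId"
    $candidates = "HKLM:\Software\Policies\$suffix", "HKCU:\Software\Policies\$suffix",
                  "HKCU:\Software\$suffix", "HKLM:\Software\$suffix"
    foreach ($key in $candidates) {
        $prop = Get-ItemProperty -Path $key -Name '1A00' -ErrorAction SilentlyContinue
        if ($prop) { return [pscustomobject]@{ Source = $key; Value = [int]$prop.'1A00' } }
    }
}

foreach ($url in $urls) {
    # Ask Windows itself for the effective zone (covers policy, user entries, auto-detect)
    $zone   = [System.Security.Policy.Zone]::CreateFromUrl($url).SecurityZone
    $zoneId = [int]$zone            # 1 = Intranet, 2 = Trusted, 3 = Internet
    $logon  = Get-ZoneLogonMode $zoneId

    # Silent sign-in needs mode 0, or mode 0x20000 together with the Intranet zone
    $silent = [bool]($logon -and ($logon.Value -eq 0 -or
                     ($logon.Value -eq 0x20000 -and $zoneId -eq 1)))

    [pscustomobject]@{
        Url          = $url
        Zone         = $zone
        LogonMode    = if ($logon) { $logonModes[$logon.Value] } else { 'not set in registry' }
        SettingFrom  = if ($logon) { $logon.Source } else { $null }
        SilentSignIn = $silent
    }
}
```

If either URL reports a zone other than `Intranet` with the default logon mode, that host is the one producing the second prompt.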

Other tips

OR...you could NOT use PORT numbers for your MySite web application and either create a unique URL like http://mysite or http://my (or whatever works for your organization and culture). Then set trusted sites.

OR, If the users are non-domain users (the new domain will trip an auth prompt when you switch hosts) you could create the MySite host under a managed path under the host you already created. Create a Managed Path like http://portal/my and then set up a Wildcard Managed Path for http://portal/my/personal for all of the personal sites.

With this configuration you will only be prompted once.

(I hate seeing port numbers in "public" SharePoint URLs...)

You need to configure ADFS with SharePoint. Essentially it's a type of Claims Authentication with a conceptual walkthrough mentioned here

This is an excerpt from MSDN that explicitly mentions the flow of a single user from one web app to another in SharePoint

Visiting Two SharePoint Web Applications

In this walkthrough, John visits the a-Portal SharePoint web application and then visits the a-Techs SharePoint web application.
John visits the a-Portal SharePoint web application.
- John browses to the Team site in the a-Portal SharePoint web application.
- John has not yet been authenticated, so SharePoint redirects his browser to ADFS.
- John enters his Adatum domain credentials.
- ADFS validates the credentials, issues a SAML token that contains his claims, and redirects the browser to the SharePoint STS (the "/_trust/" endpoint in the SharePoint web application).
- ADFS also creates an SSO cookie so that it can recognize if it has already authenticated John.
- The SharePoint STS validates the token from ADFS and issues a FedAuth cookie for the a-Portal SharePoint web application that contains a reference to John's claims in the SharePoint token cache.
- SharePoint checks that John has access to the Team site collection, and redirects his browser to the site.


John visits the a-Techs SharePoint web application.
- John browses to the Team site in the a-Techs SharePoint web application.
- John has not yet been authenticated for this SharePoint web application so SharePoint redirects his browser to ADFS.
- ADFS detects the SSO cookie that it issued in step 1-c, and redirects the browser with a new SAML token to the SharePoint STS.
- The SharePoint STS validates the token from ADFS and issues a FedAuth cookie for the a-Techs SharePoint web application that contains a reference to John's claims in the SharePoint token cache.
- SharePoint checks that John has sufficient permissions to access the Team site collection, and redirects his browser to the site.

http://msdn.microsoft.com/en-us/library/hh446525.aspx

This gives you a pretty good overview of what you need to do. In a nutshell:

1) Set up SharePoint on Claims Authentication, each web application authenticating to Active Directory (or a custom provider if you'd rather)

2) Configure the Security Token Service so everyone is on the same page

Not easy to do, but should be workable. Try in a development environment first please as a failure can be pretty fragile to authentication.

Use ADFS authentication; this should solve your problem. Let me know if you need additional information.

Licensed under: CC-BY-SA with attribution