We have a two-server setup where Server1 is the internal server and Server2 is the external server. Currently, we have it set up so that the internal server automatically logs in our internal company users.

Now we're bringing on an external client and at the moment, we are caught between two choices: the server challenges the external user and then drops them to our login page, where they log in again (this requires the user to be in AD, I believe), or remove the server challenge, but now the internal user must log in rather than being auto-logged in.

We've been poking at the IIS and integrated authentication settings in OutSystems and IIS for two days now, and we can't seem to find the right combination to give us:

1)  Internal users are automatically logged on.
2)  External users are not challenged by the Windows Security login.
3)  External users are directed to the login page where they log in only once.

Simply setting anonymous all around had the unintended consequence of dropping them through the login page and they were actually logged in to the program, though they had no rights. Any time we remove anonymous authentication, we get the Windows Security login pop-up. If we remove Integrated Authentication, internal users are not logged in.

How can we set this up such that the three requirements are satisfied?

Did you find a solution?

Not exactly. We have to turn off the integrated authentication in order for the server not to challenge our external users, which disables the auto-login for our internal users. It seems that OutSystems remembers you and will auto-log you in if you have a cookie (or something) set, so luckily our internal users don't have to log in very often (maybe once a day?). It's an acceptable trade-off at the moment in order to expose our application to the client, but we're still looking at ways of having our cake and eating it, too.

Hi Chris,

Just bumped into this post. I will face the exact same challenge in a couple of months. Have you got around this somehow?



We have not gotten around this. We still require our internal users to log in instead of being automatically logged in via AD. There's a desire to keep our external users out of AD, so everyone is forced to log in now in order to allow external access.

Thanks for the prompt feedback.