When a web application is secured by the DualShield IIS Agent with MFA, the agent adds an extra layer of authentication process over the web application's own form-based authentication. Without Single-Sign-On or Auto Logon, users will be firstly authenticated by the DualShield SSO, then by the web application's original login process which is usually the user's AD credential verification.
You have 2 options:
- Configure DualShield SSO to verify the 2nd factor only, e.g. one-time-password etc, and keep the application's original login process which will verify the user's AD credentials. In this option. you do not need to enable Single Sign-On or Auto Logon.
- Configure DualShield SSO to verify both the 2nd factor and the 1st factor. In this option. you will need to enable Single Sign-On or Auto Logon.
From the security point of view, both options have no difference.
From the user experience point of view. option 2 will deliver a more coherent user experience.
Between Single Sign-On and Auto Logon options, Single Sign-On is preferred as it is easier to set up and quicker in performance. However, some IIS web servers have such restrictions that it is not possible to enable Single Sign-On.