We see it almost every week, someone posting a question in a forum asking “Why does my web site prompt me for my user name and password?” And yes, there are a lot of reasons this can happen, but we see an awful lot of posts where someone is at a loss for why, even after they’ve reconfigured the permissions and authentication on the server several times. It doesn’t matter what version of IIS they’re using, just that the site uses Windows Authentication. Crazy, but in these cases the solution has nothing to do with the server; it’s all on the client side.
Several years ago, hackers got smarter. (Okay, they get smarter every day, usually quicker than most of us…) To keep up, browser programmers got smarter too, and decided that a browser should not hand the logged-on user’s Windows credentials to just any site that asks for them. Which is very smart: any site that sends back a 401 with a WWW-Authenticate: Negotiate or NTLM challenge could otherwise collect (or relay) an NTLM response from every visitor. But it leads to a double authentication issue. A user logs into their Windows system. Then they visit a web site, usually on an intranet, that uses Windows Authentication. IIS answers the first request with a 401 challenge and, instead of replying silently with the credentials of the user who is already logged in, the browser pops up a login box. The danged site asks them to authenticate again, not because the server is misconfigured, but because the browser doesn’t trust the web site.
The solution is simple. Tell the browser to trust the web site. How you do that may be a bit less than simple. For example, in Internet Explorer (all versions from 5 up…), open the Tools menu and choose Internet Options. On the Security tab, choose the Local intranet zone and click the Sites button. In the Sites dialog, click the Advanced button, and in that dialog enter the web site by server name, Fully Qualified Domain Name or IP address. Click OK all the way out to save it and you’re golden. Other than having to do this on every single client. Two things to know before you start. First, IE already treats dotless names such as http://server as intranet, so the prompt usually only shows up when users browse by FQDN or IP address. Second, trust exactly the hosts you mean. The whole point of the zone check is that your domain credentials go only to servers you run, so don’t add a broad wildcard like *.com just to make the prompt go away.
Internet Explorer Group Policy
Fortunately, Windows Group Policy lets you handle this across your Active Directory domain. Create a group policy that applies to Authenticated Users, and set the following policy:
User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
Enable the Site to Zone Assignment List and add your intranet sites to the list, one row per site, with the value name and value in the following format:
Value name: {Host/Domain}
Value: {Zone}
Where {Host/Domain} is the FQDN, server name, domain name or IP address of your site and {Zone} is a number as follows:
1 – Intranet Zone
2 – Trusted Sites Zone
3 – Internet Zone
4 – Restricted Sites Zone
So, to add the www.sample.com web site to the Intranet Zone so Internet Explorer will pass credentials, create your list as such:
www.sample.com 1
A couple of caveats. Once the list is delivered by policy, the Sites button for that zone is greyed out on the clients, so users can’t add or remove entries themselves; that is usually what you want. Whether IE logs on silently is controlled by the zone’s User Authentication > Logon setting, which for the Local intranet zone defaults to “Automatic logon only in Intranet zone”, so zone 1 is the safe choice. If you put a site in Trusted Sites (zone 2) instead, check that zone’s Logon setting or you will still get the prompt. And entries by IP address will generally get NTLM rather than Kerberos, because Kerberos needs a service principal name that matches the host name, so prefer the FQDN.
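The same policy from PowerShell, as an added example that is not part of the original post. It writes the registry values that the Site to Zone Assignment List setting stores in the GPO (the ListBox_Support_ZoneMapKey flag plus one string value per site under ZoneMapKey), reads them back, and shows the check to run on a client. It assumes the GroupPolicy RSAT module is installed and you are a domain admin; the GPO name, the extra host names and the domain DN are placeholders.

```powershell
# Added example, not from the original post: build the "Site to Zone Assignment List"
# GPO with the GroupPolicy module. Assumes RSAT's GroupPolicy module and domain admin
# rights. GPO name, intranet.corp.local, 10.0.0.25 and the DN are placeholders.
Import-Module GroupPolicy

$GpoName = 'IE Intranet Zone Sites'            # placeholder GPO name
$Sites = @{
    'www.sample.com'      = 1                  # site from the post, Intranet zone
    'intranet.corp.local' = 1                  # placeholder FQDN
    '10.0.0.25'           = 1                  # placeholder IP (expect NTLM, not Kerberos)
}

# Registry location the policy editor writes for this setting (user scope).
$PolicyKey = 'HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# "Enabled" state of the policy is this DWORD; the list itself lives in ZoneMapKey.
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey `
    -ValueName 'ListBox_Support_ZoneMapKey' -Type DWord -Value 1 | Out-Null

foreach ($entry in $Sites.GetEnumerator()) {
    # Value name = host/domain/IP, value data = zone number as a string (REG_SZ).
    Set-GPRegistryValue -Name $GpoName -Key "$PolicyKey\ZoneMapKey" `
        -ValueName $entry.Key -Type String -Value "$($entry.Value)" | Out-Null
}

# Link the GPO so Authenticated Users (the default security filter) pick it up.
# Placeholder DN; link to an OU instead if only some users need it.
New-GPLink -Name $GpoName -Target 'DC=corp,DC=local' -ErrorAction SilentlyContinue | Out-Null

# Read the list back out of the GPO to confirm exactly which hosts are trusted.
Get-GPRegistryValue -Name $GpoName -Key "$PolicyKey\ZoneMapKey" |
    Select-Object ValueName, Value

# On a client, after gpupdate /force, the same entries appear here. Anything in this
# list gets the user's Windows credentials automatically, so review it periodically.
Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey' |
    Select-Object -Property * -ExcludeProperty PS*
```

If the ZoneMapKey values show up on the client but the prompt persists, the next thing to check is the Local intranet zone’s Logon setting and whether the user is browsing by a name that matches the entry (FQDN versus short name versus IP).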
Firefox
To set Firefox to pass authentication through to your web site is a little less direct. You need to edit its preferences, as follows:
Open Firefox and in the address bar type about:config and press Enter. In the preferences list, find network.automatic-ntlm-auth.trusted-uris and double-click it. Enter the host name, or a comma-separated list of host names and domain suffixes (for example www.sample.com,.corp.local), click OK and restart Firefox. If the site uses Kerberos (the Negotiate challenge), do the same for network.negotiate-auth.trusted-uris; Firefox keeps separate trust lists for NTLM and Negotiate. Now your browser will also pass credentials to the web site.
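For the same reason as the IE Group Policy above, nobody wants to visit about:config on every desktop. This added example, not part of the original post, deploys the two Firefox trust lists machine-wide with a Firefox enterprise policies.json (the Authentication policy, whose SPNEGO and NTLM entries populate network.negotiate-auth.trusted-uris and network.automatic-ntlm-auth.trusted-uris). It assumes Firefox is installed in the default Program Files location and that .corp.local is a placeholder domain suffix; run it elevated, for example from a startup script or your software deployment tool.

```powershell
# Added example, not from the original post: push Firefox's NTLM/Negotiate trust lists
# via an enterprise policies.json instead of per-user about:config edits.
# Assumes the default Firefox install path; '.corp.local' is a placeholder suffix.
$TrustedHosts = @('www.sample.com', '.corp.local')   # host from the post + placeholder domain

$policy = [ordered]@{
    policies = [ordered]@{
        Authentication = [ordered]@{
            SPNEGO = $TrustedHosts   # Kerberos/Negotiate  -> network.negotiate-auth.trusted-uris
            NTLM   = $TrustedHosts   # NTLM fallback       -> network.automatic-ntlm-auth.trusted-uris
            Locked = $true           # users cannot widen the lists from about:config
        }
    }
}

$dist = Join-Path $env:ProgramFiles 'Mozilla Firefox\distribution'
New-Item -ItemType Directory -Path $dist -Force | Out-Null

# Write UTF-8 without a BOM so the JSON parses cleanly.
$json = $policy | ConvertTo-Json -Depth 5
[System.IO.File]::WriteAllText(
    (Join-Path $dist 'policies.json'),
    $json,
    [System.Text.UTF8Encoding]::new($false)
)

# Verification: after a Firefox restart, about:policies lists Authentication as active
# and about:config shows both trusted-uris prefs set to the list and locked.
Get-Content (Join-Path $dist 'policies.json')
```

Keep the lists as short as the IE zone list: every entry is a host that will receive the user’s Windows credentials without a prompt.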
Disclaimer
As usual, any knowledge of Mr. Phelps or his IMF team is denied. Other than the cool TV shows and the adequate Tom Cruise movies of course. (Although Thandi Newton was hot in MI II…). We also, quite naturally, disavow any knowledge of this post if you foolishly follow our advice and break your system. Or someone else’s. Except Mr. Phelps’ system, since he and his team don’t exist…