IIS Website asks for Username and Password

We see it almost every week, someone posting a question in a forum asking “Why does my web site prompt me for my user name and password?”  And yes, there are a lot of reasons this can happen, but we see an awful lot of posts where someone is at a loss for why, even after they’ve reconfigured the permissions and authentication several times.  And it doesn’t matter what version of IIS they’re using, just that it’s Windows Authentication.  Crazy, but the solution has nothing to do with the server, it’s all on the client side.

Several years ago, hackers got smarter.  (Okay, they get smarter every day, usually quicker than most of us…)  To keep up with the hackers, programmers got smarter too.  And browser programmers decided that the browser wouldn’t automatically pass the logged-on user’s credentials to an untrusted domain.  Which is very smart.  But it can lead to a double authentication issue.  What happens is a user logs into their Windows system.  Then they visit a web site, usually on an intranet, that requires them to be authenticated through Windows.  And the danged site asks them to authenticate again.  All because the browser copped an attitude and won’t let the web site know that the user is already logged in, simply because the browser doesn’t trust the web site.

The solution is simple.  Tell the browser to trust the web site.  How you do that may be a bit less than simple.  For example, in Internet Explorer (all versions from 5 up…), open the Tools menu and choose Internet Options.  On the Security tab, choose the Intranet Zone and click the Sites button.  In the Sites dialog, click the Advanced button.  And in the dialog box, enter the web site’s server name, Fully Qualified Domain Name or IP address.  Click OK and accept everything to save it and you’re golden.  Other than having to do this on every single client.

Internet Explorer Group Policy

Fortunately, Windows Group Policy allows you to handle this across your Active Directory domain.  Create a group policy that applies to Authenticated Users, and set the following policy:

User Config > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page

Enable the Site to Zone Assignment List and add your intranet domain to the list in the following format:

{Host/Domain} {Zone}

Where {Host/Domain} is the FQDN, server name, domain name or IP address of your site and {Zone} is a number as follows:

1 – Intranet Zone
2 – Trusted Sites Zone
3 – Internet Zone
4 – Restricted Sites Zone

So, to add the http://www.sample.com web site to the Intranet Zone so Internet Explorer will pass credentials, create your list as such:

http://www.sample.com 1
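
An added example, not part of the original post: a small Python lint for a Site to Zone Assignment List written in the format above. Every Intranet Zone entry is a site the browser will pass Windows credentials to without asking, so the list is worth checking before it goes into Group Policy. The two warning rules (wildcards and http:// entries in zone 1) and the sample entries are this example's own assumptions.

```python
"""Lint '{Host/Domain} {Zone}' lines before they go into Group Policy."""

ZONES = {1: "Intranet", 2: "Trusted Sites", 3: "Internet", 4: "Restricted Sites"}

# Constructed sample list; only the first entry comes from the post.
SAMPLE = """\
http://www.sample.com 1
https://intranet.sample.com 1
*.sample.com 1
files.sample.com 5
https://partner.example.org 2
"""

def parse_entry(line):
    """Split one list line into (site, zone); raise ValueError if malformed."""
    parts = line.split()
    if len(parts) != 2 or not parts[1].isdigit():
        raise ValueError(f"expected '{{Host/Domain}} {{Zone}}': {line!r}")
    zone = int(parts[1])
    if zone not in ZONES:
        raise ValueError(f"zone must be 1-4: {line!r}")
    return parts[0], zone

def lint(text):
    """Return a list of (line_no, entry, message) findings for a whole list."""
    findings, seen = [], {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            site, zone = parse_entry(line)
        except ValueError as exc:
            findings.append((no, line, str(exc)))
            continue
        key = site.lower()
        if key in seen and seen[key] != zone:
            findings.append((no, site, f"conflicts with zone {seen[key]} above"))
        seen.setdefault(key, zone)
        if zone != 1:
            continue  # only Intranet Zone entries get credentials passed
        if "*" in site:  # assumed rule: keep the credential-passing list narrow
            findings.append((no, site, "wildcard in Intranet Zone"))
        if key.startswith("http://"):  # assumed rule: prefer TLS-protected sites
            findings.append((no, site, "http:// entry in Intranet Zone (no TLS)"))
    return findings

if __name__ == "__main__":
    for no, entry, message in lint(SAMPLE):
        print(f"line {no}: {entry}: {message}")
```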


Setting Firefox to pass authentication through to your web site is a little less direct.  You need to edit its configuration preferences, as follows:

Open Firefox and in the address bar type about:config and press Enter.  In the config preferences, find the line for network.automatic-ntlm-auth.trusted-uris and double-click it.  Enter the web site URL in the dialog box, click OK and restart Firefox.  Now your browser will also pass credentials to a web site.


As usual, any knowledge of Mr. Phelps or his IMF team is denied.  Other than the cool TV shows and the adequate Tom Cruise movies of course.  (Although Thandie Newton was hot in MI II…).  We also, quite naturally, disavow any knowledge of this post if you foolishly follow our advice and break your system.  Or someone else’s.  Except Mr. Phelps’ system, since he and his team don’t exist…

