Enabling NTLM Authentication in Firefox and Internet Explorer

by Nate on January 19, 2007

This tip is useful for organizations that have standardized on Microsoft technologies (Active Directory, IIS, and ASP.NET) and need to provide minimal-intrusion authentication for their internal web applications. I was stumped for a long time on this one. Here’s the scenario:

All of my ASP.NET applications – at this point – are internal to the organization that I work for. We are a strictly Microsoft shop, and, because of this, I always leverage Active Directory in every way possible. Well, this is great from my (a developer’s) perspective, as it means that I don’t have to build and maintain a login system. However, I recently started getting feedback from users across the country saying that they were being challenged with a login screen when they accessed the applications. This was okay, as they could still get in using their Active Directory accounts, but sometimes they had to append the domain to the beginning of their name, and it all became kind of a pain.

We are a diverse organization, in that we have many different network configurations. Some of our users are on high-quality T1 connections, while others are still on intermittent – at best – connections. Because of this disparity, I initially blamed the login problem on different network configurations (firewalls, distance to domain controller, etc.), but after doing a bit more research I found that the problem was actually browser related.

By the way, the Internet Explorer setting can also be implemented via group policy (thanks to Chris, James, and Marilyn for helping me figure this one out). Look in the registry at:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

So, here are the steps you need to take to enable NTLM pass-through authentication in Internet Explorer (6 & 7) and Firefox (2):

Internet Explorer

Note: These instructions apply to both IE 6 and IE 7, although there may be slight differences in the screenshots below.

Note2: For some reason, some of the entries that are added to the Local intranet zone seem to be persistent. You’ll delete them in the interface, close all the windows out, come back and they’ll reappear. The only way I found to permanently get rid of them was to manually delete the registry entry located at the location cited just above this section.

1. In Internet Explorer, click on Tools and select Internet Options (see screenshot below)…

2. Next, click on the Security tab at the top of the Internet Options window (see screenshot below)…

3. Once the contents of the Security tab are displayed, highlight Local intranet and click on the Sites button (see screenshot below)…

4. In the Local intranet dialog that pops up, make sure that the last three boxes are checked and click on the Advanced button (see screenshot below)…

5. In the next dialog, type the following into the Add this website to the zone: textbox: http://www.yourdomain.org and click on the Add button (see screenshot below)…

Note: If you’d like to enable Active Directory pass-through authentication for all the sites on a domain, type the following into the Add this website to the zone: textbox: http://*.yourdomain.org.
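
The Local intranet assignments made in the steps above are stored as values under the ZoneMap\Domains key cited earlier, so that key can be read to see which sites the browser treats as intranet for the current user. The PowerShell below is an added example, not part of the original post; the function name Get-IntranetZoneEntry is hypothetical, and it assumes the standard ZoneMap layout in which each protocol value holds a zone number and 1 means Local intranet.

```powershell
# Added example (not from the original post). Lists the sites that the current
# user's ZoneMap assigns to the Local intranet zone (zone number 1).
$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-IntranetZoneEntry {
    param([string]$Root = $ZoneMapDomains)

    if (-not (Test-Path -LiteralPath $Root)) { return }
    $rootName = (Get-Item -LiteralPath $Root).Name

    # Layout: Domains\<domain>[\<subdomain>], with one DWORD per protocol name
    # (http, https, or * for any protocol); the DWORD data is the zone number.
    Get-ChildItem -LiteralPath $Root -Recurse | ForEach-Object {
        $key = $_
        # Turn "yourdomain.org\www" into "www.yourdomain.org".
        $labels = $key.Name.Substring($rootName.Length + 1) -split '\\'
        [array]::Reverse($labels)

        foreach ($protocol in $key.GetValueNames()) {
            if ($key.GetValue($protocol) -eq 1) {
                [pscustomobject]@{
                    Site      = $labels -join '.'
                    Protocol  = $protocol
                    # True when the mapping also covers unencrypted HTTP.
                    PlainHttp = $protocol -in 'http', '*'
                    KeyPath   = $key.Name
                }
            }
        }
    }
}

Get-IntranetZoneEntry | Sort-Object Site, Protocol |
    Format-Table Site, Protocol, PlainHttp -AutoSize

# To clear an entry that keeps reappearing in the dialog (see Note2), delete
# its key; yourdomain.org is the placeholder domain used in this post:
# Remove-Item -LiteralPath "$ZoneMapDomains\yourdomain.org" -Recurse
```

Entries with PlainHttp set are the ones to review first, since they place sites reached over unencrypted HTTP in the intranet zone.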

Mozilla Firefox

Note: These instructions have been tested on Firefox 2.0.0.1.

Note2: Information first encountered here: http://ackbarr.xoops.org.

1. In the address bar of your Firefox browser window, type the following: about:config and press Enter (see screenshot below)…

2. In the configuration page that displays, scroll down to the following entry: network.automatic-ntlm-auth.trusted-uris and double-click on it (see screenshot below)…

3. In the Enter string value that pops up, type http://www.yourdomain.org into the textbox and click OK (see screenshot below)…

Note: If you’d like to enable Active Directory pass-through authentication for all of the sites on a domain, type the following into the textbox: .yourdomain.org.
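
The preference set in the steps above is written to the profile's prefs.js, so the list of sites Firefox will attempt automatic NTLM with can be reviewed without opening the browser. The PowerShell below is an added example, not part of the original post; the function name Get-FirefoxNtlmTrustedUri is hypothetical, and it assumes the default Windows profile location under %APPDATA%.

```powershell
# Added example (not from the original post). Reports every entry of
# network.automatic-ntlm-auth.trusted-uris found in the current user's
# Firefox profiles.
$ProfileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'  # assumed default location

function Get-FirefoxNtlmTrustedUri {
    param([string]$Root = $ProfileRoot)

    $pattern = 'user_pref\("network\.automatic-ntlm-auth\.trusted-uris",\s*"([^"]*)"\)'

    # prefs.js holds values changed through about:config; a user.js file,
    # if present, is applied on top of it at startup, so check both.
    Get-ChildItem -Path $Root -Recurse -Include prefs.js, user.js -File -ErrorAction SilentlyContinue |
        Select-String -Pattern $pattern |
        ForEach-Object {
            $file = $_.Path
            $value = $_.Matches[0].Groups[1].Value

            # The preference is a comma-separated list of sites.
            foreach ($entry in ($value -split '\s*,\s*')) {
                if ($entry) {
                    [pscustomobject]@{
                        Entry           = $entry
                        # Suffix entries such as .yourdomain.org cover every host in the domain.
                        DomainSuffix    = $entry.StartsWith('.')
                        StartsWithHttps = $entry -like 'https://*'
                        File            = $file
                    }
                }
            }
        }
}

Get-FirefoxNtlmTrustedUri | Format-Table Entry, DomainSuffix, StartsWithHttps, File -AutoSize
```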


{ 16 comments… read them below or add one }

1 Tejc March 21, 2007 at 9:28 am

Hey! This is a great post… especially about Firefox settings, so you don’t need to provide AD credentials all the time. I have only one problem with these settings – in intranet we usually omit the “.yourdomain.com” … so we use short web addresses like http://server_name/ … is there a workaround for pass-through authentication to work with short names too?

Thanks a lot!


2 Nate April 9, 2007 at 10:49 pm

Hi Tejc,

Sorry about the delay in getting back to you; I’ve been out of touch for the last couple of weeks.

If your organization uses Active Directory, then you have at least one domain registered. Just use whatever domain name that has been set up (e.g. test.gov, test.com, test.org, etc.) with the “*” before it and it should work for you.

Hope this helps.


3 gilles November 7, 2008 at 10:21 am

I have an NTLM authentication error with IE but it works fine with Firefox with this procedure. Do you know what I could do with my IE config?

Thanks


4 Nate November 7, 2008 at 10:29 am

Hi gilles. Can you give me more specifics? What error are you getting in Internet Explorer? What version of Internet Explorer are you using? Are you being presented with a login dialog when you hit the application?


5 gilles November 7, 2008 at 11:14 am

My error is: when the site is not in the local intranet I am prompted (it’s normal), but when I put the site into the local intranet I have an error in IE, “Internet Explorer cannot display the webpage”; it’s like when I’m not connected to the network.
Just a reminder, everything works fine with Firefox when I added it into the about:config.

Thanks


6 gilles November 7, 2008 at 11:14 am

Sorry, it’s IE 7.


7 Nate November 7, 2008 at 11:22 am

I’ve seen similar behavior before. Try this:

In Internet Explorer, go to “Tools>Internet Options”. Click on the “Security” tab. Select “Local Intranet” and click on the “Custom level…” button. Next, set the security level to “Low”. This shouldn’t be a security issue, as we are talking about intranet sites here.

This has helped me before.

Are you the developer of the application that you’re trying to access? The reason I ask is that I’ve seen this behavior when there are issues with server-side code. A good way to decipher these issues in Internet Explorer is to install Fiddler and monitor the HTTP transactions when hitting the application. These can give you a good idea as to what the issues are (if there are any). It is odd that it is working in Firefox but not Internet Explorer.

Hope this helps.


8 gilles November 7, 2008 at 11:26 am

The website is a MOSS website (intranet). I have tested it on 4 machines but this works on only one. But the IE settings seem to be exactly the same. Maybe in the registry?

Thanks for your help.


9 Nate November 7, 2008 at 11:32 am

Ahhh yes, good ol’ SharePoint. Within our organization, we’ve noticed some inconsistency in which users are challenged for credentials when hitting SharePoint sites. We’ve always written it off to things that are out of our control, including 1) physical network topology, and 2) MOSS configuration.

That said, we’ve had a lot of luck with the methodologies outlined in this post. We’ve been able to implement an organization-wide group policy that adds http://*.yourdomain.org to all Internet Explorer installations, and it seems that this works for the vast majority of our users.


10 gilles November 7, 2008 at 11:40 am

Thanks for the update.
But still no luck on my side. I changed the value with the GUI. Maybe if I did it with a group policy it would work?
Thanks again.


11 Nate November 7, 2008 at 11:50 am

Well, if it isn’t working when you manually set the trusted site in Internet Explorer, it probably isn’t going to work if you do it via group policy.

If you’re using the wildcard method outlined above (http://*yourdomain.org), you may want to try setting it for the specific site that you’re talking about (http://www.yoursite.com).


12 Gilles November 13, 2008 at 5:00 am

No luck on my side, always the same mistake.
Do you know if I can make another test?
Thanks again


13 Nate November 13, 2008 at 2:00 pm

Sorry, I’m about out of ideas. Can’t say I didn’t try. ;-)


14 Gilles November 14, 2008 at 3:11 am

Thanks for your help, and I’ll let you know if I find a workaround!!!


15 Dhiviya January 22, 2009 at 1:09 pm

Thanks a lot for the workaround (especially for Firefox), where I was confused about how to add a site to intranet.


16 Learner February 24, 2009 at 3:25 am

Thanks a ton! I have been looking for this for quite some time!
