IIS NT Auth - How to get Domain users automatically authenticated

on 10.05.2007 07:58:45 by Steven Nagy

Hi,

Just running a local example on my windows XP pro SP2 box, I have a
virtual directory that I turn off anonymous access for. I want people
to use their domain accounts.

As per an article I just read online, if I refer to the site as
http://localhost/site then it works, as in, it detects that I am
already logged into the domain and does not ask me for
authentication.

If I refer to it by its real world name or IP address, I get prompted
to login. This is all detailed in an article I just read which says to
get around this, I need to put an entry for the FQN into my trusted
"intranet" sites in IE security settings. I've done this but it makes
no difference. I closed all browsers and it still makes no difference.

How can I make it just detect that I am already authenticated to the
domain as per my machine login, and let me access to the site without
prompting for credentials? I've tried both IE6 and IE7.

Thanks,
Steven

Re: IIS NT Auth - How to get Domain users automatically authenticated

on 10.05.2007 09:06:11 by David Wang

FYI:
- Your question is about IE auto-login behavior.
- This newsgroup is for IIS, the web server.

Technically, this is an off-topic question so do not be surprised at
the answers.

> How can I make it just detect that I am already
> authenticated to the domain as per my machine
> login, and let me access to the site without
> prompting for credentials? I've tried both IE6 and IE7.

The issue is NOT that IE fails to detect you are already authenticated
to the domain. IE does detect that you are already authenticated.
However, it chooses to auto-login with the domain credentials based on
the security zone of the requested URL.

dotted-IP address or dotted-FQDN is treated as "Internet" Zone, which
does not auto-login by default -- thus, you get the credentials
prompt. http://localhost is treated as "Intranet" Zone, which does
auto-login by default.

Bottom line -- you need to put the DNS name of the website into the
appropriate IE Security Zone and make sure that Zone does auto-login,
and it should work. By default, dotted-IP address and FQDN go to
Internet Zone which does not auto-login while non-dotted name goes to
Intranet zone which auto-logins. Of course, behavior can change
depending on your IE configuration.

Additionally, you need to know that some authentication protocols may
not work when routed over the Internet, like NTLM (Integrated
Authentication), so depending on how your networking is set up to
route your website's DNS name, authentication may still fail even
after you configure IE to auto-login -- but the issue has nothing to
do with auto-login at that point. I'm pointing this out because the
browser behavior will look very similar; unless you look at the
details closely, one can be easily fooled.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
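
The zone decision described in the reply above, as an added example that is not part of the original thread: a simplified Python model of which URLs a browser configured this way would answer with the logged-on user's credentials without prompting. The host names, the site-list matching, and the stock logon settings in `DEFAULT_LOGON` are assumptions for illustration; a real machine's zone configuration may differ.

```python
from urllib.parse import urlsplit

INTRANET, TRUSTED, INTERNET = 1, 2, 3  # IE security zone numbers

# Values of the per-zone "Logon" setting (URL action 1A00).
SILENT_LOGON_OK = 0x00000  # automatic logon with current user name and password
MUST_PROMPT = 0x10000      # prompt for user name and password
INTRANET_ONLY = 0x20000    # automatic logon only in Intranet zone
ANONYMOUS_ONLY = 0x30000   # anonymous logon

# Assumed stock settings (assumption, not read from a real machine).
DEFAULT_LOGON = {INTRANET: INTRANET_ONLY, TRUSTED: INTRANET_ONLY,
                 INTERNET: INTRANET_ONLY}


def zone_for(url, site_zones=None):
    """Explicit site-list entries win; otherwise apply the dotted-name rule
    from the reply (dotted FQDN or IPv4 -> Internet, plain name -> Intranet)."""
    host = (urlsplit(url).hostname or "").lower()
    for pattern, zone in (site_zones or {}).items():
        pattern = pattern.lower()
        # "*.example.test" matches any host ending in ".example.test"
        if host == pattern or (pattern.startswith("*.")
                               and host.endswith(pattern[1:])):
            return zone
    return INTERNET if "." in host else INTRANET


def sends_credentials_silently(url, site_zones=None, logon=None):
    """True when the zone's logon setting allows auto-login for this URL."""
    zone = zone_for(url, site_zones)
    setting = {**DEFAULT_LOGON, **(logon or {})}[zone]
    return setting == SILENT_LOGON_OK or (
        setting == INTRANET_ONLY and zone == INTRANET)


def audit(urls, site_zones=None, logon=None):
    """List the URLs that would receive domain credentials without a prompt."""
    return [u for u in urls if sends_credentials_silently(u, site_zones, logon)]


# Constructed sample input: host names and address are placeholders.
SAMPLE_URLS = ["http://localhost/site", "http://www.example.test/site",
               "http://192.0.2.10/site", "http://other.example.test/"]
```

Running `audit` over a proposed site list before deploying it shows how far a wildcard entry widens the set of hosts that are handed credentials automatically.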



