We decided to retire one of our Windows 2008 (32-Bit) servers, hosting multiple classic ASP intranet applications. Our immediate choice was another VM, that runs Windows 2008 R2, 64-Bit OS with IIS 7.5.x as intermediatory until we setup a brand new VM running Windows 2019 & soon realized that we were in tight spot as any attempt to access intranet application(s) from the new host started prompting for authorization for applications that were using “Windows Authentication”. All our application servers are domain members, so are our clients.
We did an apple to apple comparison between servers/IIS setup, visited dozens of threads & yet were unable to fix the “problem”, that was the site/application asking for authentication for a user who is already authenticated by the Active Directory!
Credits:
- Configuring Web Browsers for Active Directory Integration | MIDAS
- How to enable NTLM for all intranet sites in Firefox? – Super User
- iis 7.5 – Intranet website – getting a login box although I have configured Windows Authentication in IIS – Server Fault
Although Midas site article Configuring Web Browsers for Active Directory Integration | MIDAS clearly mentioned about adding the website to local intranet zone, we missed it completely!
After referring third link, had the answer to our problem. Actually, if a client wants to negotiate authentication using “Windows Authentication” through a website by passing currently logged in user credentials, that website should be in Local Intranet zone, which was, for us controlled using a Group policy. This is strictly to make sure that user details are not shared with Internet zones, as a security measure.
Once the new site name was added to the zone list and group policies updated, we were able to access the intranet applications without further issues.