Why does Internet Explorer keep asking me for NTLM credentials in an intranet zone?
Long text, sorry for that. I'm trying to be as specific as possible.
I'm on Windows 7 and I experience a very frustrating Internet Explorer 8 behavior. I'm in a company LAN with some intranet servers and a proxy for connecting with the outside world.
On sites that are clearly recognized as being "Local Intranet" (as indicated in the IE status bar) I keep getting "Windows Security" dialog boxes that ask me to log in. These pages are served off an IIS6 with "Integrated Windows Security" enabled, NTFS permits Everyone:Read on the files themselves.
- If I enter my Windows credentials, the page loads fine. However, the dialog boxes will be popping up the next time, regardless if I ticked "Remember my credentials" or not. (Credentials are stored in the "Credential Manager" but that does not make any difference as to how often these login boxes appear.)
- If I click "Cancel", one of two things can happen: Either the page loads with certain resources missing (images, stylesheets, etc.), or it does not load at all and I get HTTP 401.2 (Unauthorized: Logon Failed Due to Server Configuration). This depends on whether the logon box was triggered by the page itself, or a referenced resource.
- The behavior appears to be completely erratic, sometimes the pages load smoothly, sometimes one resource triggers a logon message, sometimes it does not. Even simply re-loading the page can result in changed behavior.
I'm using WPAD as my proxy detection mechanism. All Intranet hosts do bypass the proxy in the PAC file.
I've checked every IE setting I can think of, entered host patterns, individual host names, IP ranges in every thinkable configuration to the "Local Intranet" zone, ticked "Include all sites that bypass the proxy server", you name it. It boils down to "sometimes it just does not work", and slowly I'm losing my mind. ;-)
I'm aware that this is related to IE not automatically passing my NTLM credentials to the webserver but asking me instead. Usually this should only happen for NTLM-secured sites that are not recognized as being in the "Intranet" zone.
As explained, this is not the case here. Especially since half of a page can load perfectly and without interruption and some page's resources (coming from the same server!) trigger the login message.
I've looked at http://support.microsoft.com/kb/303650, which gives the impression of describing the problem, but nothing there seems to work. And frankly, I'm not certain if "manually editing the registry" is the right solution for this kind of problem. I'm not the only person in the world with an IE/intranet/IIS configuration, after all.
I'm at a loss, can somebody give me a hint?
The only time we see this is if a user's password has expired. Whenever we see this we get the user to change their password, and for good measure log out and back in with the new credentials. The Intranet site no longer requests credentials.
Makes for a lot of quick support calls...
Also, make sure the Local Intranet zone is set up to Automatic logon with current user name and password. You can do this by:
- Tools
- Internet options
- Left click on Security tab
- Left click on Custom level
- Scroll down to User Authentication
- Under Logon, select Automatic logon with current user name and password
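
The setting chosen in the steps above can also be read from the registry, which shows whether a policy key overrides what the dialog displays. This PowerShell snippet is an added example, not part of the original answer; it assumes the standard Internet Settings zone keys, where zone 1 is Local Intranet and the DWORD value `1A00` holds the logon option. The helper name `Get-LogonMeaning` is made up for the illustration.

```powershell
# Added example: read-only check of the Local Intranet (zone 1) logon option.
# The "Logon" radio buttons under User Authentication are stored as DWORD "1A00".

function Get-LogonMeaning([int]$Value) {
    # Hypothetical helper: maps the stored DWORD to the dialog's wording.
    switch ($Value) {
        0x00000 { 'Automatic logon with current user name and password' }
        0x10000 { 'Prompt for user name and password' }
        0x20000 { 'Automatic logon only in Intranet zone' }
        0x30000 { 'Anonymous logon' }
        default { 'Unrecognized value' }
    }
}

$suffix = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'

# Policy keys (set by Group Policy) override the preference keys
# that the Internet Options dialog writes to.
$keys = @(
    "HKLM:\Software\Policies\$suffix",
    "HKCU:\Software\Policies\$suffix",
    "HKCU:\Software\$suffix",
    "HKLM:\Software\$suffix"
)

foreach ($key in $keys) {
    # A missing key or value is normal; suppress the error and report it.
    $item = Get-ItemProperty -Path $key -Name '1A00' -ErrorAction SilentlyContinue
    if ($item -eq $null) {
        '{0}: 1A00 not set' -f $key
    } else {
        $v = [int]$item.'1A00'
        '{0}: 0x{1:X5} = {2}' -f $key, $v, (Get-LogonMeaning $v)
    }
}
```

If a policy key reports "Prompt for user name and password", changing the option in the dialog has no lasting effect and the Group Policy has to be corrected instead.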
Perhaps some of the 4-part handshake going on with NTLM is getting lost in IE talking with the proxy? That is, if IE is asking the proxy about intranet pages...
I know you said you've tried putting sites in the intranet zone and setting them to bypass the proxy. Just curious though, what happens if you disable the proxy config in the browser altogether? No more pop-ups, right?