IE does not send NTLM domain

Question

I have a problem with NTLM single-sign-on with IE8.

We've got multiple domain controllers and users from multiple domains that we try to authenticate to a web application via NTLMv1 passthru.

Somehow IE fails to send the user's domain in the NTLM Type 1 message. This has the effect that the webapp can not match users properly to their domain controllers, resulting in failed logon attempts, because a user from domain X tries to authenticate to domain controller Y.

This problem does not occur with Firefox, as it always sends the correct domain header.

So: how do I get IE to send the domain in the NTLM header?

score 1 · Answer 1 · answered Aug 13 '12 at 03:34

1

IE will only pass the domain if it is part of the local intranet. Check your intranet settings / group policy to determin if you have turned off that section.

answered Aug 13 '12 at 03:34

Mitchell Skurnik

172
2
10

score 0 · Answer 2 · answered Feb 18 '11 at 14:09

0

Ok, I think I found the solution. IE never sends the domain, unless the target is the localhost. So if the ntlm implementation can't defer AD resolution until message type 3, you're out of luck.

A detailed desrciption of the issue: http://lists.samba.org/archive/jcifs/2004-April/003363.html

answered Feb 18 '11 at 14:09

Michael Böckling

301
3
15

Is the site listed in your Trusted Sites in IE settings? – BenC Jul 12 '12 at 19:46

IE does not send NTLM domain

2 Answers2