0

Technical Setup

We have a website set with no anonymous access on a webserver (webtest.work.local), and making use of two hostheader values (with appropriate DNS entries created):
1. mySite.uat.work.local
2. mySite.uat.companyName.co.uk

The domain we use is work.local

IIS Directory security is set to: 

Enamble Anonymouse Access = False (unticked)  
Integrated Windows Authentication = True (ticked)  
Digest Authentication = True (ticked)  
Realm = **work.local**

Problem

When I access mySite.uat.work.local it correctly identifies the currently logged in user to the domain (no login window displayed)

When I access mySite.uat.companyName.co.uk it always prompts me to supply the username and password.

Things tried

  1. Looked at the Windows Server 2003 SP1 issue, that didn't work (though it did get the mySite.uat.work.local working)
  2. Looked at using Authentication and Access Control Diagnostics tool to try and spot issues with authentication, it reported no errors

I think it has something to do with thinking that if you're accessing mySite.uat.companyName.co.uk then you are not part of the work.local domain and so therefore don't even attempt Integrate Windows Authentication, but that's just a theory

masegaloeh
  • 17,978
  • 9
  • 56
  • 104
Andrew Bickerton
  • 105
  • 6

1 Answers1

0

By default, Internet Explorer only performs "transparent" authentication for sites in the "Local Intranet" security zone. Your "mySite.uat.companyName.co.uk" is probably being identified as being in the "Internet" security zone and, thus, no automatic logon is occurring.

You can add that site to the "Local Intranet" zone through the "Advanced" settings on the "Local Intranet" zone from the "Security" tab in "Internet Options", or you can modify the setting re: automatic logon in the "Internet" zone settings.

Evan Anderson
  • 141,071
  • 19
  • 191
  • 328
  • Is there a way to add companyName.co.uk to the domain server (rather than updating all potential client machines)? – Andrew Bickerton Oct 28 '09 at 00:08
  • You can either write a script to add this entry to each client's registry, you can use "Internet Explorer Maintenance" policy, or you can use the "Site to Zone Assignment" Administrative Template policy (located in Windows Components / Internet Explorer / Internet Control Panel / Security Page in both computer and user settings) to affect the desired change. I believe that the last method is the currently encouraged (by Microsoft) method for making such a change. – Evan Anderson Oct 28 '09 at 13:22