Please let me disclaim that there are other posts out there with the same information as I’m about to present, but I’ve had to find this multiple times now and it’s always been a struggle to find. If of no use to anyone else, this is for my own selfish ease of access.
- You operate a web server or other services (such as Exchange Client Access Role, SharePoint [yuk!], etc.)
- To access the website or service (herein referred to as a service) the user needs to be authenticated with their Windows [Active Directory Domain] credentials
- The web server has the required “features” installed, and in Internet Information Services (IIS) the Windows Authentication method has been enabled and the Anonymous Authentication method disabled at the server, site, folder or file level
- The expectation is the user browses to https://system.sysadminspot.com/ which accepts this method of authentication
- The user is prompted to enter their Windows authentication credentials – that is, they are NOT detected and automatically logged in, but they must type their credentials into the prompt.
The last point, the credential prompt, is what I will be addressing in this post.
Firstly, regardless of the browser you are using (Internet Explorer, Google Chrome or Firefox) there are default security settings in place to prohibit automatic “single sign-on” or NTLM authentication via the browser. Most browsers insist you enable this at the browser level and/or define a trusted list of hostnames where this is permitted.
Internet Explorer (IE)
IE gets its settings from the operating system “Internet Settings”. These are typically accessed via Tools > Internet Options from within the browser, or Control Panel > Internet Options.
Websites are broken down into zones: internet, local intranet, trusted sites and restricted sites. By default, the local intranet zone has User Authentication > Logon set to Automatic logon only in Intranet zone (accessible via custom settings).
This means that unless IE detects you’re browsing a website within your own network with a local IP address – automatic login will not work and the user will be prompted to type in their credentials.
Generally speaking, this is a good setting. But in some cases, organisations have complex setups which will not fall into this category. What needs to be realised, however, is that this is the default behaviour.
Don’t worry, it is changeable. However, I caution you to do it properly, such as via a group policy change, to avoid user confusion (i.e. works on one computer but not another).
My recommendation is to add services that are outside of the local intranet to the trusted sites zone sites list. Then hit custom level, scroll right to the bottom and change User Authentication > Logon to Automatic logon with current user name and password.
A Point of Order
A gentle reminder that if the user attempts to access a new service that is NOT listed in local intranet or trusted sites – then they are obviously going to be prompted to enter their credentials! This includes going to https://system/ instead of https://system.sysadminspot.com/ – they are different hostnames. If you need both to work – add both!
You must keep the list of permitted sites up to date or make this setting on the internet zone (not recommended).
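To see what a given user profile is actually configured to do, here is a read-only PowerShell audit, added as an example and not part of the original post. It assumes the standard per-user registry locations for zone settings (user-set and Group Policy) and the documented values of the Logon action `1A00`; the function names are hypothetical.

```powershell
# Added example: read-only audit of the current user's Internet Options zones.
# Registry locations and 1A00 values are the documented Windows ones;
# the function names are hypothetical.
$inet  = 'Microsoft\Windows\CurrentVersion\Internet Settings'
$roots = "HKCU:\Software\$inet", "HKCU:\Software\Policies\$inet"  # user-set, then policy
$zoneNames  = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$logonModes = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

# Logon setting (action 1A00) per zone. Review = automatic logon on the Internet zone.
function Get-ZoneLogonSetting {
    foreach ($root in $roots) {
        foreach ($zone in 1..4) {
            $prop = Get-ItemProperty -Path "$root\Zones\$zone" -Name '1A00' -ErrorAction SilentlyContinue
            if ($null -eq $prop) { continue }   # not set at this location
            $value = [int]$prop.'1A00'
            [pscustomobject]@{
                Source = $root
                Zone   = $zoneNames[$zone]
                Logon  = $logonModes[$value]
                Review = ($zone -eq 3 -and $value -eq 0)
            }
        }
    }
}

# Hostnames assigned to a zone: ZoneMap\Domains\<domain>\<host>, value name = scheme.
function Get-ZoneSiteAssignment {
    foreach ($root in $roots) {
        $base = "$root\ZoneMap\Domains"
        if (-not (Test-Path $base)) { continue }
        foreach ($key in Get-ChildItem -Path $base -Recurse) {
            $parts = ($key.Name -split '\\ZoneMap\\Domains\\', 2)[1] -split '\\'
            [array]::Reverse($parts)            # sysadminspot.com\system -> system.sysadminspot.com
            foreach ($scheme in $key.GetValueNames()) {
                [pscustomobject]@{
                    Site   = "${scheme}://" + ($parts -join '.')
                    Zone   = $zoneNames[[int]$key.GetValue($scheme)]
                    Source = $root
                }
            }
        }
    }
}

Get-ZoneLogonSetting   | Format-Table -AutoSize
Get-ZoneSiteAssignment | Sort-Object Zone, Site | Format-Table -AutoSize
```

Any site listed under a zone whose Logon value is the automatic one will be sent the user's Windows credentials without a prompt, so the output is the list worth reviewing regularly. Machine-wide (HKLM) settings are not covered by this sketch.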
You’ll note this blog post is actually about Google Chrome and not Internet Explorer. So why have I gone into so much detail about IE?
Google Chrome actually utilises the same settings that IE uses – that is the Control Panel > Internet Options settings as discussed in the Internet Explorer section above.
Thank you KaPes (last post on the page) for your helpful forum post on the Google product forums.
I really can’t do a better job on describing how to do this in Firefox than some of the other brilliant posts out there. I’ve linked to a few I found accurate and likely to be useful to you.
14 Responses to Google Chrome and NTLM Auto Login Using Windows Authentication