: You didn't mention it anywhere, but you are using IE, along with NTLM SSO. IE only engages in automatic NTLM handshakes with sites that it deems to be in the Intranet Zone. Otherwise it
You didn't mention it anywhere, but you are using IE, along with NTLM SSO. IE only engages in automatic NTLM handshakes with sites that it deems to be in the Intranet Zone. Otherwise it will throw the popup prompt to explicitly ask for credentials. (Even in the Trusted Zone)
So the question is, how does it know a site is in the intranet? Well, first, if you use a short name like in your first example (no dots), it assumes it is in the intranet and it can be resolved using the DNS suffix search list. It will also look-up the explicitly added list of sites in various Zones at the Local Machine and User levels. There are further heuristics that it uses to detect the intranet, based on proxy configuration etc. if you have "Automatically Detect Intranet" option checked. But in your case I am surprised that your default corp AD domain wasn't already added to the Intranet Zone. If this is the case then using the FQDN of your host WEBSERVER.internaldomain.com would also have resulted in the prompt. Not anymore though, since you already added *.internaldomain.com to the Intranet Zone.
It doesn't have anything to do with the resolved IP, this all happens before the DNS resolver. In fact, I think IE considers all IPs to be non-intranet unless otherwise specified. I mean if you were to use the IP in the URL, it would prompt.
Also note that Firefox doesn't do any such automatic intranet detection. It just relies on an explicit list of sites that you specify manually in network.negotiate-auth.trusted-uris. It will only trust those for automatic NTLM SSO. You would need to use a customized user.js or Mozilla.cfg file to achieve the same results as you got with a GPO for IE.
More posts by @Hamm4606531
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.