Internet Explorer, Apache and Integrated Windows Authentication

Posted on 2011-05-05
Last Modified: 2012-05-11
Hi there,

I have a Windows 2008 R2 computer named testcomputer with the Apache web server installed. The computer belongs to the domain test.

I log on to testcomputer as test\user1 and start Internet Explorer 8. I try to connect to the local website http://testcomputer. Since this is an intranet site, IE tries to connect me as current user, but this fails with "Internet Explorer cannot display the webpage". If I change the IE security options to "Prompt for user name and password", and do another try, IE prompts me for the name and password. I enter the SAME information of the already logged on user, and I see the website without any error message.

Now I log on to another computer, i.e. testcomputer1, as test\user1, and try to access the website http://testcomputer. I see the website without any other interaction or error message.

Question: Why doesn't integrated authentication work if I am logged on to the same computer that the web server runs on? Thank you very much!
Question by: ITWolf

    Expert Comment

    Since Windows Server 2003, IE by default runs in a mode called "Enhanced Security Configuration".
    Either add the local site to the Trusted Sites in IE or disable this function completely:
    In Server Manager -> Security Information -> Enhanced Security Configuration for IE

    Author Comment

    Dear mpfister,

    Thank you for your comment. ESC has already been disabled for users and administrators on all involved machines.


    Expert Comment

    You still have to:

    1. Make sure that Integrated Auth is enabled in IE; in many cases it is not, and that has nothing to do with ESC. It is just something else that you have to look for in addition to ESC.

    2. You also have to add the FQDN of the site to the Intranet Zone in IE, unless you use the NetBIOS name (no "dots") of the machine in the address bar of the browser, which causes IE to automatically assume it is in the Intranet Zone.

    Author Comment

    Dear pwindell,

    Thanks for your comment. testcomputer and testcomputer1 have exactly the same configuration, Integrated Windows Authentication is on, and the sites with their FQDN are manually added to the intranet zone. I am using the FQDNs for access to the websites, i.e. http://testcomputer.testdomain.local, since I need this for IE to get the right SPN from the Kerberos KDC.

    I did some investigation with the Kerberos debugging tools and there is absolutely no Kerberos communication when accessing the local website on testcomputer. It seems that IE uses only NTLM when connecting to the local website, but I don't know if this behaviour is "by design".
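An added example, not part of the original thread: one way to confirm from the web server side which mechanism the browser actually offered, as the comment above does with Kerberos debugging tools, is to decode the token in the `Authorization` header of a captured request. The function name `classify_authorization` and the sample tokens are assumptions constructed for illustration.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# DER-encoded mechanism OIDs as they appear inside a GSS-API/SPNEGO token
OID_SPNEGO = bytes.fromhex("06062b0601050502")              # 1.3.6.1.5.5.2
MECHS = [
    ("Kerberos", bytes.fromhex("06092a864886f712010202")),  # 1.2.840.113554.1.2.2
    ("Kerberos", bytes.fromhex("06092a864882f712010202")),  # 1.2.840.48018.1.2.2 (MS)
    ("NTLM", bytes.fromhex("060a2b06010401823702020a")),    # 1.3.6.1.4.1.311.2.2.10
]

def classify_authorization(header_value):
    """Return (scheme, mechanism) for one HTTP Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return scheme, "not integrated auth"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return scheme, "undecodable token"
    if token.startswith(NTLMSSP):
        # Raw NTLMSSP message: a 4-byte little-endian type follows the signature
        msg_type = int.from_bytes(token[8:12], "little")
        return scheme, "NTLM " + NTLM_TYPES.get(msg_type, "unknown")
    if token[:1] == b"\x60":
        # GSS-API initial token; the mechanism OID that appears first is the one
        # the client prefers (first entry of the SPNEGO mechTypes list).
        hits = sorted((token.find(oid), name) for name, oid in MECHS if oid in token)
        if hits:
            wrapper = " via SPNEGO" if OID_SPNEGO in token[:16] else ""
            return scheme, hits[0][1] + wrapper
    if token[:1] == b"\xa1":
        return scheme, "SPNEGO continuation"
    return scheme, "unknown"

# Constructed samples (not captured traffic): a raw NTLM type 1 message, and a
# shortened SPNEGO header listing Kerberos before NTLM; its lengths are placeholders.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    NTLMSSP + (1).to_bytes(4, "little") + bytes(8)).decode()
SAMPLE_KRB = "Negotiate " + base64.b64encode(
    b"\x60\x40" + OID_SPNEGO + b"\xa0\x36\x30\x34\xa0\x24\x30\x22"
    + MECHS[1][1] + MECHS[0][1] + MECHS[2][1]).decode()

if __name__ == "__main__":
    for sample in (SAMPLE_NTLM, SAMPLE_KRB, "Basic dXNlcjpwYXNz"):
        print(classify_authorization(sample))
```

A `Negotiate` token whose base64 text begins with `TlRMTVNT` is raw NTLM, which is what the loopback case described in this thread would show.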

    Accepted Solution

    I've found this on an excellent Kerberos debugging blog article at

    Kerberos is not enabled in this configuration and a hard coded loopback check will always force usage of NTLM in this scenario. Note that NTLM may also not work in this configuration (see for more details).

    So my described behaviour is by design and cannot be changed.

    Expert Comment

    When you add sites to the Intranet Zone, do it exactly like this: *.testdomain.local
    Do not put any http:// or https:// in front of it and do not put any "www" or any subdomains in place of the star. Do it just like I showed.

    Yes. It will use NTLM. NTLM is fine; that is what everyone is using for this and has been for years and years, and nothing "evil" has ever happened because NTLM was in use.

    Author Closing Comment

    After doing a lot of research, I found a blog article describing the behaviour as by design.
