Internet Explorer, Apache and Integrated Windows Authentication

Hi there,

I have a Windows 2008 R2 computer named testcomputer with the Apache web server installed. The computer belongs to the domain test.

I log on to testcomputer as test\user1 and start Internet Explorer 8. I try to connect to the local website http://testcomputer. Since this is an intranet site, IE tries to connect me as current user, but this fails with "Internet Explorer cannot display the webpage". If I change the IE security options to "Prompt for user name and password", and do another try, IE prompts me for the name and password. I enter the SAME information of the already logged on user, and I see the website without any error message.

Now I log on to another computer, i.e. testcomputer1, as test\user1, and try to access the website http://testcomputer. I see the website without any other interaction or error message.

Question: Why doesn't the integrated authentication work if I am logged on to the same computer that the web server runs on? Thank you very much!
ITWolf (Author) Commented:
I've found this in an excellent Kerberos debugging blog article at

Kerberos is not enabled in this configuration and a hard coded loopback check will always force usage of NTLM in this scenario. Note that NTLM may also not work in this configuration (see for more details).

So my described behaviour is by design and cannot be changed.
Michael Pfister Commented:
Since Windows Server 2003, by default, IE runs in a mode called "Enhanced Security Configuration".
Either add the local site to the Trusted Sites in IE or disable this function completely:
In Server Manager -> Security Information -> Enhanced Security Configuration for IE
ITWolf (Author) Commented:
Dear mpfister,

Thank you for your comment. ESC has already been disabled for users and administrators on all involved machines.


You still have to:

1. Make sure that Integrated Auth is enabled in IE; in many cases it is not, and that has nothing to do with ESC. It is just something else that you have to look for in addition to ESC.

2. You also have to add the FQDN of the site to the Intranet Zone in IE, unless you use the NetBIOS name (no "dots") of the machine in the address bar of the browser, which causes IE to automatically assume it is in the Intranet Zone.
ITWolf (Author) Commented:
Dear pwindell,

Thanks for your comment. testcomputer and testcomputer1 have exactly the same configuration, Integrated Windows Authentication is on, and the sites with their FQDN are manually added to the intranet zone. I am using the FQDNs for access to the websites, i.e. http://testcomputer.testdomain.local, since I need this for IE to get the right SPN from the Kerberos KDC.

I did some investigation with the Kerberos debugging tools and there is absolutely no Kerberos communication when accessing the local website on testcomputer. It seems that IE uses only NTLM when connecting to the local website, but I don't know if this behaviour is "by design".
When you add sites to the Intranet Zone, do it exactly like this: *.testdomain.local
Do not put any http:// or https:// in front of it and do not put any "www" or any subdomains in place of the star. Do it just like I showed.

Yes. It will use NTLM. NTLM is fine; that is what everyone is using for this and has been for years and years, and nothing "evil" has ever happened because NTLM was in use.
ITWolf (Author) Commented:
After doing a lot of research, I found a blog article describing the behaviour as by design.
Question has a verified solution.
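
The thread turns on whether IE sent Kerberos or fell back to NTLM when browsing the local site. One way to confirm this from the HTTP side is to classify the token in the request's Authorization header. This is an added example, not code from the thread or the cited blog; the function names and sample tokens are constructed for illustration, and the check is a byte-pattern heuristic rather than a full ASN.1 parse.

```python
import base64
import binascii

# DER-encoded mechanism OIDs (tag 0x06, length, value).
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2 (legacy Microsoft value)
NTLM_SIGNATURE = b"NTLMSSP\x00"


def classify_token(token: bytes) -> str:
    """Heuristically name the mechanism carried in a GSS-API/SPNEGO/NTLM token."""
    # NTLM messages always carry this signature, whether sent raw or
    # wrapped inside an SPNEGO token, so check for it first.
    if NTLM_SIGNATURE in token:
        return "ntlm"
    # 0x60 is the ASN.1 [APPLICATION 0] tag that opens an initial GSS-API token.
    if token[:1] == b"\x60" and (OID_KRB5 in token or OID_MS_KRB5 in token):
        return "kerberos"
    if token[:1] == b"\x60" and OID_SPNEGO in token:
        return "spnego-other"
    return "unknown"


def classify_authorization(header_value: str) -> tuple[str, str]:
    """Return (scheme, mechanism) for an HTTP Authorization header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return scheme, "not-integrated-auth"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return scheme, "malformed"
    return scheme, classify_token(token)


def _hdr(scheme: str, raw: bytes) -> str:
    return f"{scheme} {base64.b64encode(raw).decode()}"


# Constructed, truncated sample tokens (not captured traffic).
NTLM_TYPE1 = NTLM_SIGNATURE + b"\x01\x00\x00\x00\x07\x82\x08\xa2"
SAMPLES = {
    "raw NTLM": _hdr("NTLM", NTLM_TYPE1),
    "NTLM inside Negotiate": _hdr("Negotiate", b"\x60\x40" + OID_SPNEGO + b"\xa0\x36" + NTLM_TYPE1),
    "Kerberos inside Negotiate": _hdr("Negotiate", b"\x60\x82\x05\x10" + OID_SPNEGO + OID_MS_KRB5 + OID_KRB5),
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:28} -> {classify_authorization(value)}")
```

A base64 token beginning with `TlRMTVNT` is the NTLM signature, which is what the loopback case described above would show even under the Negotiate scheme.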