
Enabling Integrated Windows Authentication via policy

Hystorm asked:
Greetings,
I am ripping out the last of my hair on this.
I have a single forest/site domain.
I need to be able to enable IWA for all users.
I have a test OU setup and I have the policy working perfectly there.
When I link that policy to our IT OU, the check box located in IE, under the Advanced tab will not stick.
Also, I have found two locations for this one setting.
There is this path: Administrative Templates / Custom Policies (Under User configs)
This is a classic administrative template (ADM).

Also, there is the setting that can be configured via creating an IE8 entry found under Users Config/preferences/control panel settings/Internet Settings.
Here you can either do a new and create an entry for IE 5-8.
This screen looks the same as the options screen in IE. Here I would open the Advanced tab and scroll to the bottom and place a check in: Enable Integrated Windows Auth.

HOWEVER....I have yet to get this bloody policy working in the IT OU even though it's linked to the Test OU where it is working.
I have looked through all the other policies located within the IT OU (by the way, this OU is set to Block Inheritance from all the parent policies and only runs the few within the OU) and cannot find any conflicting issues or settings.
I even ran a GPRESULT on my account in the IT OU with the check box missing, and right there in the results of the GPO pull, is the setting for IWA. It's enabled and the policy states it WON. (I know that means that policy is the one the domain used over another.)
So, I have a log result that states the policy loaded successfully, yet I open IE and browse to that tab and the check is not there!

Any ideas on this?
I do have both policies in two different scripts that I can disable or enable. The worst part is yesterday it was working and today....nothing.

Please advise.


Bradley Fox (LAN/WAN Systems Administrator, Certified Expert)

Commented:
Check for a GPO that is set to enforced linked to one of the parent containers for the IT OU.
Commented:
Turns out...it was this setting hidden in a logon script:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"EnableNegotiate"=dword:00000000

I set it to dword:00000001 and it fired right up.

Thanks much.
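To make this kind of override visible instead of hunting for it by hand, here is an added PowerShell example (not from the thread or from Microsoft) that reports the effective EnableNegotiate value for the current user and scans a logon-script share for any file that writes that value. The share path and file extensions are assumptions; adjust them to your environment.

```powershell
# Added example: audit the registry value this thread identified as the cause.
# Non-policy key that the IE "Enable Integrated Windows Authentication" box reads.
$KeyPath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ValueName = 'EnableNegotiate'

function Get-IwaState {
    # Returns Enabled / Disabled / NotSet based on the current user's value.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item)              { return 'NotSet' }
    if ($item.$ValueName -eq 1)       { return 'Enabled' }
    return 'Disabled'
}

function Find-IwaOverrides {
    # Scans script files under $ScriptRoot for anything that touches EnableNegotiate,
    # e.g. a .reg fragment with "EnableNegotiate"=dword:00000000 called from a logon script.
    param([Parameter(Mandatory)][string]$ScriptRoot)   # assumption: your NETLOGON or script share
    Get-ChildItem -Path $ScriptRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.reg', '.bat', '.cmd', '.vbs', '.ps1' } |
        Select-String -Pattern $ValueName -SimpleMatch |
        ForEach-Object {
            [pscustomobject]@{ File = $_.Path; Line = $_.LineNumber; Text = $_.Line.Trim() }
        }
}

function Enable-Iwa {
    # Sets the value for the current user only. A logon script or GPO that resets it
    # will win again at next logon, so fix the source found by Find-IwaOverrides.
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 -Type DWord
}

Write-Host "Effective $ValueName for $env:USERNAME : $(Get-IwaState)"

# Assumed share path; replace with the location your logon scripts actually run from.
$hits = Find-IwaOverrides -ScriptRoot '\\example.local\NETLOGON'
if ($hits) {
    Write-Host "Scripts that modify ${ValueName}:"
    $hits | Format-Table -AutoSize
} else {
    Write-Host "No logon script under the share references $ValueName."
}
```

Run it as the affected user (the value lives under HKCU), and compare its output with GPRESULT: a policy reported as winning while the effective value is still 0 points at something applied after policy processing, such as the logon script in this thread.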

