Thought I will try my luck here. Have tried virtually every solution I could find out there, including previous related questions on SO. I am at my wits' end.

For our Intranet site, our German users always get a security prompt. For all others, it works fine. The IE settings are the same for everyone.

Any good solution pointing me in the right direction to disable the prompt will be welcome.

+2  A: 

Assuming that your intranet sites are properly set up for single-sign-on with Kerberos, your issue may be any of two or more things:

  1. The 'Enable Integrated Windows Authentication' setting is disabled for your German users.
  2. The domain where your German users authenticate and log on to Windows is not trusted by the domain where the servers are controlled.

To fix or check on #1, in Internet Explorer (for a German User), go to the Tools menu and select Internet Options. Then, on the Advanced tab, scroll all the way down to 'Security' and make sure 'Enable Integrated Windows Authentication' is checked. Restart Internet Explorer and try again.

To fix or check on #2, you will need a Domain Administrator to set up domain trust in Active Directory. Unfortunately I don't know all the steps on how to do this, but you could try asking your question on ServerFault and see if anyone can help you there.

In addition to these culprits, other possible issues are deeply rooted in how your domains have been set up. Try downloading and installing Kerbtray.exe on a German user's computer and examining the tickets available after a connection attempt to your intranet server.

Kerbtray Download (Microsoft)

You should, at minimum, see the following three tickets:

  - krbtgt/«domain name»
  - HOST/«user's machinename»
  - HTTP/«app server name»

If the HTTP ticket is missing, then the issue is their ability to be trusted in the domain (even if on the same domain) as the app server.

If the HOST ticket or krbtgt tickets are missing, check for clock drift and account setting flags in Active Directory related to Kerberos (Account is Sensitive and not trusted for Delegation, etc.)

Good Luck :)

meklarian
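
The ticket checklist from the answer above can also be applied to text output collected from several affected workstations. This is an added example, not part of the original answer: it assumes the tickets were captured with the Windows `klist` command instead of Kerbtray, and the sample output, host names, and function names are constructed for illustration.

```python
import re

# Constructed sample of `klist` output from an affected workstation; the realm,
# user and host names are placeholders, not values from the page.
SAMPLE_KLIST = """\
Cached Tickets: (2)

#0>     Client: jdoe @ EXAMPLE.LOCAL
        Server: krbtgt/EXAMPLE.LOCAL @ EXAMPLE.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: jdoe @ EXAMPLE.LOCAL
        Server: HOST/ws042.example.local @ EXAMPLE.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
"""

# Matches lines of the form "Server: <service class>/<target> @ <realm>".
SERVER_RE = re.compile(r"^\s*Server:\s*([^/\s]+)/(\S+)\s*@\s*(\S+)\s*$", re.MULTILINE)

# Follow-up for each missing ticket, as given in the answer.
ADVICE = {
    "krbtgt": "check clock drift and Kerberos-related account flags in Active Directory",
    "HOST": "check clock drift and Kerberos-related account flags in Active Directory",
    "HTTP": "check domain trust between the user's domain and the app server's domain",
}

def cached_services(klist_text):
    """Return (service class, target) pairs, lower-cased, with any port stripped."""
    return {(m.group(1).lower(), m.group(2).lower().split(":")[0])
            for m in SERVER_RE.finditer(klist_text)}

def missing_tickets(klist_text, app_server):
    """Map each ticket missing from the answer's checklist to its follow-up."""
    pairs = cached_services(klist_text)
    classes = {cls for cls, _ in pairs}
    short = app_server.lower().split(".")[0]
    # The HTTP ticket must be for the intranet server; compare short host names
    # so that an SPN registered with or without the DNS suffix is accepted.
    http_ok = any(cls == "http" and target.split(".")[0] == short
                  for cls, target in pairs)
    missing = {}
    if "krbtgt" not in classes:
        missing["krbtgt"] = ADVICE["krbtgt"]
    if "host" not in classes:
        missing["HOST"] = ADVICE["HOST"]
    if not http_ok:
        missing["HTTP"] = ADVICE["HTTP"]
    return missing

if __name__ == "__main__":
    for ticket, advice in missing_tickets(SAMPLE_KLIST, "intranet.example.local").items():
        print(f"{ticket} ticket missing: {advice}")
```

Run `klist` on the workstation right after a connection attempt to the intranet server, as the answer describes for Kerbtray, so that the cache reflects that attempt.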