In Internet Explorer 7, Tools, Internet Options, Advanced tab. The checkbox for “enable integrated windows authentication” is very confusing. You would think this means “just log me in with my windows credentials”, but no, there’s more to it than that. And what I found was, it simply enables “Negotiate”. It set’s this registry key to 1:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate
After some research, this actually means that IE will negotiate between NTLM or Kerberos authentication. In some situations, Kerberos will fail. I don’t understand well enough to explain this one. But that’s ok, because the point of all this is… I want IE to authenticate automatically on my Intranet! Anyway, if you uncheck this setting in IE, it will set Negotiate to disabled. (0) If Negotiate is disabled, IE will use NTLM by default. BAM! I can login automatically.
Wouldn’t it be much more helpful if Microsoft had labeled that for what it was? Like: Negotiate Kerberos or NTLM Authentication.
Word of caution… some Intranet apps might depend on Kerberos, so this might cause more problems down the road of you disable this on all your client systems.
Another note… IE6, as I understand it, does not behave this way. It has a similar setting to enable windows authentication and I believe it uses NTLM by default. I HAVE NOT TESTED THIS, and I don’t know for sure if this is true, but according to my Googling, this is the case.
I found this site with info regarding EnableNegotiate:
http://ie7triage.spaces.live.com/blog/cns!3B6634EF5458F389!422.entry
Â
Here’s another blog you might find useful:
http://blog.super-networking.net/systems/internet-explorer-enable-integrated-windows-authentication/
Â
Â
Â