NTLM Authentication for websites is a great addition to the bat-belt when writing ASP.Net sites. Additionally it is also a great to have support for it in Team Foundation & SharePoint portals. However as great as having support for NTLM authentication may be, having to enter & re-enter your credentials when surfing Intranet or Extranet sites can be an annoyance that is just not worth it.
Anyone who has used SharePoint or TFS portal on a properly setup network will attest that simply being able to visit the site for it to authenticate you is a massive finishing touch. This same nicety applies the same to a custom built ASP.Net extranet simply “knowing” who you are. As Steve Jobs would put it;
“… It just works …”
And although i don’t always see eye to eye with Monsieur Jobs – i agree with him on this. Automatic sign-in is how you want your sites to run.
So why doesn’t this work straight out the box?
This has a little bit to do with security on the web at large – or more the fact that everyone, be they American Phanphobic Citizens or not, lives their life on the web in fear.
Internet Explorer not having a history of being the tightest browser of all, security wise, runs out of the box with no Trusted Sites. Therefore by default it won’t automatically hand out your login token to just any site. FireFox is pretty much the same in it’s assumption that there is more nasties than goodies out there.
A lot of people don’t even know that FireFox can support NTLM – but it does, just not by default.
What we need to do to remedy these two browsers’ situation, is to add the sites you want to be automatically logged into, to their list of Trusted sites, and you can do this one of two ways.
Internet Explorer Local Machine Trusted Sites Setup
So you may not have a domain, with an Active Directory Server to do your bidding. Don’t worry though, as this is just as easy to setup on your local machine. If you’re on a domain, you’ll need to complete the following on your active directory server before skipping to the next section anyway.
- Open IE on your local computer and open TOOLS > INTERNET OPTIONS, then choose the Security tab up the top.
- Click on the ‘Local Intranet’ icon, and then click the Sites button to open the list of Trusted Sites for the Intranet zone.
- If you’re in IE 6-7 This will simply open the list, If you’re in IE 8 it will show the window below. Click Advanced.
- If your site ASP.Net, SharePoint or TFS site is not on an HTTPS connection (I'm assuming it isn’t) un-tick the box marked “Require secure connection”, and then enter your site’s address in the box. Then click Add. Do this for every site you want to have automatic sign-on for and then click close
- Now back at the main settings screen, make sure the intranet zone is still selected and click the custom level button. On the next screen scroll right to the bottom and make sure that under User Authentication > Logon, that the option Automatic Logon, only in Intranet Zone is selected.
- Close by clicking OK, and you’re done!
Internet Explorer Domain Group Policy Trusted Sites Setup
If you’re on a domain, and want to allow all your users to have automatic sign-on, Group Policy is your friend. If you don’t you’re already done.
- Login to your Active Directory Domain Controller, using a domain admin account, and perform the steps listed above to setup the local Internet Explorer settings on the server. You will want to repeat the following for two separate policies. One with Enhanced Security Configuration turned on, and one with it turned off, so that you can support workstations with both configuration.
- To turn off Internet Explorer Enhanced Security Configuration on a Windows 2008 server do the following. Open up Server manager, scroll down to Security Configuration and click the link that says Configure IE ESC
- Turn it off for Administrators and close the window
- Open up Group Policy Management
- Right-click your domain name (or whichever OU contains the users you wish to apply this to), and create a new Policy by clicking “Create a GPO in this domain, and link it here”. Give your new policy a name (preferably better than mine)
- Right click on your newly created policy and select Edit
- Open down to User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > Security > Security Zones and Content Ratings
- Select “Import the current security zones and privacy settings”
- When you select this option you will probably receive a warning about ‘Internet Explorer Enhanced Security Configuration’.
This is why we disabled the enhanced configuration in step 3, so that this policy will apply to workstations without Enhanced security turned on. Click Continue. - Close all open windows.
The changes will take time to replicate through your AD topology, depending on your setup. You may see the changes take effect within 15 mins to an hour. If you have a Multi-site AD setup it may take a day or two.
FireFox – Turning NTLM On & Adding Trusted Sites
The first step to getting your FireFox Setup working with automatic sign-on is to turn NTLM on. As i said earlier, a lot of people don’t appear to even know this is possible.
- Open FireFox and type about:config in the address bar. Click I’ll be careful, I promise! to the warning and you’ll open the FireFox advanced configuration page.
- Search for ntlm by typing it into the filter box.
- Select the option network.ntlm.send-lm-response and double click it to toggle it to on
- Next double click the item marked network.automatic-ntlm-auth.trusted-uris in the next box enter each URL of your sites seperated by a comma – click OK
- Close the tab and you’re done!
FireFox Domain Group Policy Trusted Sites Setup
Firefox is Mozilla’s beast, and therefore what they say and do goes in the world of FireFox. Sadly this means that there is no clear cut way to setup group policy’s for FireFox.
There is however a methods to Make it happen and it is to use Wet Dog Active Directory Tools from the following URL:
http://wetdog.sourceforge.net/
Details for using it are sadly for another blog post though. If i led you on I'm sorry – but the post is coming soon.