What does "Automatic logon only in the Intranet zone" mean?

Each security zone has a "User Authentication" setting for its content that is one of

Value       Setting
---------------------------------------------------------------
0x00000000  Automatically logon with current username and password
0x00010000  Prompt for user name and password
0x00020000  Automatic logon only in the Intranet zone
0x00030000  Anonymous logon

Eric Law's article in IEInternals entitled "The Intranet Zone" explains very well how content is identified as belonging to the Intranet zone and whether the Intranet zone is enabled at all. However, the setting "Automatic logon only in the Intranet zone" exists in all three zones - Trusted Sites, Internet, and Intranet.

Presumably, a URL is identified as belonging to one of the zones, then the security settings are applied to that zone. But then that means the setting is specific to the zone. The implication of this is that the setting "Automatic logon only in the Intranet zone" is no longer talking about the content or URL, but rather some aspect of the browser's state (e.g. what network it is using to reach the content or whether the domain can be contacted).

Let's say we are currently connecting to a site that is identified as part of the Trusted Sites zone, and we get a WWW-Authenticate challenge. Now we need to look at the security settings for the Trusted Sites zone. If it says "Automatic logon in the Intranet Zone", what does that mean?

So I gather from this that either "Automatic logon only in the Intranet zone" means 

  1. "in this content zone if you're not in the Intranet zone, don't use automatic logon"
  2. "if you're connecting from the Intranet, use Automatic logon"

Which is it?

If it is (1), why does the option exist at all? Presumably we could have just option 0, 1, and 3 and it would mean the exact same thing.

If it is (2), precisely what rules does IE use to determine it is connecting "from the Intranet"? Specifically, does it use Network Location Awareness?

March 16th, 2015 10:08pm

You must know the difference between internet and intranet, right?

I think this link will explain that

https://technet.microsoft.com/en-us/library/dd572939(v=office.13).aspx

If you have implemented Integrated Windows authentication, internal users (that is, users located behind your organization's firewall) can log on to Communicator Web Access without having to provide a user name and password. In this case, Communicator Web Access authenticates the user by using the credentials supplied when the user first logged on to his or her computer.

For this type of authentication to take place, the following two things must be true: the user must be running a browser that supports Kerberos and/or NTLM authentication; and, that browser must be configured to allow for automatic logon to a Communicator Web Access site. You can configure Internet Explorer for automatic logon by completing the following procedure on each client computer

I think the main idea of "Automatic logon only in the Intranet zone" is that internal users don't need to key in their user name and password again to go to an intranet site or content which may be restricted for another user inside or outside the organization.

March 16th, 2015 10:42pm

  • Edited by britishdhez Tuesday, March 17, 2015 2:40 AM

Hi Ryan,

Here is a link for reference on automatic authentication. Though the content is a little old, the theory in this link should be useful to help understand the question.
Internet Explorer May Prompt You for a Password
https://support.microsoft.com/en-us/kb/258063

"Internet Explorer must consider the requested URL to be on the intranet (local). If the computer name portion of the requested URL contains periods (such as http://www.microsoft.com and http://10.0.0.1), Internet Explorer assumes that the requested address exists on the Internet and does not pass any credentials automatically. Addresses without periods (such as http://webserver) are considered to be on the intranet (local); Internet Explorer passes credentials automatically. The only exception is addresses included in the Intranet zone in Internet Explorer."

According to this sentence, "The only exception is addresses included in the Intranet zone in Internet Explorer", it indicates that the intranet address will be handled as the usual address in that zone unless it has been added into the Intranet Zone. So this option is necessary for the other zones. In other words, an intranet address can be added into the Trusted Zone or Internet Zone.

Best r

March 18th, 2015 2:30am

Thanks for this response. I'm sorry I didn't follow up sooner.

What I imagine happens for this processing is two steps:

  1. What security zone are we in?
  2. For the security zone we are in, what type of user authentication do we allow?

Say the answer to (1) is "Intranet Zone" (so the server is in the Intranet Zone).

For Step (2), what would be the difference between setting 0x00020000 and 0x00000000?

My assumption is that 0x00020000 only makes sense as a setting if "only in the Intranet zone" refers to the client's location, not the server's location. So I'm reading "Automatic logon only in the Intranet zone" as "only send my credentials if I'm connecting from a safe place (i.e., the Intranet)".

Imagine a different example. We could set the Intranet Zone setting for user authentication to "Anonymous logon", yet set the other zones to "Automatic logon only in the Intranet zone". What would that mean? It just doesn't make any sense.

So my question is, and remains, how does IE determine if I'm in the Intranet Zone (for step 2)?

August 12th, 2015 3:21pm
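
The two-step evaluation discussed in this thread (map the URL to a zone, then apply that zone's logon setting), as an added example that is not part of the original posts and is not Internet Explorer's code. It assumes reading (1) of 0x00020000 from the question and a simplified zone mapping (explicit site lists first, then the dot rule quoted from KB 258063); the function names, action strings and the host portal.corp.example are hypothetical.

```python
from urllib.parse import urlsplit

# Logon setting values as listed in the question's table.
AUTOMATIC, PROMPT, AUTO_INTRANET_ONLY, ANONYMOUS = 0x00000000, 0x00010000, 0x00020000, 0x00030000
INTRANET, TRUSTED, INTERNET = "Intranet", "Trusted Sites", "Internet"


def map_to_zone(url, intranet_sites=(), trusted_sites=()):
    """Step 1: which zone is the URL in? Simplified model: explicit site
    lists first, then the dot rule quoted from KB 258063."""
    host = (urlsplit(url).hostname or "").lower()
    if host in intranet_sites:
        return INTRANET
    if host in trusted_sites:
        return TRUSTED
    # Dotted names and IP literals count as Internet; dotless names as intranet.
    return INTERNET if "." in host else INTRANET


def credential_action(url, zone_settings, intranet_sites=(), trusted_sites=()):
    """Step 2: apply the logon setting of the zone the URL mapped to."""
    zone = map_to_zone(url, intranet_sites, trusted_sites)
    setting = zone_settings[zone]
    if setting == AUTOMATIC:
        action = "send-current-credentials"
    elif setting == PROMPT:
        action = "prompt"
    elif setting == ANONYMOUS:
        action = "anonymous"
    elif setting == AUTO_INTRANET_ONLY:
        # ASSUMPTION: reading (1) from the question, keyed on the URL's zone.
        action = "send-current-credentials" if zone == INTRANET else "prompt"
    else:
        raise ValueError(f"unknown logon setting {setting:#010x}")
    return zone, action


def audit(urls, zone_settings, **site_lists):
    """Return the URLs that would receive the user's credentials silently."""
    return [u for u in urls
            if credential_action(u, zone_settings, **site_lists)[1] == "send-current-credentials"]


# Constructed sample input: the three URLs from the KB quote plus a hypothetical host.
SAMPLE_URLS = ["http://webserver/", "http://10.0.0.1/", "http://www.microsoft.com/",
               "http://portal.corp.example/"]
ALL_CONDITIONAL = {INTRANET: AUTO_INTRANET_ONLY, TRUSTED: AUTO_INTRANET_ONLY, INTERNET: AUTO_INTRANET_ONLY}

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, credential_action(url, ALL_CONDITIONAL, intranet_sites={"portal.corp.example"}))
```

Under this model, a dotted internal host added to Trusted Sites rather than to the Intranet zone gets a prompt when that zone is set to 0x00020000.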

This topic is archived. No further replies will be accepted.
