Understanding Internet Explorer security zones

For users to be authenticated silently when they use Internet Explorer to access an application on the Web server with Kerberos or NTLM authentication, two conditions must be met:

  1. Internet Explorer must have integrated Windows authentication enabled - see the instructions below.
  2. The Web server must be in the local intranet Internet Explorer security zone or explicitly configured as part of the local intranet security zone.

    For Internet Explorer, a server is recognized as part of the local intranet security zone in one of two ways:

    • When the user specifies a URL that is not a fully qualified DNS domain name. For example, if you access an application with a URL such as http://admin-server/index.html, Internet Explorer interprets this as a site in the local intranet security zone.
    • When the user specifies a URL with a fully qualified name that has been explicitly configured as a local intranet site in Internet Explorer (see instructions below). For example, if you access an application with a URL such as http://admin-server.mycompany.com/index.html, Internet Explorer interprets this as a site that is not part of the local intranet unless the site has been manually added to the local intranet security zone.

    Depending on whether users log on to Web applications using a local intranet URL or a fully-qualified path in the URL, silent authentication may require modifying the local intranet security zone in Internet Explorer.
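
    One way to check both conditions for the two example URLs above. This is an added example, not part of the original documentation. It assumes Windows PowerShell 5.1 (.NET Framework) run as the affected user; the function name Get-SilentAuthReadiness is hypothetical.

```powershell
# Added example: audit the two conditions for silent Kerberos/NTLM logon.
# Assumption: Windows PowerShell 5.1, executed in the user's own session.
function Get-SilentAuthReadiness {
    param(
        [Parameter(Mandatory)]
        [string[]]$Url
    )

    # Condition 1: the "Enable Integrated Windows Authentication" option is
    # stored per user as the EnableNegotiate DWORD (1 = on, 0 = off).
    # Group Policy can override the per-user value; this reads HKCU only.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $raw = (Get-ItemProperty -Path $key -Name EnableNegotiate `
                -ErrorAction SilentlyContinue).EnableNegotiate
    $iwa = if ($null -eq $raw) { 'NotSet' }
           elseif ($raw -eq 1) { 'Enabled' }
           else { 'Disabled' }

    foreach ($u in $Url) {
        $uri = [Uri]$u

        # Condition 2: ask Windows which security zone the URL maps to.
        # The answer reflects the dotless-name rule and any sites that were
        # added to the local intranet zone manually.
        $zone = [System.Security.Policy.Zone]::CreateFromUrl($uri.AbsoluteUri).SecurityZone

        [pscustomobject]@{
            Url            = $u
            DotlessHost    = ($uri.Host -notmatch '\.')
            Zone           = $zone
            InIntranetZone = ($zone -eq [System.Security.SecurityZone]::Intranet)
            IntegratedAuth = $iwa
        }
    }
}

# The two URL forms discussed above (example host names from this page).
Get-SilentAuthReadiness -Url @(
    'http://admin-server/index.html',
    'http://admin-server.mycompany.com/index.html'
) | Format-Table -AutoSize
```

    A row with InIntranetZone = False for the fully qualified URL means that site still has to be added to the local intranet zone before users are authenticated silently.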