I have found a reproducible bug in IE8 - it may be present in earlier
versions, but I have only tested it in 8.
I created a web application using Visual Studio and I set the web.config to
require Windows Authentication and Url Authorization. The Authorization is
set to only allow access to the role "Domain Admins". I created a new site in
IIS and configured the binding for the site to simply be http://servername
After publishing the site, I went back into IIS, enabled Windows
Authentication and disabled Anonymous access. (IIS7 by the way)
I logged into a client machine with a user account that is a member of the
Domain Admins group. I successfully accessed the site with FireFox. I
launched IE8, checked that http://servername
was listed as a site in the
Intranet Security Zone, restarted IE, and tried to access the site. I was
given 3 popup attempts to enter my credentials, and was eventually given a
The only solution I was able to find was to go back into IIS and change the
binding to http://example.domain.local
. With this binding, IE passes my
credentials straight through automatically as the security settings allow.
My conclusion is that there is a bug in IE that requires servers in the
Intranet Zone to use a FQDN as a binding instead of the shorthand servername.
I ask that someone with access to the Technical group working on the next
version of IE pass along this information to the team. Thank you for your
This post is a suggestion for Microsoft, and Microsoft responds to the
suggestions with the most votes. To vote for this suggestion, click the "I
Agree" button in the message pane. If you do not see the button, follow this
link to open the suggestion in the Microsoft Web-based Newsreader and then
click "I Agree" in the message pane.