IE7 on Windows Server 2003

By Michael Flanakin @ 6:08 AM :: 3454 Views :: Architecture

Single sign-on (SSO)

I've been working on a single sign-on (SSO) solution for a client for a while and I've run into an issue with IE7 on Windows Server 2003. To get SSO to work, there are a number of issues you need to be aware of -- I'll probably write a post on that later. In my experience, the root of all SSO issues is either Kerberos delegation or DNS configuration. Unfortunately, due to the default configuration of IE7 on Windows Server 2003, the browser won't send a Kerberos ticket to the web server. Obviously, SSO won't work without this. If you're an admin, you can go into IE options and toggle a few settings to get this to work, but when you're using test users without admin rights, you can't.

The problem is that the default configuration does not accurately determine if the website you're browsing to is in the local intranet zone. The following registry changes will fix the issue.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]

I'll go into this in more detail when I write the post I mentioned. To apply the change, you can either do it manually or save the above to a file ending in .reg and then double-click that to update the registry.