Fog Creek Software
Discussion Board

Specifying IE Settings from Group Policy

Hi all,

I have a web application that supports Integrated Windows Authentication.

In IE6 on Windows XP the tick box on the advanced tab of IE Options called "Enable Integrated Windows Authentication" is ticked on by default.

In Windows 2000 this tick box is off by default. Now one of our customers had an issue with the single sign on mechanism of our application that we now know to be caused by this tick box being unticked.

We have informed them that turning this tick box on will resolve the problem they are having BUT I am predicting that it is only a matter of hours before we get a call exclaiming that they can't be expected to go around to 12,000 PCs and turn this option on and that we will need to find a different resolution.

So my question to you all here is - is it possible to specify this setting using group policy? I have been fiddling with the GP on our domain and I can disable the "Advanced" tab completely and I can do mean things like disable the media player ActiveX control, but I can't find an option to actually specify the Advanced settings (this tick box in particular) from the policy.


Chris Ormerod
Sunday, February 1, 2004

I would take another approach to this. When the application starts, I would *check* the setting of that option to make sure it was on. If it was off, I would tell the user it was off. If I could legitimately and securely turn it on, I would offer to turn it on for the user. If I couldn't, I would instruct the user in how to turn it on. I would NOT turn it on automatically, because it requires a reboot before it works.

This setting is described in HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Internet Explorer/AdvancedOptions/CRYPTO/NEGOTIATE/ and apparently can be enabled by writing a key called ValueName with a value of CheckedValue to the registry path specified in RegPath. I assume that if you check RegPath and do not find ValueName, the setting is currently DefaultValue.

I don't feel like rebooting repeatedly to play with this, so I'll let you do that if you like.

Caliban Tiresias Darklock
Sunday, February 1, 2004

Well it isn't an application, it is a web application and I doubt we can set that setting from a JavaScript? :)

(You also don't need to restart the machine, just IE)

But we fixed it now anyway by adding NTLM support to the server side of the application (we had it just to reject anything that wasn't "Negotiate" but found it wasn't too hard to add NTLM support.)

It also works with Win 98 and 95 now as well, which is a bonus - although not really needed.

Chris Ormerod
Monday, February 2, 2004
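
The server-side change described in the post above (accepting NTLM as well as "Negotiate") depends on telling the two token types apart; this is an added example, not the poster's code, and it only classifies the `Authorization` header without validating credentials. The names `classify_authorization` and `CHALLENGE_HEADERS` and the sample tokens are assumptions made for illustration.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_MESSAGE_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

# Offer both schemes on the 401 so a browser with Integrated Windows
# Authentication switched off can still answer with NTLM.
CHALLENGE_HEADERS = [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")]

# Constructed sample tokens (not captured traffic, not complete messages).
SAMPLE_NTLM_TYPE1 = base64.b64encode(NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0)).decode()
SAMPLE_SPNEGO = base64.b64encode(b"\x60\x06\x06\x04\x2b\x06\x01\x05").decode()


def classify_authorization(header_value):
    """Return (scheme, mechanism, detail) for an Authorization header value.

    mechanism is "spnego", "ntlm", or None when the header is unusable.
    """
    if not header_value:
        return (None, None, "missing header")
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2:
        return (None, None, "no token")
    scheme, token_b64 = parts[0].lower(), parts[1].strip()
    if scheme not in ("negotiate", "ntlm"):
        return (scheme, None, "unsupported scheme")
    try:
        token = base64.b64decode(token_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return (scheme, None, "invalid base64")
    # A raw NTLMSSP message can arrive under either scheme name.
    if token.startswith(NTLMSSP_SIGNATURE):
        if len(token) < 12:
            return (scheme, None, "truncated NTLM message")
        (msg_type,) = struct.unpack_from("<I", token, 8)
        name = NTLM_MESSAGE_TYPES.get(msg_type)
        if name is None:
            return (scheme, None, "unknown NTLM message type")
        return (scheme, "ntlm", name)
    # GSS-API initial tokens start with ASN.1 tag 0x60, later SPNEGO legs with 0xa1.
    if scheme == "negotiate" and token[:1] in (b"\x60", b"\xa1"):
        return (scheme, "spnego", "gss-api token")
    return (scheme, None, "unrecognised token")
```

A server that branches only on the scheme name misses the case where a client sends an NTLMSSP message under `Negotiate`, which is why the check looks at the decoded token.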

Sorry, I think I misread what you had written. Did you mean to return a webpage with instructions on how to set the setting on to the user?

If so that might have worked (except for Win98 as we discovered) - but we were automatically falling back to a manual login page when the integrated login failed.

Chris Ormerod
Monday, February 2, 2004

I always get cagey about "web application" because the "web" part and the "application" part could be pretty much anywhere. I write a lot of stuff that essentially tosses information back and forth over the web, but it's still a standard client application. I also write a lot of stuff that comes together as an application, but it's fundamentally just a bunch of web pages. Depending on your personal opinions, either or both could be considered a web application.

To answer your question, yeah, a web page would work if you couldn't set it from your app. I always start having weird ideas like writing ActiveX controls to set it, but that's generally more trouble than it's worth. ;)

Caliban Tiresias Darklock
Monday, February 2, 2004
