Time wasted today?  ~2-3 hours.  When I was in Japan last month I ran across the problem of accessing a SharePoint site which was on a different domain than where my browser was running from.  At the time I simply changed over to SSL and accessed the site with no problem.  However, today while creating a testing site for WSS 3.0 I brought the server up on a different domain within KnowledgeLake, I ran into the problem again.

Let me explain.  Windows Vista comes with IE7 and the "Enable Integrated Windows Setting" is on by default in all zones.  This seems to work wonderfully when accessing sites within the domain my laptop is running on, however when trying to access this new server I brought up today, on a different domain, IE refused to let me in.  I tried every possible combination of the domain name to no avail.  Remembering my trip to Japan, SSL was not an option on this test server, but then I remembered that Firefox worked when I was over there too.  I tried it again and what do you know!  I got in with no problems.

Scratching my head I dug through IE settings, even set my server to be a trusted site with "Low" as my security setting.  No luck.  Going through the advanced tab the only setting I saw that was related was "Enable Integrated Windows Authentication"... but that was already checked.  No luck... or so I thought.

Making Google servers cry I tried ever search combination I could think of with no luck.  Figured this was a cross domain issue, but those answers seemed only point towards XMLHttpRequest (AJAX) usage.  Plus everyone said Firefox was more picky than IE, so that couldn't have been the right track.

Going back through the settings in IE, I figured I'd start trying what didn't make sense.  First thing I did was disable "Enable Integrated Windows Authentication", and luckily that seemed to resolve the issue.  WHAT!?!?  That makes no sense.  I tried looking at IE Help in Vista and that was totally worthless, which brings up another subject.  Does Microsoft have any useful information in help files?  Anyway, back to Google.  So what does Microsoft say about this setting?  From TechNet:

With Integrated Windows authentication (formerly called NTLM, and also known as Windows NT Challenge/Response authentication), the user name and password (credentials) are hashed before being sent across the network. When you enable Integrated Windows authentication, the client browser proves its knowledge of the password through a cryptographic exchange with your Web server, involving hashing.

Also:

Integrated Windows authentication uses Kerberos v5 authentication and NTLM authentication. Kerberos is an industry-standard authentication protocol that is used to verify user or host identity. If Active Directory is installed on a domain controller running Windows 2000 Server or Windows Server 2003, and the client browser supports the Kerberos v5 authentication protocol, Kerberos v5 authentication is used; otherwise, NTLM authentication is used.

I'm not using Kerberos on this server so that leaves me with NTLM.  I'm not a security genius, but it sure seem to me that checking that box should give me the right behavior, correct?  At least it used to be this way in previous versions of IE.  So after an hour or so of Google, I found one person that said to uncheck the box, but no explanation.  If you can explain this to me, please drop me a comment.

Good night,

Chris

Being from St. Louis, I can't get enough of baseball right now.  The Cubs and Brewers didn't put us away when they had the chance and now we have a shot at the division win.  I started wondering about all the different stadium being build and wondered if Live.com would show the new stadiums or the old. I decided to bookmark all the sites and see which ones showed up and wouldn't you know it the only one old picture was Busch Stadium (although the Rangers Stadium didn't quite look right to me).

Anyway, here are my the bookmarks:

http://local.live.com/?v=2&cid=2B396B3160473E4C!759&encType=1