Hi Stefano,
I know this is a late response.
Based on your description, you're hosting an application on IIS running on Windows Server 2022, joined to your Active Directory domain. You've enabled Windows Authentication and deployed the site URL via Group Policy to be recognized as a trusted intranet site. However, users are still being prompted for credentials when accessing the application through browsers like Edge, Chrome, or Firefox.
Let's walk through a few steps together to make sure nothing is missing:
- Since you are using Windows Authentication, please double-check the Authentication settings in IIS:
  - Anonymous Authentication is disabled
  - Windows Authentication is enabled
You can verify this in IIS Manager under:
Sites -> YourSite -> Authentication
Here's a Microsoft doc that walks you through it:
https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/windowsauthentication/
- Browsers like Edge and Chrome (which inherit IE zone settings via the Internet Options API) rely on the Intranet Zone to automatically pass credentials without prompting.
  Please verify the Group Policy configuration for the Intranet Zone:
  - Open gpedit.msc
  - Navigate to: Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page
  - Open Site to Zone Assignment List
  - Ensure your IIS app's URL is assigned to Zone 1 (Intranet Zone), not Trusted Sites.
    Trusted Sites (Zone 2) does not allow automatic login with current credentials by default.
More on that here:
https://techcommunity.microsoft.com/discussions/windowspowershell/site-to-zone-assignment-list---powershell/4084060
- Different browsers handle Windows Authentication differently:
  - For Edge/Chrome: these browsers use Windows Security Zones.
  - For Firefox: configure network.automatic-ntlm-auth.trusted-uris in about:config to include your site.
For better understanding, you can check out this link:
https://helpdesk.thoughtfarmer.com/hc/en-us/articles/1500005844122-How-to-enable-Windows-SSO-login-on-browsers#:~:text=Edge%20%2F%20Google%20Chrome%201%20Open%20the%20Windows,name%20and%20password.%206%20Click%20OK.%20More%20items
- If you are expecting Kerberos (rather than falling back to NTLM), ensure that:
  - The server hosting the IIS app has a valid Service Principal Name (SPN) registered.
  - There are no duplicate SPNs that could interfere with proper Kerberos authentication.
  You can check with:
    setspn -Q HTTP/yourservername
  If the SPN is missing or duplicated, Kerberos may fail and fall back to NTLM, which can cause login prompts.
- If you're not using a custom domain name or load balancer, and your app pool runs under ApplicationPoolIdentity, you may not need to configure SPNs manually.
For more information:
https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/iis/www-authentication-authorization/troubleshoot-kerberos-failures-ie
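As an added example (not part of the reply above or of Microsoft's documentation), the following PowerShell script runs the same checklist in one pass: the IIS authentication settings and provider order, the application pool identity, the Site to Zone Assignment List that Group Policy writes to the registry, the HTTP/ SPN lookup with setspn, and a direct Kerberos service-ticket request with klist. The site name YourSite and the host name app.corp.example are placeholders; replace them with your own. The IIS and app pool checks need the WebAdministration module and must run on the web server; the zone and klist checks are meaningful on a domain-joined client where the GPO applies.

```powershell
# Added diagnostic script, not from the original thread. 'YourSite' and
# 'app.corp.example' are assumed placeholder names. Run in an elevated
# PowerShell on the IIS server (WebAdministration module, setspn.exe);
# re-run the zone and klist sections on a client that receives the GPO.
param(
    [string]$SiteName = 'YourSite',          # assumed IIS site name
    [string]$HostName = 'app.corp.example'   # assumed host name users browse to
)

Import-Module WebAdministration -ErrorAction Stop

$sitePath = "IIS:\Sites\$SiteName"
$authBase = 'system.webServer/security/authentication'

# 1. IIS authentication (IIS Manager: Sites -> YourSite -> Authentication).
#    Anonymous must be disabled or IIS never challenges; Windows must be enabled.
$anon   = (Get-WebConfigurationProperty -PSPath $sitePath -Filter "$authBase/anonymousAuthentication" -Name enabled).Value
$win    = (Get-WebConfigurationProperty -PSPath $sitePath -Filter "$authBase/windowsAuthentication"   -Name enabled).Value
$kernel = (Get-WebConfigurationProperty -PSPath $sitePath -Filter "$authBase/windowsAuthentication"   -Name useKernelMode).Value
$providers = (Get-WebConfiguration -PSPath $sitePath -Filter "$authBase/windowsAuthentication/providers/add").value
"[IIS]  anonymousAuthentication.enabled = $anon  (want False)"
"[IIS]  windowsAuthentication.enabled   = $win   (want True)"
"[IIS]  useKernelMode                   = $kernel"
"[IIS]  providers                       = $($providers -join ', ')  (Negotiate should be listed before NTLM)"

# 2. Application pool identity. With ApplicationPoolIdentity and kernel-mode
#    auth the machine account answers for HTTP/<machinename>; a custom host
#    name or a custom service account needs its own HTTP/ SPN (step 4).
$pool = (Get-Website -Name $SiteName).applicationPool
$pm   = Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel
"[Pool] $pool runs as $($pm.identityType) $($pm.userName)"

# 3. Site to Zone Assignment List. The GPO writes one registry value per URL:
#    name = URL, data = zone number as a string ("1" = Intranet, "2" = Trusted Sites).
$zoneKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)
$zoneNames = @{ '0' = 'My Computer'; '1' = 'Intranet'; '2' = 'Trusted Sites'; '3' = 'Internet'; '4' = 'Restricted' }
$found = $false
foreach ($key in $zoneKeys) {
    if (-not (Test-Path $key)) { continue }
    $entries = (Get-ItemProperty $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
    foreach ($e in $entries) {
        if ($e.Name -like "*$HostName*") {
            $found = $true
            $zone = [string]$e.Value
            $verdict = if ($zone -eq '1') { 'OK' } else { 'WRONG: must be zone 1 for automatic logon' }
            "[Zone] $($e.Name) -> $zone ($($zoneNames[$zone]))  $verdict  [$key]"
        }
    }
}
if (-not $found) { "[Zone] $HostName is not in any Site to Zone Assignment List policy on this machine" }

# 4. SPN lookup: Kerberos needs exactly one account holding HTTP/<hostname>.
#    setspn -Q searches the forest; each owning account is printed as a CN= line.
$spnOut = & setspn.exe -Q "HTTP/$HostName" 2>&1
if ($spnOut -match 'No such SPN found') {
    "[SPN]  HTTP/$HostName is NOT registered; clients fall back to NTLM or prompt"
} else {
    $owners = @($spnOut | Where-Object { $_ -like 'CN=*' })
    "[SPN]  HTTP/$HostName held by: $($owners -join '; ')"
    if ($owners.Count -gt 1) { "[SPN]  DUPLICATE SPN on $($owners.Count) accounts; Kerberos will fail (see also: setspn -X)" }
}

# 5. From a client: ask the KDC for a service ticket outright. Success proves the
#    SPN and name resolution; failure isolates the problem from IIS and the browser.
$klist = & klist.exe get "HTTP/$HostName" 2>&1
if ($klist -match 'retrieved successfully') {
    "[Kerb] service ticket for HTTP/$HostName obtained"
} else {
    "[Kerb] no ticket for HTTP/$HostName : $($klist | Select-Object -Last 1)"
}
```

Read the output top to bottom in the same order as the checklist: a True for anonymousAuthentication explains prompts on its own; a zone other than 1 explains prompts in Edge/Chrome only; a missing or duplicated SPN, or a failed klist, explains why Negotiate never completes as Kerberos even though the browser is willing to send credentials.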