Why does Internet Explorer keep asking me for NTLM credentials in an intranet zone?

Solution 1

The only time we see this is if a user's password has expired. Whenever we see this we get the user to change their password, and for good measure log out and back in with the new credentials. The Intranet site no longer requests credentials.

Makes for a lot of quick support calls...

Also, make sure the Local Intranet zone is set to Automatic logon with current user name and password. You can do this by:

  1. Tools
  2. Internet options
  3. Left click on Security tab
  4. Left click on Custom level
  5. Scroll down to User Authentication
  6. Under Logon, select Automatic logon with current user name and password
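
As an added example (not part of the original answer): a PowerShell check of the same setting in the registry, where the Logon option for the Local Intranet zone is stored as value `1A00` under `Zones\1`. It lists the Group Policy and per-user locations separately, so a value enforced by a domain GPO can be told apart from one chosen in the dialog; treating the first location found as the effective one is an assumption about the usual precedence.

```powershell
# Added example: where does the Local Intranet "Logon" setting come from?
$zone   = '1'      # 1 = Local Intranet zone
$action = '1A00'   # URL action "User Authentication > Logon"

$meaning = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

$suffix = "Windows\CurrentVersion\Internet Settings\Zones\$zone"
# Assumption: policy keys override preference keys, in this order.
$locations = @(
    @('Machine policy (GPO)', "HKLM:\Software\Policies\Microsoft\$suffix"),
    @('User policy (GPO)',    "HKCU:\Software\Policies\Microsoft\$suffix"),
    @('User preference',      "HKCU:\Software\Microsoft\$suffix"),
    @('Machine default',      "HKLM:\Software\Microsoft\$suffix")
)

$effective = $null
foreach ($loc in $locations) {
    $item = Get-ItemProperty -Path $loc[1] -Name $action -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        '{0,-22} (not set)' -f $loc[0]
        continue
    }
    $value = [int]$item.$action
    $text  = $meaning[$value]
    if (-not $text) { $text = 'unrecognized value' }
    '{0,-22} 0x{1:X5}  {2}' -f $loc[0], $value, $text
    if ($null -eq $effective) { $effective = $value }
}

# In the Local Intranet zone both 0x00000 and 0x20000 send the logged-on
# user's credentials without asking; anything else produces a prompt or
# an anonymous request.
if ($effective -eq 0x00000 -or $effective -eq 0x20000) {
    'Result: automatic logon is enabled for the Local Intranet zone.'
} elseif ($null -eq $effective) {
    'Result: no value found in any location.'
} else {
    'Result: automatic logon is NOT enabled for the Local Intranet zone.'
}
```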

Solution 2

Perhaps some of the 4 part handshake going on with NTLM is getting lost in IE talking with the proxy? That is, if IE is asking the proxy about intranet pages...

I know you said you've tried putting sites in the intranet zone and setting them to bypass the proxy. Just curious though, what happens if you disable the proxy config in the browser altogether? No more pop-ups, right?

Tomalak
Author by

Tomalak

I know a bit about SQL, Regular Expressions, XSLT, ColdFusion, JavaScript, scripting in general.

Updated on September 17, 2022

Comments

  • Tomalak
    Tomalak over 1 year

    Long text, sorry for that. I'm trying to be as specific as possible.

    I'm on Windows 7 and I experience a very frustrating Internet Explorer 8 behavior. I'm in a company LAN with some intranet servers and a proxy for connecting with the outside world.

    On sites that are clearly recognized as being "Local Intranet" (as indicated in the IE status bar) I keep getting "Windows Security" dialog boxes that ask me to log in. These pages are served off an IIS6 with "Integrated Windows Security" enabled, NTFS permits Everyone:Read on the files themselves.

    • If I enter my Windows credentials, the page loads fine. However, the dialog boxes will be popping up the next time, regardless if I ticked "Remember my credentials" or not. (Credentials are stored in the "Credential Manager" but that does not make any difference as to how often these login boxes appear.)
    • If I click "Cancel", one of two things can happen: Either the page loads with certain resources missing (images, stylesheets, etc), or it does not load at all and I get HTTP 401.2 (Unauthorized: Logon Failed Due to Server Configuration). This depends on whether the logon box was triggered by the page itself, or a referenced resource.
    • The behavior appears to be completely erratic, sometimes the pages load smoothly, sometimes one resource triggers a logon message, sometimes it does not. Even simply re-loading the page can result in changed behavior.

    I'm using WPAD as my proxy detection mechanism. All Intranet hosts do bypass the proxy in the PAC file.

    I've checked every IE setting I can think of, entered host patterns, individual host names, IP ranges in every thinkable configuration to the "Local Intranet" zone, ticked "Include all sites that bypass the proxy server", you name it. It boils down to "sometimes it just does not work", and slowly I'm losing my mind. ;-)

    I'm aware that this is related to IE not automatically passing my NTLM credentials to the webserver but asking me instead. Usually this should only happen for NTLM-secured sites that are not recognized as being in the "Intranet" zone.

    As explained, this is not the case here. Especially since half of a page can load perfectly and without interruption and some page's resources (coming from the same server!) trigger the login message.

    I've looked at http://support.microsoft.com/kb/303650, which gives the impression of describing the problem, but nothing there seems to work. And frankly, I'm not certain if "manually editing the registry" is the right solution for this kind of problem. I'm not the only person in the world with an IE/intranet/IIS configuration, after all.

    I'm at a loss, can somebody give me a hint?

    • allquixotic
      allquixotic over 10 years
      Sorry, I couldn't resist: So, Captain, how long shall we stare at each other across the neutral zone?!
  • Tomalak
    Tomalak almost 14 years
    There is no .NET involved at all in the pages in question. It won't matter what I configure there.
  • Tomalak
    Tomalak almost 13 years
    No, passwords are fine. That was the first thing I checked, naturally. Besides, there would be no partial page loads and erratic "sometimes it works, sometimes it doesn't" behavior if the password was expired.
  • Tomalak
    Tomalak over 12 years
    The intranet sites are not being loaded through the proxy. But I can give it a shot.
  • Tomalak
    Tomalak over 12 years
    After switching off the proxy altogether and manually adding our Intranet FQDN to the "Intranet" zone in IE, it seems to work ATM. I've not tested for long, so I can't be absolutely sure. Maybe it's some WPAD peculiarity? After all, the PAC file returns "DIRECT" for this FQDN as well…
  • Marlon
    Marlon over 12 years
    Seems like you found your answer if disabling the proxy worked. I was going to suggest trying Firefox and adding the site's name to the ntlm setting in the about:config page and see if that was working.
  • Tomalak
    Tomalak over 12 years
    Unfortunately, this is nothing I can change. Domain GPOs are controlling this setting. Also this does not explain the erratic behavior, I would expect it to fail all the time when low level authentication settings are wrong. :-\
  • Tomalak
    Tomalak over 12 years
    To 1 and 2: Yes. Very puzzling.
  • Tomalak
    Tomalak over 12 years
    I would, but that link is broken.
  • Paul D'Ambra
    Paul D'Ambra over 12 years
    That makes it feel like GPO or the IIS config are to blame...
  • Frank Meulenaar
    Frank Meulenaar over 12 years
    I'm sorry, link is fixed.
  • Tomalak
    Tomalak over 12 years
    Hm. No dice. I'd also rather not use the credential manager for something that should be transparent authentication with my own account.