I have a problem with NTLM single-sign-on with IE8.
We've got multiple domain controllers and users from multiple domains that we try to authenticate to a web application via NTLMv1 passthru.
Somehow IE fails to send the user's domain in the NTLM Type 1 message. This has the effect that the webapp cannot match users properly to their domain controllers, resulting in failed logon attempts, because a user from domain X tries to authenticate to domain controller Y.
This problem does not occur with Firefox, as it always sends the correct domain header.
So: how do I get IE to send the domain in the NTLM header?
IE will only pass the domain if it is part of the local intranet. Check your intranet settings / group policy to determine if you have turned off that section.
Ok, I think I found the solution. IE never sends the domain, unless the target is the localhost. So if the ntlm implementation can't defer AD resolution until message type 3, you're out of luck.
A detailed description of the issue: http://lists.samba.org/archive/jcifs/2004-April/003363.html
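To make the "defer AD resolution until Type 3" point concrete, here is an added example (not code from the question, the answers, or the jCIFS thread) that parses the domain field out of NTLM Type 1 (NEGOTIATE) and Type 3 (AUTHENTICATE) messages, using the field layout from MS-NLMP. It builds its own constructed messages: a Type 1 with no domain, as IE sends it, a Type 1 with the domain, as Firefox sends it, and a Type 3 whose LM/NT challenge responses are placeholder zero bytes (no real password hashing is done). The domain name `CORP`, user `alice` and workstation `WS01` are invented for the demonstration. The point it shows: a passthrough implementation must not pick a domain controller from the Type 1 message alone, because the domain descriptor may be empty; the Type 3 message always carries the domain the user actually logs on to.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE = 1      # Type 1
AUTHENTICATE = 3   # Type 3

# NegotiateFlags bits (MS-NLMP 2.2.2.5); only the ones this example needs.
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_OEM = 0x00000002
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED = 0x00001000
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED = 0x00002000


def _read_field(msg, fields_offset):
    """Read a (Len, MaxLen, BufferOffset) descriptor and return the bytes it points to."""
    length, _max_len, offset = struct.unpack_from("<HHI", msg, fields_offset)
    if length == 0:
        return b""
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]


def encode_header(msg):
    """Wrap raw message bytes as the value of an 'Authorization: NTLM ...' header."""
    return "NTLM " + base64.b64encode(msg).decode("ascii")


def decode_header(value):
    """Turn an 'Authorization: NTLM <base64>' header value back into raw message bytes."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM authorization header")
    msg = base64.b64decode(b64)
    if msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    return msg


def message_type(msg):
    return struct.unpack_from("<I", msg, 8)[0]


def domain_from_type1(msg):
    """Domain from a NEGOTIATE_MESSAGE, or None when the client supplied none (IE's behaviour).
    Layout: sig(8) type(4) flags(4) DomainNameFields(8) WorkstationFields(8) ... ; domain is OEM text."""
    if message_type(msg) != NEGOTIATE:
        raise ValueError("not a Type 1 message")
    flags = struct.unpack_from("<I", msg, 12)[0]
    if not flags & NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED:
        return None
    return _read_field(msg, 16).decode("ascii", "replace") or None


def domain_from_type3(msg):
    """Domain from an AUTHENTICATE_MESSAGE; string encoding follows the UNICODE flag.
    Layout: sig(8) type(4) LmResp(8) NtResp(8) DomainName(8) UserName(8) Workstation(8) SessKey(8) flags(4)."""
    if message_type(msg) != AUTHENTICATE:
        raise ValueError("not a Type 3 message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    return _read_field(msg, 28).decode(enc, "replace") or None


def pick_domain(type1, type3):
    """Use the Type 1 domain if the client sent one; otherwise defer to the Type 3 message."""
    return domain_from_type1(type1) or domain_from_type3(type3)


# --- constructed messages for the demonstration (not captured from a real client) ---

def build_type1(domain=None, workstation=None):
    """NEGOTIATE_MESSAGE without the optional Version field; domain/workstation are OEM strings."""
    flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_OEM | NTLMSSP_NEGOTIATE_NTLM
    dom = domain.encode("ascii") if domain else b""
    wks = workstation.encode("ascii") if workstation else b""
    if dom:
        flags |= NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
    if wks:
        flags |= NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
    fixed = 32  # size of the fixed header; payload starts right after it
    hdr = NTLMSSP_SIGNATURE + struct.pack("<II", NEGOTIATE, flags)
    hdr += struct.pack("<HHI", len(dom), len(dom), fixed)
    hdr += struct.pack("<HHI", len(wks), len(wks), fixed + len(dom))
    return hdr + dom + wks


def build_type3(domain, user, workstation, lm_resp=b"\x00" * 24, nt_resp=b"\x00" * 24):
    """AUTHENTICATE_MESSAGE with placeholder challenge responses and no Version/MIC fields."""
    flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM
    bufs = [lm_resp, nt_resp, domain.encode("utf-16-le"), user.encode("utf-16-le"),
            workstation.encode("utf-16-le"), b""]  # last buffer: encrypted session key (none)
    hdr = NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE)
    offset, payload = 64, b""   # 64 = fixed header size with six descriptors and the flags word
    for b in bufs:
        hdr += struct.pack("<HHI", len(b), len(b), offset)
        offset += len(b)
        payload += b
    return hdr + struct.pack("<I", flags) + payload


if __name__ == "__main__":
    ie_type1 = build_type1()                    # IE: no domain in Type 1
    ff_type1 = build_type1("CORP", "WS01")      # Firefox: domain present in Type 1
    type3 = build_type3("CORP", "alice", "WS01")
    print("IE  Type 1 domain:", domain_from_type1(ie_type1))   # None
    print("FF  Type 1 domain:", domain_from_type1(ff_type1))   # CORP
    print("Type 3 domain    :", domain_from_type3(type3))      # CORP
    print("chosen (IE)      :", pick_domain(decode_header(encode_header(ie_type1)), type3))
```

Because the domain is only guaranteed in Type 3, a server that forwards the challenge/response to a domain controller has to either obtain the challenge from a DC that can authenticate any of the trusted domains, or hold the connection state until the Type 3 message arrives before choosing where to forward it. The parser above treats a zero-length descriptor and an unset `OEM_DOMAIN_SUPPLIED` flag the same way (no domain), which is the case the question describes.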