Group Policy and Internet Explorer's Site to Zone assignment issues?
We are using GPO to apply Site to Zone assignments for our users so that we can add some specific addresses into their Internet Explorer's Intranet and Trusted zones.
Using the Site to Zone GPO setting I have set up:
*.domain.com 1
The "domain.com" is our internal domain so I want anywebsite.domain.com to be treated as an intranet site to allow for SSO authentication to some of these websites that support it.
However this does not seem to work, adding *.domain in the local intranet zone prompts for a password when trying to hit websites that make use of SSO.
When I add the complete address of the internal site that prompts for a password "mywebsite.domain.com" to the local intranet zone then SSO works and the user is not prompted for a password.
I am trying to set this up so we don't always have to add websites into this GPO setting and wait for it to apply on client computers, etc. Instead, we would use *.domain.com to cover any subdomain.
Why can't we use wildcards in the site to zone assignment for local intranet, or is my syntax incorrect?
To recap, a setting like this does not allow SSO:
This works:
mywebsite.domain.com 1
support.domain.com 1
The number "1" is the zone assignment, in this case "Local Intranet Zone" in Internet Explorer.
- group-policy
- authentication
- internet-explorer
- single-sign-on
- Does it work if you use domain.com not *.domain.com? – Greg Askew Commented May 7, 2015 at 15:54
- I have not tried, I figured it may need the wildcard to cover all sub-domains; will try this. – user146882 Commented May 7, 2015 at 16:20
- That did not work as well; changing *.domain.com to domain.com has no effect – user146882 Commented May 7, 2015 at 16:49
- Is the problem that the site is not showing in the Intranet zone, or that SSO is not working for that site when it is in the Intranet zone? – Greg Askew Commented May 7, 2015 at 16:50
- Did you add http:// or https:// in front of *.domain.com? Did IE recognize host.domain.com as intranet (in status bar)? – strongline Commented May 7, 2015 at 16:50
Easy thing. Just say http://*.DOMAIN.COM 1
*.domain.com isn't enough.
- this worked, added a record for http://*.domain.com, https://*.domain.com, and *.domain.com as local intranet zone (1), tested via IE and SSO works; now I can take out the mymanysubdomains.domain.com out of the GPO :) Thanks!! – user146882 Commented May 7, 2015 at 19:13
techlauve.com – a knowledge base for IT professionals.
Adding Sites to Internet Security Zones Using Group Policy
Sometimes it is useful to leverage the power of Group Policy in Active Directory to add sites to certain security zones in Internet Explorer. This can save the network admin the trouble of managing the security zone lists for each computer (or user) separately. In the following example, each user on the network needs to have a specific site added to the Trusted Sites list.
This tutorial assumes that group policy is in good working order on the domain and that all client users and computers can access the directory.
- Open the Group Policy Management MMC console.
- Right-click the organization unit (OU) that the policy should apply to, taking special care to consider whether the policy should apply to computers or users on this particular network.
- Select “Create and Link a GPO Here…” to create a new group policy object.
- In the “New GPO” window, enter a good, descriptive name for this new policy and click “OK”. (ex. “Trusted Sites Zone – Users” or something even more descriptive)
- Locate the newly created GPO in the left-side navigation pane, right-click it and select “Edit…”
- Expand “Administrative Templates” under either “Computer Configuration” or “User Configuration” depending on which type of OU the new policy was linked to in step 2.
- The path to the settings that this example will be using is: Administrative Templates -- Windows Components -- Internet Explorer -- Internet Control Panel -- Security Page
- In the right-hand pane, double-click “Site to Zone Assignment List”.
- Enable the policy and click the “Show…” button next to “Enter the zone assignments here.” This will pop up the “Show Contents” window.
- Click the “Add…” button. This will pop up the “Add Item” window.
- In the first box, labeled “Enter the name of the item to be added:”, enter the URL to the site (ex. https://secure.ourimportantwebapp.com). Keep in mind that wildcards can be used (ex. https://*.ourimportantdomain.com). Leave off any trailing slashes or sub-folders unless that type of specific control is called for.
- 1 – Intranet Zone
- 2 – Trusted Sites Zone
- 3 – Internet Zone
- 4 – Restricted Sites Zone
- Once the zone assignment has been entered, click “OK”. This will once again show the “Show Contents” window and the new entry should be present.
- Click “OK” and “OK” again to get back to the Group Policy Management Console.
The new policy will take effect at the next group policy refresh interval, which is usually 15 minutes. To test immediately, run a gpupdate /force on a user/computer that falls into the scope of the new policy and go to “Tools -> Internet Options -> Security -> Trusted Sites -> Sites”. The site(s) added should be in the list. If the sites do not show up, check the event logs for any group policy processing errors.
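To check what was actually applied without opening Internet Options, the assignments can be read back from the registry. The script below is an added example, not part of the original tutorial; it assumes the policy is stored under the `ZoneMapKey` policy key shown in the code, `Test-ZoneEntry` is a hypothetical helper name, and the sample entries are constructed from the examples on this page.

```powershell
# Added example. Zone numbers as listed in the tutorial above.
$ZoneNames = @{ 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

# Hypothetical helper: label one assignment and note anything worth a second look.
function Test-ZoneEntry {
    param([string]$Site, [string]$Zone, [string]$Source)
    $notes = @()
    $zoneNumber = 0
    $valid = [int]::TryParse($Zone, [ref]$zoneNumber) -and $ZoneNames.ContainsKey($zoneNumber)
    if (-not $valid) { $notes += 'zone value is not 1-4' }
    # Wildcards in zones 1 and 2 extend relaxed settings (SSO in the Intranet zone)
    # to every host that matches, including hosts created later.
    if ($valid -and $zoneNumber -le 2 -and $Site.Contains('*')) {
        $notes += 'wildcard in a privileged zone: confirm every matching host is trusted'
    }
    # The tutorial says to leave off trailing slashes and sub-folders.
    $hostPart = $Site -replace '^[a-z][a-z0-9+.-]*://', ''
    if ($hostPart.Contains('/')) { $notes += 'contains a path or trailing slash' }
    $zoneLabel = $Zone
    if ($valid) { $zoneLabel = $ZoneNames[$zoneNumber] }
    [pscustomobject]@{
        Source = $Source
        Site   = $Site
        Zone   = $zoneLabel
        Notes  = $notes -join '; '
    }
}

# Assumed storage location of the policy (user and computer configuration).
$policyKeys = @(
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)
$results = @(foreach ($keyPath in $policyKeys) {
    if (-not (Test-Path $keyPath)) { continue }
    $key = Get-Item $keyPath
    foreach ($name in $key.GetValueNames()) {
        Test-ZoneEntry -Site $name -Zone ([string]$key.GetValue($name)) -Source $keyPath
    }
})
# Constructed sample entries, based on the examples on this page.
$sample = [ordered]@{
    'https://*.ourimportantdomain.com'       = '2'
    '*.domain.com'                           = '1'
    'https://secure.ourimportantwebapp.com/' = '2'
}
$results += foreach ($site in $sample.Keys) {
    Test-ZoneEntry -Site $site -Zone $sample[$site] -Source 'constructed sample'
}
$results | Format-List
```

Run it as the affected user after `gpupdate /force`; entries whose Source is a registry path came from Group Policy, and the constructed rows can be deleted once real entries appear.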