I'm building an Intranet Web app to track our company's purchase orders. I
would like to have the employees use the app without being prompted for a
user name and pw, hoping to catch their identities from their Windows account.

Since it's an Intranet app, I'm using Windows authentication, and denying
anonymous access.
Here are the web.config settings for authentication and authorization:
<authentication mode="Windows" />
<identity impersonate="true"/>
<authorization>
<deny users="?" /> <!-- Allow all users -->
</authorization>

In my Page_load event, I am able to get the user's identity once he logs in
to the app, and then I pass that identity to a SQL Server db to retrieve
other info about the employee.

   Private Sub Page_Load(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles MyBase.Load
       
       If Not Page.IsPostBack Then
           Dim wp As WindowsPrincipal
           If Page.User.Identity.IsAuthenticated AndAlso TypeOf
User.Identity Is WindowsIdentity Then
               
               Try
                   wp = DirectCast(Page.User, WindowsPrincipal)
                   Session("FullDomainName") = wp.Identity.Name

                   'Check for valid employee in SQL Server db.
                   If IsValidEmployee(Session("FullDomainName"),
Session("ConnectStringSQL")) Then
                    'Welcome the user.
                    lblUser.Text = "Welcome " & Session("FirstName") & " "
& Session("LastName") & "!"
                   
                    Catch ex As Exception
                   lblError.Text = ex.Message
                   imbCreatePO.Visible = False
                   imbTrackPO.Visible = False
                   imbApprovePO.Visible = False
               End Try

           End If
       End If
     End If
   End Sub

What am I missing that is causing the app to display the prompt for a user
name and password? Shouldn't it recognize that the employee is already logged
in to Windows?