Re: 401 - Error from WebServer

From: Chris (chrisadonline@microsoft.com)
Date: 10/09/02


From: chrisadonline@microsoft.com ("Chris")
Date: Wed, 09 Oct 2002 20:10:27 GMT


Hey..
 
This is normal if you have anonymous authentication disabled and are using
Basic and\or NTLM. The authentication handshake assumes anonymous first
(no matter the setting) and the browser depends on IIS to respond with the
correct WWW-Authenticate header.

If anonymous is disabled, IIS will send in the header the correct methods
to use like Basic, Negotiate (for Kerberos), or NTLM for NTLM. With that
said, you should always see a 401.1 Login Failed in your logs for any
content that is not using anonymous and then a subsequent authenticated log
entry with the username. This is all by design.

Here is the article that discusses this...

Q264921 INFO: How IIS Authenticates Browser Clients
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q264921

HTH,

~Chris
Microsoft IIS Technical Lead

“Please do not send email directly to this alias. This is our online
account name for newsgroup participation only.”

This posting is provided “AS IS” with no warranties, and confers no rights.
You assume all risk for your use. © 2001 Microsoft Corporation. All rights
reserved



Relevant Pages

  • Re: 401 error for user that used to logon fine
    ... Was over the Internet and you were right. ... > Why are you getting prompted by NTLM? ... How IIS Authenticates Browser Clients ... > Directory with Integrated Authentication ONLY -or- NTFS permissions ...
    (microsoft.public.inetserver.iis.security)
  • RE: ADS Password Storage Protection
    ... In Windows it is LM or NT (sometimes called NTLM) hashes. ... NTLMv2 refers to the authenication protocol that exchanges the hash ... between the client and server authentication database. ...
    (Security-Basics)
  • RE: Correct Domain User/Pass/Domain credentials rejected
    ... Authentication" checked vs. unchecked is that if it's unchecked, ... use NTLM or Kerberos, and Kerberos usually ends up being the winner. ... you can force IIS to only use NTLM: ...
    (microsoft.public.inetserver.iis.security)
  • Re: Relationship between IIS security and .NET AuthenticationManager
    ... Implementing NTLM on your own is hard - you have to program against the SSPI API - which is unmanaged ... just as IIS implements NTLM - you could write your own implementation in Cassini - ... HTTP-level authentication? ... security and AuthenticationManager security interrelate in the ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Integrated Windows Authentication Timeout?
    ... Is it possible that a different host name is being used for one of the subsequent requests that would break Kerberos auth? ... If you have "Negotiate" authentication set in the metabase, then this can still negotiate down to NTLM if for some reason the protocol thinks that Kerberos is unavailable. ... server. ...
    (microsoft.public.dotnet.framework.aspnet.security)