Re: XP Users Can't Access After Upgrade/Migration

From: Roger Abell [MVP] (
Date: 07/01/03

Date: Mon, 30 Jun 2003 23:46:09 -0700

There are a few things you can check, and just what one may
be operative will depend on what Bernard has asked, and also
possibly on whether the webserver and/or clients are within an
uplevel domain or are being used stand-alone or with local login.

The following are all to be found in the group policy effective
for the machines, and are worth checking if the IIS is set to
allow Windows authentication and the browser is IE
First, XP Pro tends for some incomprehensible reason to not
   come by default set to do NTLM v2. If you check in the local
   security settings within policy you may find it is set (at least
   initially) to use LM and NTLM . This is a problem if the W2k
   is set to only use NTLM v2 and you are using Windows
   authentication on the IIS.
Second, if the above does not fix you up, examine the settings
   on client and server, for signing digital communications. If you
   find them such that server requires, or tries, and client will always
   or if server agrees, basically any combo so that they will come
   up with a negotiation to use digital signing, then this can be the
   problem if the XP is at Sp1 and W2k at Sp3 or 2. Try setting
   so that they will not agree to digitally sign communications.
   I am hoping this is fixed with W2k Sp4 but I have not had time
   to investigate.


"Rick" <> wrote in message
> We have a website that is running IIS 4 and Windows NT 4 server. I
> the website to IIS5 Windows 2000 server. The website authenticates
> from the web server to a midrange box.
> There is the problem:
> Users with Windows XP can not login to the website after moving the
> to IIS 5 and W2K server (NT workstations works fine) .
> The same website running on IIS4 and NT 4 server allows both users with XP
> and NT workstations to authenticate. Its not a rights issue because the
> same users on different OS seem to encounter problems when try to
> authenticate for via the XP OS. Any ideas ? The IIS settings are exactly
> the same on both IIS 4 and IIS 5. I even drilled down to the file leave
> security. The obvious difference is between IIS 4 vs. IIS 5 and NT4
> vs. W2K server.

Relevant Pages

  • Re: Integrated Windows Authentication Timeout?
    ... Do you see anything different for the NTLM requests? ... You might consider enabling protocol transition authentication since you are ... Joe Kaplan-MS MVP Directory Services Programming ... server. ...
  • Re: OK, I must be retarded or something...
    ... Here is what I have now in my settings now ... Tab ... Do I need to do something with POP3 Virtual Server? ... You can't disable anonymous authentication, as that is what all other ...
  • Re: Integrated Windows Authentication Timeout?
    ... Is it possible that a different host name is being used for one of the subsequent requests that would break Kerberos auth? ... If you have "Negotiate" authentication set in the metabase, then this can still negotiate down to NTLM if for some reason the protocol thinks that Kerberos is unavailable. ... server. ...
  • Re: Integrated authentication and IE proxy settings
    ... ISA server for all requests. ... Check your Netowrks/Internal/Properites/Web Browser settings. ... IE Options/Advanced/Enable Integrated Windows Authentication is ...
  • Re: Integrated authentication and IE proxy settings
    ... IE Options/Connections/LAN Settings/Proxy Server points to a specific IP ... IE Options/Advanced/Enable Integrated Windows Authentication is checked. ... I reset IE Security level to default for all zones - still prompts. ... This behavior is governed by the security settings of IE. ...