RE: Correct Domain User/Pass/Domain credentials rejected
From: Lisa Cozzens [MSFT] (lcozzens_at_online.microsoft.com)
Date: Thu, 31 Jul 2003 22:59:33 GMT
The big difference between having "Enable Windows Integrated
Authentication" checked vs. unchecked is that if it's unchecked, IE always
uses NTLM to authenticate. If it's checked, IE and IIS negotiate whether to
use NTLM or Kerberos, and Kerberos usually ends up being the winner. So if
things work with that box unchecked but not with it checked, I would
suspect something is going on with Kerberos.

Alternatively, you can force IIS to only use NTLM:

215383 HOW TO: Configure IIS to Support Both Kerberos and NTLM

Again, if forcing NTLM makes everyone work, I'd suspect Kerberos is the

You can verify this by turning on logon auditing on the IIS server. Make
sure you log both success and failure. You'll be able to see the
authentication package used (NTLM vs. Kerberos). If all the NTLM logons are
successes and all the Kerberos logons are failures... well, then that
supports the hypothesis that Kerberos is the issue.

Is the server up-to-date on all its patches? I've seen unexplainable
Kerberos failures due to...

318225 IIS May Return HTTP Status 401 Every 30 Days When You Use Kerberos

...but that was fixed in SP3.

Also, try entering the username/password three times. You should receive a
more detailed error message, including an error code probably starting with
a 401 or 403. I would suspect it's a 401.1 Login Failed, but I could be
wrong, and it's worth verifying. That error message could point you towards
the actual source of the problem, e.g. if you get a 401.3 Access denied due
to ACL on resource, you'll want to check user rights and NTFS permissions.
Hope this helps,
> I have several clients of two web based systems who are being prompted
> a popup for their name and password for a website. This is fine since it
> was configured in this way. The problem is that they (and on some
> myself) put in the proper credentials Username - Password - Domain and it
> doesn't take it. Yes, I know I typed it in correctly, and so did these
> users. We are all on IE6, and I unchecked "Enable Windows Integrated
> Authentication" and on most of us, this solved the problem.
> The users are configured to have to NOT log on automatically, we are not
> implementing Single Signon. So we don't mind the popup asking for the
> password, just that it rejects perfectly good credentials.
> Why, if the user is putting in the correct username/password/domain, are
> they being rejected? They use the same information to log on to their
> machines with no problem. Where is the break in the validation: the IE6
> settings, the proxy, the Domain Controller, Kerberos, or IIS itself?
> If anyone with any insight on this mystery would be so kind as to post a
> reply, I would be most appreciative.
This posting is provided "AS IS" with no warranties, and confers
no rights. You assume all risk for your use.
© 2003 Microsoft Corporation. All rights reserved.
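
The logon-audit check described in the reply above, as an added example that is not part of the original posting: it tallies logon events by authentication package and outcome and reports whether the "NTLM always succeeds, Kerberos always fails" pattern holds. The CSV layout (EventID, AuthPackage, User), the sample rows and the function names are constructed for illustration; the event IDs are the standard Security-log logon success and failure IDs.

```python
import csv
import io
from collections import Counter

# Logon events: Windows 2000/2003-era IDs plus the later 4624/4625 scheme.
SUCCESS_IDS = {528, 540, 4624}
FAILURE_IDS = set(range(529, 538)) | {539, 4625}

# MSV1_0 implements NTLM; some events show the package under its long name.
PACKAGES = {"ntlm": "NTLM", "kerberos": "Kerberos",
            "microsoft_authentication_package_v1_0": "NTLM"}

def normalize(pkg):
    """Map a logged package name to a stable label."""
    key = (pkg or "").strip().lower()
    return PACKAGES.get(key, (pkg or "").strip() or "Unknown")

def tally(csv_text):
    """Count (package, outcome) pairs; non-logon events are skipped."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            event_id = int(row["EventID"])
        except (KeyError, TypeError, ValueError):
            continue  # malformed row
        if event_id in SUCCESS_IDS:
            outcome = "success"
        elif event_id in FAILURE_IDS:
            outcome = "failure"
        else:
            continue  # e.g. 538 is a logoff, not a logon attempt
        counts[(normalize(row.get("AuthPackage")), outcome)] += 1
    return counts

def kerberos_suspect(counts):
    """True if every NTLM logon succeeded and every Kerberos logon failed."""
    return (counts[("NTLM", "success")] > 0 and counts[("NTLM", "failure")] == 0
            and counts[("Kerberos", "failure")] > 0
            and counts[("Kerberos", "success")] == 0)

# Constructed sample export, not real log data.
SAMPLE = ("EventID,AuthPackage,User\n540,NTLM,alice\n529,Kerberos,alice\n"
          "529,Kerberos,bob\n540,MICROSOFT_AUTHENTICATION_PACKAGE_V1_0,bob\n"
          "538,Kerberos,bob\n4625,kerberos,carol\n4624,NTLM,carol\n")

if __name__ == "__main__":
    result = tally(SAMPLE)
    for (pkg, outcome), n in sorted(result.items()):
        print(f"{pkg:10} {outcome:8} {n}")
    print("Kerberos suspected:", kerberos_suspect(result))
```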