RE: Correct Domain User/Pass/Domain credentials rejected

From: Lisa Cozzens [MSFT] (lcozzens_at_online.microsoft.com)
Date: 08/01/03


Date: Thu, 31 Jul 2003 22:59:33 GMT


The big difference between having "Enable Windows Integrated
Authentication" checked vs. unchecked is that if it's unchecked, IE always
uses NTLM to authenticate. If it's checked, IE and IIS negotiate whether to
use NTLM or Kerberos, and Kerberos usually ends up being the winner. So if
things work with that box unchecked but not with it checked, I would
suspect something is going on with Kerberos.

Alternatively, you can force IIS to only use NTLM:
215383 HOW TO: Configure IIS to Support Both Kerberos and NTLM
Authentication
http://support.microsoft.com/?id=215383
Again, if forcing NTLM makes everyone work, I'd suspect Kerberos is the
problem.

You can verify this by turning on logon auditing on the IIS server. Make
sure you log both success and failure. You'll be able to see the
authentication package used (NTLM vs. Kerberos). If all the NTLM logons are
successes and all the Kerberos logons are failures... well, then that
supports the hypothesis that Kerberos is the issue.

Is the server up-to-date on all its patches? I've seen unexplainable
Kerberos failures due to...
318225 IIS May Return HTTP Status 401 Every 30 Days When You Use Kerberos
http://support.microsoft.com/?id=318225
...but that was fixed in SP3.

Also, try entering the username/password three times. You should receive a
more detailed error message, including an error code probably starting with
a 401 or 403. I would suspect it's a 401.1 Login Failed, but I could be
wrong, and it's worth verifying. That error message could point you towards
the actual source of the problem, e.g. if you get a 401.3 Access denied due
to ACL on resource, you'll want to check user rights and NTFS permissions.

Hope this helps,
Lisa

--------------------
> Hello,
>
> I have several clients of two web based systems who are being prompted
> with a popup for their name and password for a website. This is fine since
> it was configured in this way. The problem is that they (and on some
> machines myself) put in the proper credentials Username - Password - Domain and it
> doesn't take it. Yes, I know I typed it in correctly, and so did these
> users. We are all on IE6, and I unchecked "Enable Windows Integrated
> Authentication" and on most of us, this solved the problem.
>
> The users are configured to have to NOT logon automatically, we are not
> implementing Single Signon. So we don't mind the popup asking for the
> password, just that it rejects perfectly good credentials.
>
> Why, if the user is putting in the correct username/password/domain, are
> they being rejected? They use the same information to log on to their
> machines with no problem. Where is the break in the validation: the IE6
> settings, the proxy, the Domain Controller, Kerberos, or IIS itself?
>
> If anyone with any insight on this mystery would be so kind as to post a
> reply, I would be most appreciative.
>
> Thanks,
>
> D.
>
>
>

-----
This posting is provided "AS IS" with no warranties, and confers
no rights. You assume all risk for your use.
© 2003 Microsoft Corporation. All rights reserved.
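
The logon-auditing check suggested in the reply above can be scripted. This is an added example, not part of the original post: it tallies logon events by authentication package and outcome from Security log records exported as XML. The event IDs (4624/4625), the field names, the logon type 3 filter and the sample records are assumptions taken from current Windows versions or constructed for illustration; the post itself names no event IDs.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumption: logon success/failure event IDs of current Windows versions.
OUTCOME = {"4624": "success", "4625": "failure"}

def make_event(event_id, package, logon_type="3"):
    """Build one constructed Security event, trimmed to the fields used here."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
        f'<EventData><Data Name="LogonType">{logon_type}</Data>'
        f'<Data Name="AuthenticationPackageName">{package}</Data></EventData></Event>'
    )

# Constructed sample, not real log data: three NTLM successes, two Kerberos
# failures, and one interactive (type 2) logon that must be ignored.
SAMPLE = "<Events>" + "".join([
    make_event(4624, "NTLM"), make_event(4624, "NTLM"), make_event(4624, "NTLM"),
    make_event(4625, "Kerberos"), make_event(4625, "Kerberos"),
    make_event(4624, "Negotiate", logon_type="2"),
]) + "</Events>"

def tally(xml_text, logon_type="3"):
    """Count (package, outcome) pairs for network logons (type 3 by default)."""
    counts = Counter()
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        outcome = OUTCOME.get(ev.findtext("e:System/e:EventID", namespaces=NS))
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.findall("e:EventData/e:Data", NS)}
        if outcome is None or data.get("LogonType") != logon_type:
            continue  # not a logon event, or not a network logon
        package = data.get("AuthenticationPackageName") or "unknown"
        counts[(package, outcome)] += 1
    return counts

def kerberos_suspected(counts):
    """True when every NTLM logon succeeded and every Kerberos logon failed."""
    return (counts[("NTLM", "success")] > 0 and counts[("NTLM", "failure")] == 0
            and counts[("Kerberos", "failure")] > 0
            and counts[("Kerberos", "success")] == 0)

if __name__ == "__main__":
    result = tally(SAMPLE)
    for (package, outcome), n in sorted(result.items()):
        print(f"{package:10s} {outcome:8s} {n}")
    print("Kerberos suspected:", kerberos_suspected(result))
```

To run it against real data, pass `tally` the text of a Security log export in which the `Event` records sit under a single root element.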


