Re: Strange auth denial with IE Integrated Security and IIS; but not Firefox, Netscape

From: Bernard (qbernard_at_hotmail.com.discuss)
Date: 12/02/04


Date: Thu, 2 Dec 2004 12:57:09 +0800

As pointed out earlier -
by default, if the key is missing then the value is
'Negotiate,NTLM'

You can't configure this in IIS MMC, but via adsutil.vbs

-- 
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"Kwan Lim" <speedsticko@hotmail.com> wrote in message
news:55ba83bd.0412011359.3c3667e4@posting.google.com...
> Can someone explain why "NTAuthenticationProviders" would be missing
> from the Metabase?
>
> I had a problem where users would not be able to authenticate even
> though I turned on Windows Authentication and configured my ASP.Net
> app to use impersonation.
>
> Only after adding "NTAuthenticationProviders" and setting it to NTLM
> were users able to log on.
>
> I don't have much knowledge about this. I only stumbled on this after
> finding the Metabase Explorer and comparing sites that worked and
> sites that didn't.
> So another question is, how would I set "NTAuthenticationProviders"
> through the IIS Manager?
>
> Thanks,
> Kwan
>
> "Bernard" <qbernard@hotmail.com.discuss> wrote in message
> news:<ewXkQ9e0EHA.2192@TK2MSFTNGP14.phx.gbl>...
> > Thanks :)
> >
> > And yes - by default there's no entry for
> >  "NTAuthenticationProviders".
> >
> > It should be 'Negotiate,NTLM' if it's default.
> > -- 
> > Regards,
> > Bernard Cheah
> > http://www.tryiis.com/
> > http://support.microsoft.com/
> > http://www.msmvps.com/bernard/
> >
> >
> >
> > "Kevin C" <kc@noneya.com> wrote in message
> > news:eG4UMXe0EHA.2016@TK2MSFTNGP15.phx.gbl...
> > > You were pretty close on the money with your post about:
> > >  "What I suspect is Kerberos auth failed, when the "Enable Windows
> > > Integrated Authentication" is on. IE will force kerberos auth, without it,
> > > it will pick NTLM if kerberos failed."
> > >
> > > Excuse me if I go off in a dream world - I just took an Ambien to help me
> > > sleep ;)
> > >
> > > We are on AD.  By default when a machine is added to the AD the machine's
> > > LOCAL and NETWORK service accounts are registered with AD. These are
> > > obviously the accounts that are targeted to run asp.net web apps by default.
> > > By being registered with AD those two accounts can be authenticated by AD
> > > from that machine.  Since I am using a custom account, AD does not have an
> > > SPN registered for that user account so auth fails.
> > >
> > > I don't have domain admin rights so I took another route and forced NTLM
> > > security checks - did this by modifying the metabase.  This of course
> > > happens between the two machines and not AD.  Nevertheless, the parties in
> > > place can determine authorization.
> > >
> > > But had I asked a Domain Admin to run the spnreg utility for the domain
> > > account I was trying to use I am confident it would have also worked. The
> > > devil was in the details of this article.
> > >
> > > http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/ca_cfgwrkridentity.asp
> > >
> > > But here was another weird thing.  When I open up the web site's metabase
> > > there was not an entry for "NTAuthenticationProviders".  I believe that
> > > falls back to Kerberos only in IIS6 (but don't quote me).   So, in order to
> > > force NTLM (like I mentioned above) I just added
> > > "NTAuthenticationProviders" : "NTLM"
> > >
> > > Does this make sense?
> > >
> > > Kevin Cunningham [SARK]
> > >
> > >
> > > ... I just read the article a day too late :^<
> > >
> > >

