Phenomenon: The site is configured for AD integrated (Windows) authentication, but when you access it the browser still prompts for an account and password. After three attempts an error is returned.
Solution: in C:\Inetpub\Adminscripts run the following to change the authentication mechanism: cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
The Microsoft KB article reads as follows:
http://support.microsoft.com/kb/871179
Error message when you try to access a web site that is part of an IIS 6.0 application pool: "HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials"
Symptoms
When you try to access a Microsoft Internet Information Services (IIS) 6.0 web site that is configured to use only integrated Windows authentication, you are prompted for user credentials. When you try to log on, you receive another logon prompt. After three logon attempts, you receive the following error message:
HTTP error 401.1 – unauthorized: Access denied due to invalid credentials.
Cause
This problem can occur if:
· The IIS 6.0 web site is part of an IIS application pool.
· The application pool runs under a local account or a domain user account.
· The web site is configured to use only integrated Windows authentication.
In this case, Kerberos authentication may not work when integrated Windows authentication attempts to use Kerberos. To use Kerberos authentication, the service must register the service principal name (SPN) of the service under the account in the Active Directory directory service that is used to run the service. By default, Active Directory registers the network basic input/output system (NetBIOS) computer name. Active Directory also permits the Network Service account and the Local System account to use Kerberos. A site that runs under any other account therefore has no matching HTTP SPN, Kerberos fails, and the repeated prompts follow.
Resolution
If this problem occurs while the application pool runs under a local account, follow the steps in the Alternative methods section. To resolve this problem when the application pool runs under a domain user account, set the HTTP SPN with both the NetBIOS name and the fully qualified domain name (FQDN) of the IIS server on the domain user account that is used to run the application pool. To do this, follow these steps on the domain controller:
Important: an SPN can be associated with only one account. Therefore, if you use this resolution, any other application pool on the same server that runs under a different domain user account cannot be used with only integrated Windows authentication.
1. Install the setspn.exe tool. To obtain the Microsoft Windows 2000 version of this tool, visit the following Microsoft web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=5fd831fd-ab77-46a3-9cfe-ff01d29e5c46&displaylang=en
The Microsoft Windows Server 2003 version of the setspn.exe command-line tool is provided in the Windows Server 2003 Support Tools, which are included on the Windows Server 2003 CD. To install these tools, double-click the Suptools.msi file in the Support\Tools folder.
2. Open a command prompt window and change to setspn.exe’s installation directory.
At the command prompt, type the following commands. After you type each command, press ENTER:
setspn.exe -a http/IIS_computer's_NetBIOS_name DomainName\UserName
setspn.exe -a http/IIS_computer's_FQDN DomainName\UserName
Note: UserName is the user account that is used to run the application pool.
After setting the SPN of the HTTP service to the domain user account used to run the application pool, you can successfully connect to the web site without prompting you for user credentials.
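The SPN registration above as a script, added here as an example and not part of the KB article. Before calling setspn.exe it queries Active Directory for any account that already holds each SPN, because a duplicate SPN (the situation the note above warns about) breaks Kerberos for both accounts without any clear error, and the Windows 2000/2003 setspn -a does not check for duplicates. Assumptions: PowerShell on a domain-joined machine with setspn.exe in PATH, an account permitted to write servicePrincipalName, a single domain, and the placeholder names WEB01, web01.corp.example.com and CORP\svc-apppool.

```powershell
# Added example (not from the KB article): register the HTTP SPNs for the
# application-pool identity, refusing to create a duplicate SPN.
# Assumptions: domain-joined machine, setspn.exe in PATH, single domain,
# and the host/account names below are placeholders.
param(
    [string]$IisHost     = "WEB01",                  # NetBIOS name of the IIS server
    [string]$IisFqdn     = "web01.corp.example.com", # FQDN of the IIS server
    [string]$PoolAccount = "CORP\svc-apppool"        # app-pool identity, DOMAIN\user
)

# Return the sAMAccountName of every account that holds the given SPN.
function Find-SpnOwner {
    param([string]$Spn)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
    $searcher.FindAll() | ForEach-Object { $_.Properties["samaccountname"][0] }
}

# Both forms are needed: IE falls back to the NetBIOS name after its DNS cache expires.
$spns = @("http/$IisHost", "http/$IisFqdn")
$sam  = $PoolAccount.Split('\')[-1]

foreach ($spn in $spns) {
    $owners = @(Find-SpnOwner $spn)
    if ($owners.Count -gt 0 -and $owners -notcontains $sam) {
        # Another account already holds this SPN; adding it again would make the
        # KDC choose between two principals and Kerberos would fail for both.
        throw "$spn is already registered to $($owners -join ', '); resolve the duplicate first."
    }
    if ($owners -contains $sam) {
        Write-Host "$spn is already registered to $sam"
        continue
    }
    & setspn.exe -a $spn $PoolAccount
    if ($LASTEXITCODE -ne 0) { throw "setspn.exe failed for $spn" }
}

# Verify, as the KB's final step does, by listing the SPNs now held by the account.
& setspn.exe -L $PoolAccount
```

Run it from an elevated PowerShell prompt on the domain controller or any domain-joined machine with the Support Tools installed; the LDAP check uses the current domain, so for a multi-domain forest point the DirectorySearcher at the global catalog instead.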
Alternative methods
If you have multiple application pools that run under different domain user accounts and you want to use only integrated Windows authentication, you must force IIS to use NTLM as the authentication mechanism to resolve this issue. To do this, follow these steps on the server where IIS is running:
1. Open a command prompt window.
2. Locate and change the directory containing adsutil.vbs file. By default, this directory is C:\Inetpub\Adminscripts.
3. Type the following command, then press Enter:
cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
4. To verify that the NTAuthenticationProviders metabase attribute is set to NTLM, type the following command, and then press ENTER:
cscript adsutil.vbs get w3svc/NTAuthenticationProviders
The following text should be returned:
NTAuthenticationProviders : (STRING) "NTLM"
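An added example, not from the KB article, that performs the same change and verification through the IIS 6.0 ADSI provider that adsutil.vbs drives, and additionally lists the value at each web site. Metabase properties are inherited, so a site that has its own explicit NTAuthenticationProviders value keeps that value regardless of what is set at the W3SVC level, and the adsutil command above would not fix that site. It assumes PowerShell is installed on the IIS 6.0 server and runs as an administrator. Bear in mind that forcing NTLM gives up the mutual authentication Kerberos provides, so treat this as the fallback the article presents it as, not the preferred configuration.

```powershell
# Added example (not from the KB article): inspect and set NTAuthenticationProviders
# through the IIS 6.0 ADSI provider, the same interface adsutil.vbs uses.
# Assumption: run locally on the IIS 6.0 server from an elevated PowerShell prompt.
$w3svc = [ADSI]"IIS://localhost/W3SVC"

function Get-NtAuthProviders {
    param([System.DirectoryServices.DirectoryEntry]$Node)
    # Value visible at this node; an empty value means nothing is set here.
    $v = $Node.Properties["NTAuthenticationProviders"].Value
    if ($v) { [string]$v } else { "(inherited)" }
}

$serviceValue = Get-NtAuthProviders $w3svc
Write-Host "W3SVC (service level): $serviceValue"

# A site with its own explicit value that differs from the service level
# overrides it, so a change made at w3svc does not reach that site.
foreach ($site in $w3svc.Children) {
    if ($site.SchemaClassName -ne "IIsWebServer") { continue }
    $siteValue = Get-NtAuthProviders $site
    $comment   = [string]$site.Properties["ServerComment"].Value
    $flag = ""
    if ($siteValue -ne "(inherited)" -and $siteValue -ne $serviceValue) {
        $flag = "  <-- explicit site value, not affected by the W3SVC setting"
    }
    Write-Host "Site $($site.Name) ($comment): $siteValue$flag"
}

# Equivalent of: cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
if ($serviceValue -ne "NTLM") {
    $w3svc.Properties["NTAuthenticationProviders"].Value = "NTLM"
    $w3svc.CommitChanges()
    $w3svc.RefreshCache()   # re-read from the metabase, as adsutil.vbs get does
    Write-Host "W3SVC now: $(Get-NtAuthProviders $w3svc)"
}
```

For any site the script flags, apply the same change at that site's path (for example w3svc/1) or remove the site-level value so that it inherits from W3SVC again.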
Status
This behavior is by design.
More information
If you set the SPN by using only the FQDN of the server on which IIS is running, you are prompted for user credentials after 30 minutes. The 30-minute timeout is caused by the way Internet Explorer caches Domain Name System (DNS) information. After 30 minutes, Internet Explorer reverts to the NetBIOS name. Therefore, you must also make sure that the SPN is registered by using the NetBIOS name of the server on which IIS is running, so that you are not prompted for user credentials. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
263558 (http://support.microsoft.com/kb/263558/) How Internet Explorer uses the cache for DNS host entries
To verify the registered SPN for the user account used to run the application pool, open a command prompt window, type the following command from the setspn.exe installation directory, and then press Enter:
setspn.exe -l UserName
A list of the SPNs that are registered for the user account is returned.