Phenomenon: The site was set up for AD integrated authentication, but visiting it prompted for an account and password, and after three failed attempts an error occurred.
Scenario: Running cscript adsutil.vbs set w3svc/ntauthenticationproviders "NTLM" under C:\Inetpub\Adminscripts changes the authentication mechanism.
The original text reads as follows:
http://support.microsoft.com/kb/871179
You receive an error message when you try to access a Web site that is part of an IIS 6.0 application pool: HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials
Symptoms
When you try to access a Microsoft Internet Information Services (IIS) 6.0 Web site that is configured to use Integrated Windows authentication only, you are prompted to enter user credentials. When you try to log on, you receive the logon prompt again. After three logon attempts, you receive the following error message:
HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.
Cause
This problem may occur if the following conditions are true:
· The IIS 6.0 Web site is part of the IIS application pool.
· The application pool runs under a local account or a domain user account.
· The Web site is configured to use integrated Windows authentication only.
In this case, Kerberos authentication may not work when Integrated Windows authentication attempts to use Kerberos. For Kerberos authentication to work, the service principal name (SPN) of the service must be registered in the Active Directory directory service under the account that the service runs as. By default, Active Directory registers the computer's network basic input/output system (NetBIOS) name, and it also allows Kerberos to be used by services that run under the Network Service or Local System account.
Solution
If this problem occurs when you run the application pool under a local account, follow the steps in the workaround section.
To resolve this issue when you run the application pool under a domain user account, set the HTTP SPN for both the NetBIOS name and the fully qualified domain name (FQDN) of the server that is running IIS on the domain user account that is used to run the application pool. To do this, follow these steps on the domain controller:
Important: The SPN for a service can be associated with only one account. Therefore, if you use this recommended resolution, any other application pools that run under a different domain user account cannot use Integrated Windows authentication only.
1. Install the Setspn.exe tool. To obtain the Microsoft Windows 2000 version of this tool, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?familyid=5fd831fd-ab77-46a3-9cfe-ff01d29e5c46&displaylang=en
The Windows Server 2003 version of the Setspn.exe command-line tool is included in the Windows Server 2003 Support Tools on the Windows Server 2003 CD. To install these tools, double-click the Suptools.msi file in the Support\Tools folder.
2. Open a Command Prompt window and change to the Setspn.exe installation directory.
3. At the command prompt, type the following commands. Press ENTER after you type each command:
Setspn.exe -a http/iis_computer's_netbios_name domainname\UserName
Setspn.exe -a http/iis_computer's_fqdn domainname\UserName
Note: UserName is the user account that is used to run the application pool.
After you set the SPN for the HTTP service on the domain user account that is used to run the application pool, you can connect to the Web site without being prompted for user credentials.
Workaround
To resolve this issue when you have multiple application pools running under different domain user accounts, you must force IIS to use NTLM as the authentication mechanism if you want to use Integrated Windows authentication only. To do this, follow these steps on the server that is running IIS:
1. Open a Command Prompt window.
2. Locate and then change to the directory containing the Adsutil.vbs file. By default, this directory is C:\Inetpub\Adminscripts.
3. Type the following command, and then press Enter:
cscript adsutil.vbs set w3svc/ntauthenticationproviders "NTLM"
4. To verify that the NTAuthenticationProviders metabase property is set to NTLM, type the following command, and then press Enter:
cscript adsutil.vbs get w3svc/ntauthenticationproviders
The following text should be returned:
NTAuthenticationProviders: (STRING) "NTLM"
Status
This behavior is by design.
More information
If you set the SPN by using only the FQDN of the server that is running IIS, you will be prompted for user credentials again after 30 minutes. Because of the way Internet Explorer caches Domain Name System (DNS) information, there is a 30-minute timeout: after 30 minutes, Internet Explorer reverts to the NetBIOS name. Therefore, you must also register the SPN by using the NetBIOS name of the server that is running IIS to avoid being prompted for user credentials. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
263558 How Internet Explorer uses caching for DNS host entries (http://support.microsoft.com/kb/263558/)
To verify the SPNs that are registered for the user account that is used to run the application pool, open a Command Prompt window, type the following command from the Setspn.exe installation directory, and then press Enter:
Setspn.exe -l UserName
A list of registered SPNs for the user account will be returned.
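As an added example (not from KB 871179 or from Microsoft), the following PowerShell script ties together the SPN steps in the Solution section and the 30-minute note in More information: it lists the SPNs on the application pool account with setspn -L and reports which of the two required HTTP SPNs (NetBIOS name and FQDN of the IIS server) is missing, printing the matching setspn -A command for each. The server names and the account name are placeholders.

```powershell
# Added example, not part of KB 871179. Checks which of the two HTTP SPNs
# (NetBIOS name and FQDN of the IIS server) are registered on the account
# that runs the application pool, and prints the setspn -A command for any
# that are missing. Uses only the -L and -A switches the article uses.
# All names below are placeholders; replace them with your own values.
param(
    [string]$IisNetbiosName = 'WEB01',               # placeholder
    [string]$IisFqdn        = 'web01.corp.example',  # placeholder
    [string]$PoolAccount    = 'CORP\svc_apppool'     # placeholder: domain\user running the pool
)

# Both SPNs are needed: Internet Explorer reverts to the NetBIOS name once
# its 30-minute DNS cache expires, so an FQDN-only SPN causes new prompts.
$required = @("HTTP/$IisNetbiosName", "HTTP/$IisFqdn")

# setspn -L lists every SPN registered on the account (the article's -l step).
$listing = & setspn.exe -L $PoolAccount 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Error "setspn.exe -L failed for ${PoolAccount}:`n$($listing -join "`n")"
    return
}

# Keep only lines that look like SPNs (service/host[:port]); the rest of the
# output is a header such as "Registered ServicePrincipalNames for ...".
$registered = $listing |
    ForEach-Object { $_.ToString().Trim() } |
    Where-Object  { $_ -match '^[A-Za-z0-9_-]+/[^\s]+$' }

# SPN comparison is case-insensitive, and so is -notcontains in PowerShell.
$missing = @($required | Where-Object { $registered -notcontains $_ })

if ($missing.Count -eq 0) {
    Write-Output "Both HTTP SPNs are registered on $PoolAccount."
    return
}

Write-Output "SPNs missing on ${PoolAccount} (run these on the domain controller):"
foreach ($spn in $missing) {
    # An SPN may belong to only one account; if another account already holds
    # it, adding it here creates a duplicate and Kerberos fails for both.
    Write-Output "  setspn.exe -A $spn $PoolAccount"
}
```

The script only reports; it never runs setspn -A itself, so the Important note about one-account-per-SPN can be checked before any change is made.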