IIS logging for Windows Integrated authentication

Article ID: 969060

INTRODUCTION

This article discusses the request and response communication between an HTTP client and an Internet Information Services (IIS) server when Windows Integrated authentication is configured. This article also illustrates the way that IIS logs this authentication process in the IIS logs.

MORE INFORMATION

Windows Integrated authentication uses both Kerberos v5 authentication and NTLM authentication. Kerberos is an industry-standard authentication protocol that is used to verify user identity or host identity. If Active Directory is installed on a domain controller that is running Windows 2000 Server, Windows Server 2003, or Windows Server 2008, and the client Web browser supports the Kerberos v5 authentication protocol, the client and the IIS server use Kerberos v5 authentication. Otherwise, the client and the IIS server use NTLM authentication.

Note For detailed information about Windows Integrated authentication, visit the following Microsoft Web site:
http://technet2.microsoft.com/WindowsServer/en/Library/80c79abb-348d-467a-92fe-825e696be3351033.mspx?mfr=true

The way that IIS logs NTLM and Kerberos authentication in the IIS log files is different, depending on what protocol is being used.

If the IIS server and the HTTP client that makes the Web request both support the Kerberos protocol, and IIS is configured to use Kerberos, log entries that resemble the following appear in the IIS log for the client request and server response:

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-01-01 02:48:20
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-01-01 02:48:20 W3SVC1 <serverIP> GET / - 80 - <clientIP> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 401 2 2148074254
2009-01-01 02:48:21 W3SVC1 <serverIP> GET / - 80 Domain\User <clientIP> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200 0 0

If either the IIS server or the HTTP client does not support the Kerberos protocol, or if the IIS server is configured to use only NTLM, the following types of log entries appear in the IIS log for the client request and server response:

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-01-05 02:29:47
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-01-01 02:29:47 W3SVC1 <serverIP> GET / - 80 - <clientIP> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 401 2 2148074254
2009-01-01 02:29:47 W3SVC1 <serverIP> GET / - 80 - <clientIP> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 401 1 0
2009-01-01 02:29:47 W3SVC1 <serverIP> GET / - 80 Domain\User <clientIP> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200 0 0
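
The two log patterns above can be told apart mechanically. The following Python example is added here and is not part of the original article. It reads W3C-format entries by their #Fields directive and labels each authenticated 200 response by the 401 sub-statuses that preceded it. Grouping by client IP and User-Agent is an assumption of this example, because the log does not record which connection a request arrived on.

```python
from collections import defaultdict

# Constructed sample in the article's field layout; all addresses are placeholders.
SAMPLE_LOG = r"""#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-01-01 02:48:20 W3SVC1 192.0.2.1 GET / - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 401 2 2148074254
2009-01-01 02:48:21 W3SVC1 192.0.2.1 GET / - 80 Domain\User 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200 0 0
2009-01-01 02:50:47 W3SVC1 192.0.2.1 GET / - 80 - 192.0.2.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 401 2 2148074254
2009-01-01 02:50:47 W3SVC1 192.0.2.1 GET / - 80 - 192.0.2.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 401 1 0
2009-01-01 02:50:47 W3SVC1 192.0.2.1 GET / - 80 Domain\User 192.0.2.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200 0 0
2009-01-01 02:51:02 W3SVC1 192.0.2.1 GET /time.asp - 80 Domain\User 192.0.2.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200 0 0
"""

def parse_w3c(lines):
    """Yield one dict per entry, keyed by the most recent #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):   # skip truncated or foreign lines
                yield dict(zip(fields, values))

def classify_handshakes(lines):
    """Return (client IP, user, label) for every authenticated 200 response."""
    pending = defaultdict(list)   # per client: 401 sub-statuses since last success
    results = []
    for e in parse_w3c(lines):
        key = (e["c-ip"], e["cs(User-Agent)"])
        if e["sc-status"] == "401":
            pending[key].append("401." + e["sc-substatus"])
        elif e["sc-status"] == "200" and e["cs-username"] != "-":
            seq = pending.pop(key, [])
            if seq == ["401.2"]:
                label = "kerberos"              # one anonymous rejection, then success
            elif seq == ["401.2", "401.1"]:
                label = "ntlm"                  # extra 401.1 challenge round trip
            elif not seq:
                label = "no-handshake-logged"   # no 401 seen before this 200
            else:
                label = "unexpected:" + ",".join(seq)
            results.append((e["c-ip"], e["cs-username"], label))
    return results

if __name__ == "__main__":
    for row in classify_handshakes(SAMPLE_LOG.splitlines()):
        print(row)
```

On a server where Kerberos is expected, a steady share of "ntlm" results for domain clients is worth investigating as a fallback.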

Windows Integrated authentication

IIS can be configured to support the Negotiate protocol, the NTLM protocol, or both. In IIS 6.0 and in earlier versions, this is done by configuring the NTAuthenticationProviders metabase key. In IIS 7.0, this is done by setting the appropriate <Provider> element under the <windowsAuthentication> element in the ApplicationHost.config file or in the web.config file.

For more information about how to configure Windows Integrated authentication in IIS 6.0 and in earlier versions, click the following article number to view the article in the Microsoft Knowledge Base:
215383 How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication
For more information about how to configure Windows Integrated authentication in IIS 7.0, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/cc754628.aspx

Kerberos authentication

The following are two scenario-based examples. In the first scenario, IIS is configured to support both the Negotiate protocol and the NTLM protocol. In the second scenario, only the Negotiate protocol is supported.

Scenario 1 – Negotiate protocol and NTLM protocol

In this example, IIS is configured to support both the Negotiate protocol and the NTLM protocol. In IIS 6.0 and in earlier versions, this is done by setting the NTAuthenticationProviders metabase key to "Negotiate,NTLM". In IIS 7.0 and in later versions, both the Negotiate protocol and the NTLM protocol must be listed as providers in the <windowsAuthentication> section.

Note In the following examples, the request header and the response header are captured by using the Microsoft Network Monitor 3.2 tool. To download the latest version of the Network Monitor Tool, visit the following Web site:
http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=4865

When Microsoft Internet Explorer makes a request, Internet Explorer always considers the first request of a new connection to be anonymous. Therefore, Internet Explorer does not send any credentials as part of the request. The following is an example of the request headers that Internet Explorer sends in the first request for a resource:

HTTP: Request, GET /
Command: GET
ProtocolVersion: HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.kerberos.com
Connection: Keep-Alive

If the IIS server is not configured to support Anonymous authentication, the IIS server returns a 401.2 status that tells the client that the client is unauthorized. Together with the error status, the server also sends a list of authentication protocols that the server supports. The response headers that IIS returns in this scenario resemble the following:

HTTP: Response, HTTP/1.1, Status Code = 401
ProtocolVersion: HTTP/1.1
StatusCode: 401, Unauthorized
Reason: Unauthorized
ContentLength: 1656
ContentType: text/html
Server: Microsoft-IIS/6.0
WWWAuthenticate: Negotiate
WWWAuthenticate: NTLM

After the IIS server sends this response, IIS writes the following associated entry to the IIS log:

<Date> <Time> W3SVC<ID> <serverIP> GET / - 80 - <clientIP> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 401 2 2148074254

Note The win32 status of "2148074254" (also defined as -2146893042 / 0x8009030E / SEC_E_NO_CREDENTIALS) means "No credentials are available in the security package." In other words, the client has not sent any credentials.

After the client receives the 401.2 response from the IIS server, the client understands that IIS is configured to use Windows Integrated authentication instead of Anonymous authentication. Therefore, the client must provide appropriate authentication information in its request.

The client then makes a request that resembles the following:

HTTP: Request, GET /
Command: GET
URI: /
ProtocolVersion: HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.kerberos.com
Connection: Keep-Alive
Authorization: Negotiate YIIJ5wYGKwYBBQUCoIIJ2zCCCdegJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCCa0EggmpYIIJpQYJKoZIhvcSAQICAQBugggtygmUMIIJkKADAgEFoQMCAQ6iBwMFACAAAACjggPMYYIDyDCCA8SgAwIBBaENGwtWQU5EQU5BLkNPTaIjMCGgAwIBAqEaMBgbBEhUVFAbEHd3dy5rZXJiZXJvc

Note In this article, the Kerberos ticket in the Authorization: Negotiate header has been truncated.

The IIS server receives the request. The IIS server sees that the client has included authentication information by adding the Authorization: Negotiate header and value. If the client has sent valid credential information, authentication is successful. IIS then sends the following response:

HTTP: Response, HTTP/1.1, Status Code = 200
ProtocolVersion: HTTP/1.1
StatusCode: 200, Ok
Reason: OK
Date: xxx, <Date> <Time> GMT
Server: Microsoft-IIS/6.0
ContentLength: 19
ContentType: text/html
WWWAuthenticate: Negotiate oYGhMIGeoAMKAQChCwYJKoZIgvcSAQICooGJBIGGYIGDBgkqhkiG9xIBAgICAG90MHKgAwIBBaEDAgEPomYwZKADAgEXol0EWxX5VcXsWZwSk7Q6NI5uYf/pLeQ7InM61FPS/ZED4FxR6MK/MK4RjgKgty4u3g143PhRwYr40hI/RAUpvTBeCubY8dOZR0BHG8RgdX2588vAXGIcZIpyRyYHYAmaJ8=

Note The detailed steps of how Kerberos authentication takes place are not included here. For more information about how Kerberos authentication works, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/cc758557.aspx

IIS then writes the following entry to the IIS log:

<Date> <Time> W3SVC<ID> <serverIP> GET /time.asp - 80 Domain\user <clientIP> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200 0 0

Scenario 2 - Negotiate protocol

In the scenario in which IIS is configured to support only the Negotiate protocol instead of both the Negotiate protocol and the NTLM protocol, the request and response flow is the same. The logging in the IIS log is also the same. The difference is in the initial response that IIS makes to the anonymous request from the browser. In this case, IIS sends only the Negotiate header:

HTTP: Response, HTTP/1.1, Status Code = 401
ProtocolVersion: HTTP/1.1
StatusCode: 401, Unauthorized
Reason: Unauthorized
ContentLength: 1656
ContentType: text/html
Server: Microsoft-IIS/6.0
WWWAuthenticate: Negotiate

NTLM authentication

The following is a scenario-based example in which IIS is configured to support only the NTLM protocol. In IIS 6.0 and in earlier versions, this is done by having the NTAuthenticationProviders metabase key set to "NTLM". In IIS 7.0 and in later versions, only the NTLM protocol must be listed as a provider in the <windowsAuthentication> section.

Again, Internet Explorer does not include any authentication information in the first request on a new connection:

HTTP: Request, GET /
Command: GET
ProtocolVersion: HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.kerberos.com
Connection: Keep-Alive

If the IIS server is not configured to support Anonymous authentication, the server returns a 401.2 status that tells the client that the client is unauthorized. Together with the error status, the server also sends a list of authentication protocols that the server supports. The response headers that IIS returns in this NTLM-only scenario resemble the following:

HTTP: Response, HTTP/1.1, Status Code = 401
ProtocolVersion: HTTP/1.1
StatusCode: 401, Unauthorized
Reason: Unauthorized
ContentLength: 1656
ContentType: text/html
Server: Microsoft-IIS/6.0
WWWAuthenticate: NTLM

IIS then writes an entry that resembles the following to the IIS log:

<Date> <Time> W3SVC<ID> <serverIP> GET / - 80 - <clientIP> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 401 2 2148074254

When the client receives the server's notification that the server supports the NTLM protocol, the client re-sends the request. The client includes authentication information in an Authorization header:

HTTP: Request, GET /
Command: GET
URI: /
ProtocolVersion: HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.kerberos.com
Connection: Keep-Alive
Authorization: NTLM TlRMTVNTUAABAAAAB7IIoAcABwssAoAAAACAAIACAAAABWQU5XSU5YUFZBTkRBTkE=

As part of the NTLM handshake, the server acknowledges that the client has sent authentication information. However, the server needs the client to send more information. Therefore, the server returns another 401 response that resembles the following:

HTTP: Response, HTTP/1.1, Status Code = 401
ProtocolVersion: HTTP/1.1
StatusCode: 401, Unauthorized
Reason: Unauthorized
ContentLength: 1539
ContentType: text/html
Server: Microsoft-IIS/6.0
NTLMAuthorization: NTLM TlRMTVNTUAACAAAADgAOADgAAAAFgomiRCfS+kdwvJ0MAAAAAAAAAAJYAlgBGAAAABQLODgAAAA9WAEEATgBEAEEATgBBAAIADgBWAEEATgBEAEEATgBBAAEAFgBXAEkATgBEAEss8AVwBTADIAMAAwADMABAAWAHYAYQBuAGQAYQBuAGEALgBjAG8AbQADAC4AVwBpAG4AZABvAHcAcwAyADAAMAAzAC4AdgBhAG4AZA

IIS then writes an entry in the IIS log that resembles the following:

<Date> <Time> W3SVC<ID> <serverIP> GET / - 80 - <clientIP> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 401 1 0

The 401.1 status that IIS sends tells the client that the client must provide the remainder of the valid authentication information. The client receives this challenge. The client then sends one more request that resembles the following:

HTTP: Request, GET /
Command: GET
URI: /
ProtocolVersion: HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.kerberos.com
Connection: Keep-Alive
NTLMAuthorization: NTLM TlRMTVNTUAADAAAAGAAYAHgAAAAYABgAkAAAAA4ADgBAAAAAGgAaAE4AAAAQABAAaAAAAAAAAACoAAAABYKIoFYAQQBOAEQAQQBOAEEAQQBkAG0AaQBuAGkAcwB0AwwHIAYQB0AG8AcgBWAEEATgBXAEkATgBYAFAAo53RVbJ/EucAAAAAAAAAAAAAAAAAAAAAcWyNNNlQLNMC3EVd+aoZCA9lkh8dVY/M

When the IIS server receives this request, the IIS server communicates with a domain controller to complete the authentication request. When the client's authentication request is confirmed, IIS sends a response that resembles the following:

HTTP: Response, HTTP/1.1, Status Code = 200
ProtocolVersion: HTTP/1.1
StatusCode: 200, Ok
Reason: OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ContentLength: 19
ContentType: text/html
Cache-control: private

Note The detailed steps of how NTLM authentication takes place are not included here. For more information about how NTLM authentication works, visit the following Microsoft Web site:
http://msdn.microsoft.com/en-us/library/bb643328.aspx

After IIS sends this response, IIS writes the following associated entry to the IIS log:

<Date> <Time> W3SVC<ID> <serverIP> GET /time.asp - 80 Domain\User <clientIP> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200 0 0
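
The Authorization values captured in the Kerberos and NTLM scenarios can be identified from their first few bytes, even when the token is truncated as in this article. The following Python example is added here and is not part of the original article. It decodes the start of a token and reports whether it is an NTLMSSP message (and which of the three handshake messages) or a SPNEGO token. The function name and the sample list are assumptions of this example; the last sample is constructed to show that the Negotiate scheme can carry a bare NTLM message, so the scheme word alone does not prove that Kerberos was used.

```python
import base64
import binascii
import struct

SPNEGO_OID = bytes.fromhex("06062b0601050502")   # DER encoding of OID 1.3.6.1.5.5.2
NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def classify_auth_header(value):
    """Return (scheme, mechanism) for an Authorization or WWW-Authenticate value."""
    scheme, _, token = value.strip().partition(" ")
    token = token.strip()
    if not token:
        return scheme, "offer only"          # e.g. the bare headers in a 401.2 response
    head = token[:24]                        # 24 base64 characters decode to 18 bytes
    head = head[: len(head) // 4 * 4]        # tolerate a truncated token
    try:
        raw = base64.b64decode(head)
    except binascii.Error:
        return scheme, "malformed"
    if raw.startswith(NTLMSSP_SIG) and len(raw) >= 12:
        (msg_type,) = struct.unpack_from("<I", raw, 8)   # little-endian message type
        return scheme, "NTLM " + NTLM_TYPES.get(msg_type, "type %d" % msg_type)
    if raw[:1] == b"\x60" and SPNEGO_OID in raw:
        return scheme, "SPNEGO initial token"
    if raw[:1] == b"\xa1":
        return scheme, "SPNEGO response token"
    return scheme, "unrecognized"

# Leading characters of the article's truncated tokens, plus one constructed case.
SAMPLES = [
    "Negotiate YIIJ5wYGKwYBBQUCoIIJ2zCC",   # Kerberos scenario, client request
    "Negotiate oYGhMIGeoAMKAQChCwYJKoZI",   # Kerberos scenario, 200 response
    "NTLM TlRMTVNTUAABAAAAB7IIoAcA",        # NTLM scenario, first client message
    "NTLM TlRMTVNTUAACAAAADgAOADgA",        # NTLM scenario, server challenge
    "NTLM TlRMTVNTUAADAAAAGAAYAHgA",        # NTLM scenario, final client message
    "Negotiate TlRMTVNTUAABAAAA",           # constructed: NTLM sent under Negotiate
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_auth_header(sample))
```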

REFERENCES

For more information about how IIS authenticates browser clients, click the following article number to view the article in the Microsoft Knowledge Base:
264921 How IIS authenticates browser clients
For more information about how to troubleshoot Kerberos-related issues in IIS, click the following article number to view the article in the Microsoft Knowledge Base:
326985 How to troubleshoot Kerberos-related issues in IIS
For more information about how to modify the AuthPersistence Metabase property to control authentication, click the following article number to view the article in the Microsoft Knowledge Base:
318863 How to modify the AuthPersistence Metabase property to control authentication
For more information about a slow performance problem that occurs when you use Integrated Windows authentication in IIS 6.0, click the following article number to view the article in the Microsoft Knowledge Base:
917557 FIX: You may experience slow performance when you use Integrated Windows authentication together with the Kerberos authentication protocol in IIS 6.0
For more information about Microsoft NTLM, visit the following Microsoft Web site:
http://msdn.microsoft.com/en-us/library/bb643328.aspx
For more information about Microsoft Kerberos, visit the following Microsoft Web site:
http://msdn.microsoft.com/en-us/library/aa378747(VS.85).aspx
For more information about IIS Integrated Windows authentication, visit the following Microsoft Web site:
http://technet2.microsoft.com/WindowsServer/en/Library/80c79abb-348d-467a-92fe-825e696be3351033.mspx?mfr=true
For more information about the NTAuthenticationProviders metabase property in IIS 6.0, visit the following Microsoft Web site:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/ea7cd846-33da-49c9-927f-d4e76d6309ac.mspx?mfr=true
For more information about the <windowsAuthentication> configuration property in IIS 7.0, visit the following Web site:
http://www.iis.net/ConfigReference/system.webServer/security/authentication/windowsAuthentication

Properties

Article ID: 969060 - Last Review: July 6, 2012 - Revision: 3.0
APPLIES TO
  • Microsoft Internet Information Services 7.0
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Services 5.1
  • Microsoft Internet Information Services 6.0