Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
Authentication may fail with "401.3" Error if Web site's "Host Header" differs from server's NetBIOS name
Article ID: 294382 - View products that this article applies to.
This article was previously published under Q294382
When you are using Internet Explorer on a Windows 2000 or later client and browsing to a Web site where the host header name is different from the NetBIOS name of the computer, Integrated Authentication may fail with an HTTP error 401.1, error 401.2, or error 401.3.
Note Internet Explorer clients that are using Windows NT 4 or Windows 95 or Windows 98 will not fail. Also, other authentication schemes will work.
Microsoft ASP.NET users may see an error message that is similar to the following:
Server Error in '<application name>' Application.
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Description: An unhandled exception occurred during the execution of the current web request.
Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
During Kerberos authentication, a domain controller that is running Windows 2000 or Windows Server 2003 grants tickets based on the Server Principle Name (SPN) of the Internet Information Services (IIS) Web server. If the host header (Web site name) being requested differs from the NetBIOS name of the IIS 5.0 computer, Kerberos authentication will fail, causing 401.3 errors on the client.
Clients using Windows NT 4 or Windows 95 or Windows 98 succeed because they do not natively support Kerberos and thus use Windows NT Challenge/Response (NTLM) authentication.
A fresh install of Internet Information Services 5.0 with Integrated Authentication enabled will attempt to authenticate clients with Kerberos first. If a client does not support Kerberos, IIS will send that client an "Authenticate: NTLM" header, forcing it to authenticate using Windows NT Challenge/Response.
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/217098/ )Basic overview of Kerberos authentication in Windows 2000
(http://support.microsoft.com/kb/266080/ )Answers to frequently asked Kerberos questions
(http://support.microsoft.com/kb/215383/ )How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication
(http://support.microsoft.com/kb/248350/ )Kerberos authentication fails after upgrading from IIS 4.0 to IIS 5.0