This step-by-step article describes how to configure Microsoft Internet Information Services (IIS) to
support both the Kerberos protocol and the NTLM protocol for network authentication.
IIS passes the Negotiate security header when Integrated Windows
authentication is used to authenticate client requests. The Negotiate security
header lets clients select between Kerberos authentication and NTLM authentication. The Negotiate process selects
Kerberos authentication unless one of the following conditions is true:
• One of the systems that is involved in the authentication cannot use Kerberos authentication.
• The calling application does not provide sufficient information to use Kerberos authentication.
To enable the Negotiate process to select the
Kerberos protocol for network authentication, the client application must provide a
service principal name (SPN), a user principal name (UPN), or a NetBIOS account
name as the target name. Otherwise, the Negotiate process always selects the NTLM protocol as the
preferred authentication method.
Set the Negotiate security header
Warning If you edit the metabase incorrectly, you can cause serious problems that may require that you reinstall any product that uses the metabase. Microsoft cannot guarantee that problems that result if you incorrectly edit the metabase can be solved. Edit the metabase at your own risk.
Note Always back up the metabase before you edit it.
Note
• By default, the NTAuthenticationProviders metabase property is not defined when you install IIS 6.0. IIS 6.0 uses the "Negotiate,NTLM" value when the NTAuthenticationProviders metabase property is not defined. Therefore, you do not have to configure IIS to use the "Negotiate,NTLM" property value unless the default value has been overwritten.
• By default, the NTAuthenticationProviders metabase property is defined when you install IIS 5.1 and IIS 5.0, and it is set to "Negotiate,NTLM". Therefore, you do not have to configure IIS to use the "Negotiate,NTLM" property value unless the default value has been overwritten.
To make sure that IIS supports both the Kerberos protocol
and the NTLM protocol, you must confirm that the Negotiate security header is set in the
NTAuthenticationProviders metabase property. To do this, use the appropriate method for the version of IIS that you have.
IIS 6.0
1. Click Start, click Run, type cmd, and then press ENTER.
2. Locate the directory that contains the Adsutil.vbs file. By default, this directory is C:\Inetpub\Adminscripts.
3. Use the following command to retrieve the current values for the NTAuthenticationProviders metabase property:
   cscript adsutil.vbs get w3svc/WebSite/root/NTAuthenticationProviders
   In this command, WebSite is a placeholder for the Web site ID number. The Web site ID number of the default Web site is 1.
   Warning Do not perform a copy-and-paste operation to paste the command from this article. This operation may cause issues with the property setting. To avoid these issues, type the whole command at a command prompt.
   Note This command fails if the NTAuthenticationProviders metabase property is not defined. For more information, see the note earlier in this section.
   If the Negotiate process is enabled, this command returns the following information:
   NTAuthenticationProviders : (STRING) "Negotiate,NTLM"
4. If the command in step 3 does not return the string "Negotiate,NTLM", use the following command to enable the Negotiate process:
   cscript adsutil.vbs set w3svc/WebSite/root/NTAuthenticationProviders "Negotiate,NTLM"
5. Repeat step 3 to verify that the Negotiate process has been enabled.
Note If you receive an error when you try to verify that the Negotiate process has been enabled, make sure that you did not leave a space between "Negotiate" and "NTLM". For example, "Negotiate,NTLM" differs from "Negotiate, NTLM".
IIS 5.1 or IIS 5.0
1. Click Start, click Run, type cmd, and then press ENTER.
2. Locate the directory that contains the Adsutil.vbs file. By default, this directory is C:\Inetpub\Adminscripts.
3. Use the following command to retrieve the current values for the NTAuthenticationProviders metabase property:
   cscript adsutil.vbs get w3svc/NTAuthenticationProviders
   Warning Do not perform a copy-and-paste operation to paste the command from this article. This operation may cause issues with the property setting. To avoid these issues, type the whole command at a command prompt.
   Note This command fails if the NTAuthenticationProviders metabase property is not defined. For more information, see the note earlier in this section.
   If the Negotiate process is enabled, this command returns the following information:
   NTAuthenticationProviders : (STRING) "Negotiate,NTLM"
   Note By default, the NTAuthenticationProviders metabase property is set to "Negotiate,NTLM" when you install IIS 5.1 or IIS 5.0.
4. If the command in step 3 does not return the string "Negotiate,NTLM", use the following command to enable the Negotiate process:
   cscript adsutil.vbs set w3svc/NTAuthenticationProviders "Negotiate,NTLM"
5. Repeat step 3 to verify that the Negotiate process has been enabled.
Note If you receive an error when you try to verify that the Negotiate process has been enabled, make sure that you did not leave a space between "Negotiate" and "NTLM". For example, "Negotiate,NTLM" differs from "Negotiate, NTLM".
You can disable the Negotiate process to force IIS to use the NTLM protocol for network authentication. This procedure prevents IIS from using the Kerberos protocol. To disable the Negotiate process, use the following command.
Note In this command, "NTLM" must be uppercase to avoid any adverse effects.
cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
Note To verify that the change has been made successfully, always repeat step 3 when you change this metabase value.
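As an added example that is not part of the original article, the following PowerShell script wraps the adsutil.vbs get and set commands from both procedures above (IIS 6.0 per-site path and IIS 5.x server-wide path), parses the returned value, and flags the two mistakes the notes warn about: a space after the comma and a lowercase "ntlm". The script directory, the -SiteId convention (0 selects the IIS 5.x path) and the -Fix switch are assumptions of this example, not from the article.

```powershell
# Added example (not from the original article): audits, and optionally
# repairs, the NTAuthenticationProviders metabase property using the same
# adsutil.vbs get/set commands the article describes.
# Assumptions: adsutil.vbs is in C:\Inetpub\Adminscripts; -SiteId 1 is the
# default Web site on IIS 6.0; -SiteId 0 uses the IIS 5.x path.
param(
    [string]$AdminScripts = 'C:\Inetpub\Adminscripts',
    [int]$SiteId = 1,
    [switch]$Fix
)
$adsutil = Join-Path $AdminScripts 'adsutil.vbs'
$path = 'w3svc/NTAuthenticationProviders'
if ($SiteId -gt 0) { $path = "w3svc/$SiteId/root/NTAuthenticationProviders" }

# Extract the quoted value from a line such as
#   NTAuthenticationProviders : (STRING) "Negotiate,NTLM"
# Returns $null when adsutil reported an error (property not defined).
function Get-ProviderValue([string[]]$Output) {
    foreach ($line in $Output) {
        if ($line -match 'NTAuthenticationProviders\s*:\s*\(STRING\)\s*"([^"]*)"') {
            return $Matches[1]
        }
    }
    return $null
}

# Classify the value the way the article's verification step expects.
# -ceq and -cnotmatch are case-sensitive; "NTLM" must be uppercase.
function Test-ProviderValue([string]$Value) {
    if ([string]::IsNullOrEmpty($Value)) { return 'NOT DEFINED (IIS 6.0 then uses Negotiate,NTLM)' }
    if ($Value -ceq 'Negotiate,NTLM')    { return 'OK: Kerberos or NTLM selected via Negotiate' }
    if ($Value -ceq 'NTLM')              { return 'OK: Negotiate disabled, NTLM only' }
    if ($Value -match 'Negotiate,\s+NTLM') { return "BAD: space after the comma in `"$Value`"" }
    if ($Value -match 'ntlm' -and $Value -cnotmatch 'NTLM') { return "BAD: NTLM must be uppercase in `"$Value`"" }
    return "UNEXPECTED: `"$Value`""
}

# Step 3: read the current value (stderr merged so a failed get yields $null).
$status = Test-ProviderValue (Get-ProviderValue (& cscript //nologo $adsutil get $path 2>&1))
Write-Host "$path -> $status"

if ($Fix -and $status -notlike 'OK*') {
    # Step 4: set the value; step 5: read it back to verify the change.
    & cscript //nologo $adsutil set $path 'Negotiate,NTLM' | Out-Null
    $status = Test-ProviderValue (Get-ProviderValue (& cscript //nologo $adsutil get $path 2>&1))
    Write-Host "after set: $status"
}
```

Run it without -Fix first to see the audit result; with -Fix it only writes the metabase when the current value is not one of the two accepted strings.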