How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication

Article ID: 215383
This article was previously published under Q215383
Important This article contains information about how to edit the metabase. Before you edit the metabase, verify that you have a backup copy that you can restore if a problem occurs. For information about how to do this, see the "Configuration Backup/Restore" Help topic in Microsoft Management Console (MMC).

SUMMARY

This step-by-step article describes how to configure Microsoft Internet Information Services (IIS) to support both the Kerberos protocol and the NTLM protocol for network authentication.

IIS passes the Negotiate security header when Integrated Windows authentication is used to authenticate client requests. The Negotiate security header lets clients select between Kerberos authentication and NTLM authentication. The Negotiate process selects Kerberos authentication unless one of the following conditions is true:
  • One of the systems that is involved in the authentication cannot use Kerberos authentication.
  • The calling application does not provide sufficient information to use Kerberos authentication.
To enable the Negotiate process to select the Kerberos protocol for network authentication, the client application must provide a service principal name (SPN), a user principal name (UPN), or a NetBIOS account name as the target name. Otherwise, the Negotiate process always selects the NTLM protocol as the preferred authentication method.

Set the Negotiate security header

Warning If you edit the metabase incorrectly, you can cause serious problems that may require that you reinstall any product that uses the metabase. Microsoft cannot guarantee that problems that result if you incorrectly edit the metabase can be solved. Edit the metabase at your own risk.

Note Always back up the metabase before you edit it.

Note
  • By default, the NTAuthenticationProviders metabase property is not defined when you install IIS 6.0. When the property is not defined, IIS 6.0 behaves as if it were set to "Negotiate,NTLM". Therefore, you do not have to configure IIS 6.0 to use the "Negotiate,NTLM" value unless the default has been overwritten.
  • By default, the NTAuthenticationProviders metabase property is defined when you install IIS 5.1 or IIS 5.0, and it is set to "Negotiate,NTLM". Therefore, you do not have to configure IIS 5.x to use the "Negotiate,NTLM" value unless the default has been overwritten.
To make sure that IIS supports both the Kerberos protocol and the NTLM protocol, you must confirm that the Negotiate security header is set in the NTAuthenticationProviders metabase property. To do this, use the appropriate method for the version of IIS that you have.

IIS 6.0

  1. Click Start, click Run, type cmd, and then press ENTER.
  2. Locate the directory that contains the Adsutil.vbs file. By default, this directory is C:\Inetpub\Adminscripts.
  3. Use the following command to retrieve the current values for the NTAuthenticationProviders metabase property:
    cscript adsutil.vbs get w3svc/WebSite/root/NTAuthenticationProviders
    In this command, WebSite is a placeholder for the Web site ID number. The Web site ID number of the default Web site is 1.

    Warning Do not perform a copy-and-paste operation to paste the command from this article. This operation may cause issues with the property setting. To avoid these issues, type the whole command at a command prompt.

    Note This command fails if the NTAuthenticationProviders metabase property is not defined. For more information, see the note earlier in this section.

    If the Negotiate process is enabled, this command returns the following information:
    NTAuthenticationProviders : (STRING) "Negotiate,NTLM"
  4. If the command in step 3 does not return the string "Negotiate,NTLM", use the following command to enable the Negotiate process:
    cscript adsutil.vbs set w3svc/WebSite/root/NTAuthenticationProviders "Negotiate,NTLM"
  5. Repeat step 3 to verify that the Negotiate process has been enabled.
Note If you receive an error when you try to verify that the Negotiate process has been enabled, make sure that you did not leave a space between "Negotiate" and "NTLM". For example, "Negotiate,NTLM" differs from "Negotiate, NTLM".

IIS 5.1 or IIS 5.0

  1. Click Start, click Run, type cmd, and then press ENTER.
  2. Locate the directory that contains the Adsutil.vbs file. By default, this directory is C:\Inetpub\Adminscripts.
  3. Use the following command to retrieve the current values for the NTAuthenticationProviders metabase property:
    cscript adsutil.vbs get w3svc/NTAuthenticationProviders
    Warning Do not perform a copy-and-paste operation to paste the command from this article. This operation may cause issues with the property setting. To avoid these issues, type the whole command at a command prompt.

    Note This command fails if the NTAuthenticationProviders metabase property is not defined. For more information, see the note earlier in this section.

    If the Negotiate process is enabled, this command returns the following information:
    NTAuthenticationProviders : (STRING) "Negotiate,NTLM"
    Note By default, the NTAuthenticationProviders metabase property is set to Negotiate,NTLM when you install IIS 5.1 or IIS 5.0.
  4. If the command in step 3 does not return the string "Negotiate,NTLM", use the following command to enable the Negotiate process:
    cscript adsutil.vbs set w3svc/NTAuthenticationProviders "Negotiate,NTLM"
  5. Repeat step 3 to verify that the Negotiate process has been enabled.


Note If you receive an error when you try to verify that the Negotiate process has been enabled, make sure that you did not leave a space between "Negotiate" and "NTLM". For example, "Negotiate,NTLM" differs from "Negotiate, NTLM".

You can disable the Negotiate process to force IIS to use the NTLM protocol for network authentication. This procedure prevents IIS from using the Kerberos protocol. To disable the Negotiate process, use the following command.

Note In this command, "NTLM" must be uppercase to avoid any adverse effects.
cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
Note To verify that the change has been made successfully, always repeat step 3 when you change this metabase value.
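The batch file below is an added example; it is not part of the original article and not a Microsoft-supplied script. It wraps steps 3 through 5 of both procedures above (read the property, set it only if it differs, read it again to verify) so the get-compare-set-verify cycle is not repeated by hand, and it accepts "NTLM" as the wanted value to cover the disable case. It assumes Adsutil.vbs is in the default location C:\Inetpub\Adminscripts and that adsutil.vbs prints the value in the form shown in the article (NTAuthenticationProviders : (STRING) "..."); the file name set-ntauth.cmd, the variable names and the :read_current subroutine are the example's own.

```batch
@echo off
REM Added example, not part of KB 215383. Applies steps 3-5 of the article:
REM read NTAuthenticationProviders, set it only if it differs from the wanted
REM value, then read it again to verify that the change took effect.
REM Usage:  set-ntauth.cmd [value] [siteID]
REM   value   Negotiate,NTLM (default) or NTLM (disables the Negotiate process)
REM   siteID  IIS 6.0 Web site ID; default 1 (the default Web site).
REM           Pass "" to use the global IIS 5.x path w3svc/NTAuthenticationProviders.
REM Assumes Adsutil.vbs is in C:\Inetpub\Adminscripts (the default location).
setlocal
set "ADMINSCRIPTS=C:\Inetpub\Adminscripts"

set "WANTED=%~1"
if "%WANTED%"=="" set "WANTED=Negotiate,NTLM"
REM Accept only the exact strings the article documents: no space after the
REM comma and NTLM in uppercase. The comparison is case-sensitive (no /i).
if "%WANTED%"=="Negotiate,NTLM" goto :value_ok
if "%WANTED%"=="NTLM" goto :value_ok
echo Unsupported value "%WANTED%": use Negotiate,NTLM or NTLM 1>&2
exit /b 2
:value_ok

REM Omitted second argument means site 1; an explicit "" selects the IIS 5.x path.
if [%2]==[] (set "SITE=1") else (set "SITE=%~2")
if "%SITE%"=="" (
    set "METAPATH=w3svc/NTAuthenticationProviders"
) else (
    set "METAPATH=w3svc/%SITE%/root/NTAuthenticationProviders"
)

cd /d "%ADMINSCRIPTS%" || exit /b 1

REM Step 3: read the current value.
call :read_current
if "%CURRENT%"=="%WANTED%" (
    echo %METAPATH% is already "%WANTED%".
    exit /b 0
)
if "%CURRENT%"=="" echo Property not defined or get failed; setting it now.

REM Step 4: set the value.
cscript //nologo adsutil.vbs set %METAPATH% "%WANTED%"

REM Step 5: re-read and confirm.
call :read_current
if "%CURRENT%"=="%WANTED%" (
    echo Verified: %METAPATH% = "%WANTED%".
    exit /b 0
)
echo ERROR: expected "%WANTED%" but read "%CURRENT%". 1>&2
exit /b 1

:read_current
REM Parses the line  NTAuthenticationProviders : (STRING) "value"  printed by
REM adsutil.vbs and stores value (quotes stripped by %%~B) in CURRENT.
REM Filtering on (STRING) skips adsutil's error text, so CURRENT stays empty
REM when the property is undefined and the get fails.
set "CURRENT="
for /f "tokens=3*" %%A in ('cscript //nologo adsutil.vbs get %METAPATH% 2^>nul ^| findstr /c:"(STRING)"') do set "CURRENT=%%~B"
exit /b 0
```

Run it from an elevated command prompt, for example set-ntauth.cmd to enable Negotiate on the default Web site, set-ntauth.cmd Negotiate,NTLM 2 for site ID 2, or set-ntauth.cmd NTLM "" to force NTLM at the global IIS 5.x path. Because the script rejects any value other than the two exact strings, the "Negotiate, NTLM" and lowercase "ntlm" mistakes the article warns about cannot reach the metabase.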

Properties

Article ID: 215383 - Last Review: January 19, 2007 - Revision: 7.1
APPLIES TO
  • Microsoft Internet Information Services 6.0
  • Microsoft Internet Information Services version 5.1
  • Microsoft Internet Information Services 5.0
Keywords: 
kbhowtomaster kbhowto KB215383
