Kerberos authentication fails after upgrading from IIS 4.0 to IIS 5.0
Article ID: 248350
This article was previously published under Q248350
IMPORTANT: This article contains information about editing the metabase. Before you edit the metabase, verify that you have a backup copy that you can restore if a problem occurs. For information about how to do this, see the "Configuration Backup/Restore" Help topic in Microsoft Management Console (MMC).
When you upgrade a computer that is running Windows NT Server 4.0 with Internet Information Server 4.0 installed to Windows 2000 with Internet Information Services 5.0, Kerberos authentication may fail. The Negotiate method may not be used by the Web server even though Windows Integrated authentication is selected.
When you do a network trace from a remote client computer by using Network Monitor, you will usually see the following in the WWW-Authenticate header sent to the client:
WWW-Authenticate: Negotiate
If you run the same network trace on a computer that has been upgraded from Windows NT 4.0 to Windows 2000, you may only see the NTLM WWW-Authenticate header sent to the client (Negotiate is not sent to the client). For example:
In order to preserve the default authentication method that is used in Internet Information Server 4.0, the upgrade does not change the metabase setting for NTAuthenticationProviders. The default for this metabase key is "NTLM" in Internet Information Server 4.0; in Internet Information Services 5.0 the default was changed to "Negotiate,NTLM" so that the new Negotiate method can be used.
If you do a clean installation of Windows 2000 (as opposed to an upgrade), the key will reflect the default in Internet Information Services 5.0 as "Negotiate,NTLM."
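The trace check described above can be automated. The following is an added example, not code from this article: it reads the head of a captured HTTP 401 response and reports whether Negotiate is among the offered schemes. The sample responses are constructed, and the function names and result labels are assumptions made for illustration.

```python
# Added example (not from the article): classify the WWW-Authenticate
# challenges in a captured HTTP 401 response head.

# Constructed sample responses modelled on the headers the article describes.
CLEAN_INSTALL_401 = (
    "HTTP/1.1 401 Access Denied\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n\r\n"
)
UPGRADED_401 = (
    "HTTP/1.1 401 Access Denied\r\n"
    "www-authenticate: NTLM\r\n"
    "Content-Length: 0\r\n\r\n"
)


def offered_schemes(raw_response):
    """Return the authentication schemes a 401 response offers, in order."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = lines[0].split()
    if len(status) < 2 or status[1] != "401":
        return []  # not an authentication challenge
    schemes = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # Header names are case-insensitive.
        if not sep or name.strip().lower() != "www-authenticate":
            continue
        tokens = value.split()
        # Assumption: one scheme per header line, as in the samples above.
        if tokens and tokens[0].lower() not in [s.lower() for s in schemes]:
            schemes.append(tokens[0])
    return schemes


def diagnose(raw_response):
    """Map the offered schemes to the condition described in the article."""
    names = [s.lower() for s in offered_schemes(raw_response)]
    if "negotiate" in names:
        return "negotiate-offered"       # Kerberos can be attempted
    if "ntlm" in names:
        return "ntlm-without-negotiate"  # consistent with a provider list of "NTLM"
    return "no-integrated-auth"


if __name__ == "__main__":
    for label, raw in (("clean install", CLEAN_INSTALL_401),
                       ("upgraded", UPGRADED_401)):
        print(label, offered_schemes(raw), diagnose(raw))
```

A result of "ntlm-without-negotiate" on a server with Windows Integrated authentication selected is the symptom this article describes.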
To resolve this problem, you must edit the metabase.
WARNING: If you edit the metabase incorrectly, you can cause serious problems that may require you to reinstall any product that uses the metabase. Microsoft cannot guarantee that problems that result if you incorrectly edit the metabase can be solved. Edit the metabase at your own risk.
NOTE: Always back up the metabase before you edit it.
To change the value of NTAuthenticationProviders, follow these steps:
Microsoft has confirmed that this is a problem in Microsoft Internet Information Services version 5.0.
For more information about how to use the Network Monitor utility on Windows 2000 Server-based computers, see the following article in the Microsoft Knowledge Base:
812953 (http://support.microsoft.com/kb/812953/) How to use Network Monitor to capture network traffic
Article ID: 248350 - Last Review: November 21, 2006 - Revision: 2.1