Kerberos authentication fails after upgrading from IIS 4.0 to IIS 5.0

Article ID: 248350 - View products that this article applies to.
This article was previously published under Q248350
IMPORTANT: This article contains information about editing the metabase. Before you edit the metabase, verify that you have a backup copy that you can restore if a problem occurs. For information about how to do this, see the "Configuration Backup/Restore" Help topic in Microsoft Management Console (MMC).
Expand all | Collapse all

SYMPTOMS

When you upgrade a computer that is running Windows NT Server 4.0 with Internet Information Server 4.0 installed to Windows 2000 with Internet Information Services 5.0, Kerberos authentication may fail. The Negotiate method may not be used by the Web server even though Windows Integrated authentication is selected.

When you do a network trace from a remote client computer by using Network Monitor, you will usually see the following in the WWW-Authenticate header sent to the client:
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
If you run the same network trace on a computer that has been upgraded from Windows NT 4.0 to Windows 2000, you may only see the NTLM WWW-Authenticate header sent to the client (Negotiate is not sent to the client). For example:
WWW-Authenticate: NTLM
Back to the top | Give Feedback

CAUSE

In order to preserve the default authentication method that is used in Internet Information Server 4.0, the metabase setting for NTAuthenticationProviders was not changed. The default for this metabase key is "NTLM" in Internet Information Server 4.0; however, this has been changed in Internet Information Services 5.0 so that the new Negotiate method can use "Negotiate,NTLM."

If you do a clean installation of Windows 2000 (as opposed to an upgrade), the key will reflect the default in Internet Information Services 5.0 as "Negotiate,NTLM."
Back to the top | Give Feedback

RESOLUTION

To resolve this problem, you must edit the metabase.

WARNING: If you edit the metabase incorrectly, you can cause serious problems that may require you to reinstall any product that uses the metabase. Microsoft cannot guarantee that problems that result if you incorrectly edit the metabase can be solved. Edit the metabase at your own risk.

NOTE: Always back up the metabase before you edit it.

To change the value of NTAuthenticationProviders, following these steps:
  1. Open a command prompt (Cmd.exe).
  2. Change the directory to c:\inetpub\adminscripts. Note that this path is the default path and may be different from yours if you changed the content area or installed to a different drive letter.
  3. To determine the value of NTAuthenticationProviders, type the following, and then press the ENTER key:
    cscript adsutil.vbs get w3svc/NTAuthenticationProviders
    The following output should return:
    NTAuthenticationProviders : (STRING) "NTLM"
  4. If the value of NTAuthenticationProviders is "NTLM," then type the following (exactly):
    cscript adsutil.vbs set w3svc/NTAuthenticationProviders "Negotiate,NTLM"
    Press the ENTER key. You should receive the following output:
    NTAuthenticationProviders : (STRING) "Negotiate,NTLM"
If you receive an error on the last step, make sure that you did not leave a space between Negotiate and NTLM. For example, "Negotiate,NTLM" differs from "Negotiate, NTLM."
Back to the top | Give Feedback

STATUS

Microsoft has confirmed that this is a problem in Microsoft Internet Information Services version 5.0.
Back to the top | Give Feedback

REFERENCES

For more information about how to use the Network Monitor utility on Windows 2000 Server-based computers, click the following article number to view the article in the Microsoft Knowledge Base:
812953
(http://support.microsoft.com/kb/812953/ )
How to use Network Monitor to capture network traffic
Back to the top | Give Feedback

Properties

Article ID: 248350 - Last Review: November 21, 2006 - Revision: 2.1
APPLIES TO
  • Microsoft Internet Information Services 5.0
Keywords: 
kbbug kbpending KB248350
Retired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top