An unexpected 401.1 status is returned when using Pre-Authentication Headers with Internet Explorer and Internet Information Services

Article ID: 2749007 - View products that this article applies to.
Expand all | Collapse all

Symptoms

Consider the following scenario. You use Windows Internet Explorer to browse to a web application hosted on Microsoft Internet Information Services (IIS) 7.0 or higher. The Internet Explorer browser is configured to use Pre-Authentication, and Kernel Mode Authentication is enabled in IIS. Additionally, this web request being sent by Internet Explorer is the first request to be sent to the IIS application. In this scenario, IIS may return an HTTP 401.1 response to Internet Explorer in response to the browser's request. The web browser may prompt you to enter your username and password, or the HTTP 401.1 error message may be displayed in the browser window.


Back to the top | Give Feedback

Cause

This behavior is by design. The 401.1 response will occur if the web browser's first request sent to the IIS application contains an NTLM or Negotiate WWW-Authorization header (known as Pre-Authentication).

Note There are many reasons a user may be prompted for credentials in Internet Explorer which are outside the scope of this article. Please see the More Information section below to learn how to determine if the cause of the prompt is from the issue described here.


Back to the top | Give Feedback

Workaround

To work around this behavior, disable Pre-Authentication in Internet Explorer, or turn off Kernel Mode Authentication for the IIS Web application.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To modify this behavior in Internet Explorer, use Registry Editor (Regedt32.exe) to add a value to the following registry key:

HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Internet Settings/

Note The above registry key is one path; it has been wrapped for readability.

Add the following registry value:

Value Name: DisableNTLMPreAuth
Data Type: REG_DWORD
Value: 1


To modify this behavior in IIS, disable Kernel Mode Authentication for the IIS web application.

  1. Open Internet Information Services (IIS) Manager:
    • From an administrative command prompt run the following command:

      "%windir%\System32\inetsrv\inetmgr.exe"
  2. In the Connections pane, expand the server name, expand Sites, and then the site, application, or Web service for which you want to disable Kernel Mode Authentication. 
  3. Scroll to the Security section in the Home pane, and then double-click Authentication.
  4. In the Authentication pane, select Windows Authentication.
  5. Click Advanced Settings in the Actions pane.
  6. When the Advanced Settings dialog box appears, uncheck the Enable Kernel-mode authentication checkbox
  7. Click OK to close the Advanced Settings dialog box.

IMPORTANT:  Disabling Kernel Mode Authentication may cause web applications that require Kerberos authentication and delegation to fail.


Back to the top | Give Feedback

More information

To determine if the prompt is caused by the issue described in this article, use the Fiddler tool to look at the HTTP request/response traffic for the request resulting in the prompt in Internet Explorer. You will also need the IIS logs from the IIS Server to confirm the HTTP status and sub-status codes. The below example uses Internet Explorer 9 to illustrate this behavior:

  1. Start the Fiddler Tool and enable traffic capture
  2. Browse to the IIS web application such that it will result in the prompt for credentials
  3. In Fiddler, look for the request that resulted in the 401. Looking at the Raw Request and Response views you will see entries similar to the following:

    Request Headers:
    GET /App1/default.aspx HTTP/1.1
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: websitename
Cookie: ASP.NET_SessionId=jdzbfpnmacq0jykhxnhqhe3j
Authorization: Negotiate 
<header content omitted>
    Response Headers
    HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Wed, 22 Aug 2012 17:41:09 GMT
Content-Length: 1293
Proxy-Support: Session-Based-Authentication


Notice that the initial request to the web application already contains the Authorization header, which then results in the 401 response. The corresponding IIS log should show an entry similar to the following:


2012-08-22 17:41:09 2001:4898:0:fff:200:5efe:157.59.113.72 GET /App1/default.aspx - 80 - 2001:4898:0:fff:0:
5efe:172.18.100.183 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+
2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C;+.NET4.0E;+InfoPath.3;+MS-
RTC+EA+2;+BRI/1;+Zune+4.7;+MS-RTC+LM+8;+BRI/2;+Creative+AutoUpdate+v1.41.02) 401 1 2148074254 5005

The HTTP status and sub status is 401.1, which maps to Access Denied due to Invalid credentials.


For more information, please see the following documentation: 

Windows Authentication
http://www.iis.net/ConfigReference/system.webServer/security/authentication/windowsAuthentication
(http://www.iis.net/ConfigReference/system.webServer/security/authentication/windowsAuthentication)


How IIS authenticates browser clients
http://support.microsoft.com/kb/264921
(http://support.microsoft.com/kb/264921)


Internet Explorer May Prompt Your for a Password
http://support.microsoft.com/kb/258063
(http://support.microsoft.com/kb/258063)


IIS Application configuration reference
http://www.iis.net/configreference/system.applicationhost/sites/site/application
(http://www.iis.net/configreference/system.applicationhost/sites/site/application)



Back to the top | Give Feedback
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use
(http://go.microsoft.com/fwlink/?LinkId=151500)
for other considerations.
Back to the top | Give Feedback

Properties

Article ID: 2749007 - Last Review: November 16, 2012 - Revision: 5.0
Applies to
  • Microsoft Internet Information Services 8.0
  • Microsoft Internet Information Services 7.5
  • Microsoft Internet Information Services 7.0
  • Internet Explorer 10
  • Windows Internet Explorer 9
  • Windows Internet Explorer 8
  • Windows Internet Explorer 7
Keywords: 
KB2749007
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top