Article ID: 2749007 - View products that this article applies to.
Consider the following scenario. You use Windows Internet Explorer to browse to a web application hosted on Microsoft Internet Information Services (IIS) 7.0 or higher. The Internet Explorer browser is configured to use Pre-Authentication, and Kernel Mode Authentication is enabled in IIS. Additionally, this web request being sent by Internet Explorer is the first request to be sent to the IIS application. In this scenario, IIS may return an HTTP 401.1 response to Internet Explorer in response to the browser's request. The web browser may prompt you to enter your username and password, or the HTTP 401.1 error message may be displayed in the browser window.
This behavior is by design. The 401.1 response will occur if the web browser's first request sent to the IIS application contains an NTLM or Negotiate WWW-Authorization header (known as Pre-Authentication).
Note There are many reasons a user may be prompted for credentials in Internet Explorer which are outside the scope of this article. Please see the More Information section below to learn how to determine if the cause of the prompt is from the issue described here.
To work around this behavior, disable Pre-Authentication in Internet Explorer, or turn off Kernel Mode Authentication for the IIS Web application.
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
To modify this behavior in Internet Explorer, use Registry Editor (Regedt32.exe) to add a value to the following registry key:
Note The above registry key is one path; it has been wrapped for readability.
Add the following registry value:
Value Name: DisableNTLMPreAuth
Data Type: REG_DWORD
To modify this behavior in IIS, disable Kernel Mode Authentication for the IIS web application.
IMPORTANT: Disabling Kernel Mode Authentication may cause web applications that require Kerberos authentication and delegation to fail.
To determine if the prompt is caused by the issue described in this article, use the Fiddler tool to look at the HTTP request/response traffic for the request resulting in the prompt in Internet Explorer. You will also need the IIS logs from the IIS Server to confirm the HTTP status and sub-status codes. The below example uses Internet Explorer 9 to illustrate this behavior:
Notice that the initial request to the web application already contains the Authorization header, which then results in the 401 response. The corresponding IIS log should show an entry similar to the following:
The HTTP status and sub status is 401.1, which maps to Access Denied due to Invalid credentials.
For more information, please see the following documentation:
How IIS authenticates browser clients
Internet Explorer May Prompt Your for a Password
IIS Application configuration reference
(http://go.microsoft.com/fwlink/?LinkId=151500)for other considerations.
Article ID: 2749007 - Last Review: November 16, 2012 - Revision: 5.0