Help and Support
 

powered byLive Search

Unable to negotiate Kerberos authentication after upgrading to Internet Explorer 6

View products that this article applies to.
Article ID:299838
Last Review:September 15, 2006
Revision:4.2
This article was previously published under Q299838

SYMPTOMS

After you upgrade to Internet Explorer 6 or Internet Explorer 6 Service Pack 1 (SP1), Internet Explorer cannot negotiate Kerberos authentication with a Web server that supports Kerberos (for example, Microsoft Internet Information Services version 5.0).

Back to the top

CAUSE

This issue can occur because Internet Explorer 6 or later for Windows 2000 does not respond to a negotiate challenge and defaults to NTLM, or Windows NT Challenge/Response, authentication by default.

Back to the top

RESOLUTION

To resolve this issue, enable Internet Explorer 6 to respond to a negotiate challenge and perform Kerberos authentication:
1.In Internet Explorer, click Internet Options on the Tools menu.
2.Click the Advanced tab, click to select the Enable Integrated Windows Authentication (requires restart) check box in the Security section, and then click OK.
3.Restart Internet Explorer.
Administrators can enable Integrated Windows Authentication by setting the EnableNegotiate DWORD value to 1 in the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Note Internet Explorer 6, when used with Microsoft Windows 98, Microsoft Windows 98 Second Edition, Microsoft Windows Millennium Edition, and Microsoft Windows NT 4.0 does not respond to a negotiate challenge and default to NTLM (or Windows NT Challenge/Response) authentication even if the Enable Integrated Windows Authentication (requires restart) check box is selected because Kerberos authentication is not available on these operating systems.

Back to the top

STATUS

This behavior is by design.

Back to the top

MORE INFORMATION

The Enable Integrated Windows Authentication (requires restart) check box is selected by default in Internet Explorer 6 for Windows XP and Windows Server 2003, so the information in this article only applies to Internet Explorer 6 or later for Windows 2000. Note that the Kerberos authentication protocol is still the default protocol for other forms of network authentication on Windows 2000-based computers with Internet Explorer versions 6 or later.

Neither Internet Explorer versions 5.x or 6 and later support Kerberos authentication with a proxy server, even if Integrated Windows Authentication is enabled. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:
321728 (http://support.microsoft.com/kb/321728/) Internet Explorer does not support Kerberos authentication with proxy servers
For more information about Integrated Windows Authentication with Internet Information Services 5.0, click the following article numbers to view the articles in the Microsoft Knowledge Base:
215383 (http://support.microsoft.com/kb/215383/) How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication
294382 (http://support.microsoft.com/kb/294382/) Authentication may fail with "401.3" Error if Web site's "Host Header" differs from server's NetBIOS name

Back to the top

APPLIES TO
Microsoft Internet Explorer 6.0, when used with:
  Microsoft Windows 2000 Standard Edition

Back to the top

Keywords: 
kbinterop kbnetwork kbprb KB299838

Back to the top

Article Translations

 

Related Support Centers

Other Support Options

  • Need More Help?
    Contact a Support professional by Email, Online or Phone.
  • Customer Service
    For non-technical assistance with product purchases, subscriptions, online services, events, training courses, corporate sales, piracy issues, and more.
  • Newsgroups
    Pose a question to other users. Discussion groups and Forums about specific Microsoft products, technologies, and services.