FIX: "HTTP error 401.1 - Unauthorized: Access is denied due to invalid credentials" error message if the Basic authentication Default Domain property is set to a backward slash character (\) in IIS

Article translations Article translations
Article ID: 827991 - View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

When you use Basic authentication to connect to a Web site that is hosted by Internet Information Services (IIS), you may be prompted multiple times for a user name and a password. After you enter the correct user credentials, you may receive the following error message:
You are not authorized to view this page
HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.

CAUSE

This problem may occur if the Default Domain property for Basic authentication is set to a backward slash character (\). In earlier versions of IIS, you could set the Default Domain property to a backward slash character (\) to allow the Web server to validate the logon credentials of a user against all trusting domains. However when you set the Default Domain property to a backward slash character (\) on a computer that is running Windows Server 2003, IIS will no longer allow the search for user credentials in all trusted domains.

RESOLUTION

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date         Time   Version       Size     File name
----------------------------------------------------------  
                   
14-Jun-2004  18:02  6.0.3790.109  337,408  w3core.dll

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

Basic authentication requires that you enter a domain name together with a user name. Therefore, an administrator may want to set the Default Domain property for Basic authentication to the most common domain that is used. This allows users in that domain to type only a user name and a password. After this, the default domain is used. This behavior will still work in IIS 6.0.

However, if users can use more than one domain, you could configure earlier versions of IIS so that the Default Domain property contained a backward slash character (\). The backward slash character (\) indicated that IIS should search all trusted domains for that user name.

However, in IIS 6.0 that behavior has changed and using the backward slash character (\) no longer works in this way. Users must type the domain name together with the user name by using the following format:
<domain name>\username.
In Exchange Server 2003, Forms-based authentication automatically sets the default domain for Basic authentication on the Exchange virtual directory in Exchange System Manager to a backslash character (\). This restriction is designed to support user logons that use the UPN format. If you modify the default domain setting in IIS to anything other than the default domain setting of "\", Exchange System Manager resets the default domain setting to "\" on the server. This change requires users to enter the domain, the username, and the password to log on to Outlook Web Access. After you apply this hotfix, users only have to enter the username and the password to log on to Outlook Web Access when you use Forms-based authentication.

Properties

Article ID: 827991 - Last Review: December 3, 2007 - Revision: 2.10
APPLIES TO
  • Microsoft Internet Information Services 6.0
Keywords: 
kbautohotfix kbhotfixserver kbqfe kbprb kbinfo KB827991

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com