- The IIS 6.0 Web site is part of an IIS application pool.
- The application pool is running under a local account or under a domain user account.
- The Web site is configured to use Integrated Windows authentication only.
To resolve this behavior when the application pool is running under a domain user account, set up an HTTP SPN with the NetBIOS name and the fully qualified domain name (FQDN) of the domain user account that the application pool is running under. To do this, follow these steps on a domain controller:
Important: An SPN for a service can be associated with only one account. Therefore, if you use this suggested resolution, any other application pool that is running under a different domain user account cannot be used with Integrated Windows authentication only.
- Install the Setspn.exe tool. To obtain the Setspn.exe tool for Microsoft Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base: 970536 Setspn.exe support tool update for Windows Server 2003
- Start a command prompt, and then change to the directory where you installed Setspn.exe.
- At the command prompt, type the following commands. Press ENTER after each command:
setspn.exe -S http/IIS_computer's_NetBIOS_name DomainName\UserName
setspn.exe -S http/IIS_computer's_FQDN DomainName\UserName
Note: UserName is the user account that the application pool is running under. If you are running the setspn.exe command on a Windows 2000 machine, use the -A switch instead of the -S switch.
- Start a command prompt.
- Locate and then change to the directory that contains the Adsutil.vbs file. By default, this directory is C:\Inetpub\Adminscripts.
- Type the following command, and then press ENTER:
cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
- To verify that the NTAuthenticationProviders metabase property is set to NTLM, type the following command, and then press ENTER:
cscript adsutil.vbs get w3svc/NTAuthenticationProviders
The following text should be returned:
NTAuthenticationProviders : (STRING) "NTLM"
Internet Information Services (IIS) 7.0
The topics discussed in this article can also apply to IIS 7.0 if one of the following conditions is true:
- Kernel Mode Authentication is disabled.
- Kernel Mode Authentication is enabled, and the useAppPoolCredentials attribute is set to TRUE.
- 401.1 logon failed
- 401.3 ACL