Kerberos authentication fails after upgrading from IIS 4.0 to IIS 5.0

This article has been archived. It is offered "as is" and will no longer be updated.
IMPORTANT: This article contains information about editing the metabase. Before you edit the metabase, verify that you have a backup copy that you can restore if a problem occurs. For information about how to do this, see the "Configuration Backup/Restore" Help topic in Microsoft Management Console (MMC).
When you upgrade a computer that is running Windows NT Server 4.0 with Internet Information Server 4.0 installed to Windows 2000 with Internet Information Services 5.0, Kerberos authentication may fail. The Negotiate method may not be used by the Web server even though Windows Integrated authentication is selected.

When you do a network trace from a remote client computer by using Network Monitor, you will usually see the following in the WWW-Authenticate header sent to the client:
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
If you run the same network trace on a computer that has been upgraded from Windows NT 4.0 to Windows 2000, you may only see the NTLM WWW-Authenticate header sent to the client (Negotiate is not sent to the client). For example:
WWW-Authenticate: NTLM
In order to preserve the default authentication method that is used in Internet Information Server 4.0, the upgrade does not change the metabase setting for NTAuthenticationProviders. The default for this metabase key is "NTLM" in Internet Information Server 4.0; in Internet Information Services 5.0 the default has been changed to "Negotiate,NTLM" so that the new Negotiate method can be used.

If you do a clean installation of Windows 2000 (as opposed to an upgrade), the key will reflect the default in Internet Information Services 5.0 as "Negotiate,NTLM."
To resolve this problem, you must edit the metabase.

WARNING: If you edit the metabase incorrectly, you can cause serious problems that may require you to reinstall any product that uses the metabase. Microsoft cannot guarantee that problems that result if you incorrectly edit the metabase can be solved. Edit the metabase at your own risk.

NOTE: Always back up the metabase before you edit it.

To change the value of NTAuthenticationProviders, follow these steps:
  1. Open a command prompt (Cmd.exe).
  2. Change the directory to c:\inetpub\adminscripts. Note that this path is the default path and may be different from yours if you changed the content area or installed to a different drive letter.
  3. To determine the value of NTAuthenticationProviders, type the following, and then press the ENTER key:
    cscript adsutil.vbs get w3svc/NTAuthenticationProviders
    The following output should return:
    NTAuthenticationProviders : (STRING) "NTLM"
  4. If the value of NTAuthenticationProviders is "NTLM," then type the following (exactly):
    cscript adsutil.vbs set w3svc/NTAuthenticationProviders "Negotiate,NTLM"
    Press the ENTER key. You should receive the following output:
    NTAuthenticationProviders : (STRING) "Negotiate,NTLM"
If you receive an error on the last step, make sure that you did not leave a space between Negotiate and NTLM. For example, "Negotiate,NTLM" differs from "Negotiate, NTLM."
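The following Python script is an added example, not part of this article or of adsutil.vbs: it parses the output of the adsutil "get" command shown above, decides whether the IIS 4.0 default is still in place, validates a candidate value against the no-space rule, and checks a captured set of response headers for the missing Negotiate method. The sample outputs and headers are constructed from the text of this article.

```python
import re

# Constructed samples of the adsutil.vbs output described in this article.
UPGRADED_OUTPUT = 'NTAuthenticationProviders : (STRING) "NTLM"'
CLEAN_INSTALL_OUTPUT = 'NTAuthenticationProviders : (STRING) "Negotiate,NTLM"'

# Constructed headers as seen in a Network Monitor trace of an upgraded server.
UPGRADED_HEADERS = [("WWW-Authenticate", "NTLM")]

_ADSUTIL_LINE = re.compile(
    r'^NTAuthenticationProviders\s*:\s*\(STRING\)\s*"([^"]*)"\s*$')


def parse_providers(line):
    """Return the quoted provider list from one adsutil 'get' line, or None."""
    match = _ADSUTIL_LINE.match(line.strip())
    return match.group(1) if match else None


def is_valid_provider_list(value):
    """True only if every comma-separated entry is non-empty and has no spaces."""
    parts = value.split(",")
    return all(part and part == part.strip() for part in parts)


def negotiate_missing(providers):
    """True when the value still carries the IIS 4.0 default (no Negotiate)."""
    return "Negotiate" not in providers.split(",")


def recommended_command(get_output_line):
    """Return the exact adsutil 'set' command from the article if a fix is needed."""
    providers = parse_providers(get_output_line)
    if providers is None or not negotiate_missing(providers):
        return None
    fixed = "Negotiate,NTLM"
    assert is_valid_provider_list(fixed)
    return f'cscript adsutil.vbs set w3svc/NTAuthenticationProviders "{fixed}"'


def offered_schemes(headers):
    """Collect scheme names from WWW-Authenticate headers in a captured response."""
    return [value.split()[0] for name, value in headers
            if name.lower() == "www-authenticate"]


if __name__ == "__main__":
    print(recommended_command(UPGRADED_OUTPUT))
    print(offered_schemes(UPGRADED_HEADERS))
```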
Microsoft has confirmed that this is a problem in Microsoft Internet Information Services version 5.0.
For more information about how to use the Network Monitor utility on Windows 2000 Server-based computers, click the following article number to view the article in the Microsoft Knowledge Base:
812953 How to use Network Monitor to capture network traffic

Article ID: 248350 - Last Review: 06/19/2014 06:37:00 - Revision: 4.0
