RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.
When using the IIS Manager to configure an Internet Information Services (IIS) 7.0 server to use Windows Integrated Authentication, you cannot choose between the Negotiate and NTLM protocols.
The ability to choose between the Negotiate and the NTLM protocols is not exposed through the IIS Manager’s graphical user interface.
To resolve this problem, follow the steps in the More Information section.
IIS passes the Negotiate security header when Integrated Windows authentication is used to authenticate client requests. The Negotiate security header lets clients select between Kerberos authentication and NTLM authentication. The Negotiate process selects Kerberos authentication unless one of the following conditions is true:
• One of the systems that is involved in the authentication cannot use Kerberos authentication.
• The calling application does not provide sufficient information to use Kerberos authentication.
To enable the Negotiate process to select the Kerberos protocol for network authentication, the client application must provide a service principal name (SPN), a user principal name (UPN), or a NetBIOS account name as the target name. Otherwise, the Negotiate process always selects the NTLM protocol as the preferred authentication method.
To make sure that IIS supports both the Kerberos protocol and the NTLM protocol, you must confirm that the Negotiate authentication provider is set in the <providers> collection of the security/authentication/windowsAuthentication section of the applicationHost.config file. There are two ways to do this:
1) If the IIS 6 Management Compatibility component is installed on the IIS 7.0 server, use the following command to set the providers to both Negotiate and NTLM:
cscript adsutil.vbs set w3svc/NTAuthenticationProviders "Negotiate,NTLM"
2) If the IIS 6 Management Compatibility component is not installed on the IIS server, use the following commands to set both providers:
appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication /+"providers.[value='Negotiate']" /commit:apphost
appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication /+"providers.[value='NTLM']" /commit:apphost
For more information on how to use the appcmd.exe tool, see the following document:
MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE “MATERIALS”) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.