
You cannot configure the Negotiate or NTLM protocols for Windows Integrated Authentication in the IIS Manager for Internet Information Services (IIS) 7.0

Source: Microsoft Support
RAPID PUBLISHING
RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED TO SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.
Symptom


When using the IIS Manager to configure an Internet Information Services (IIS) 7.0 server to use Windows Integrated Authentication, you cannot choose between the Negotiate and NTLM protocols.
Cause


The ability to choose between the Negotiate and the NTLM protocols is not exposed through the IIS Manager’s graphical user interface.
Resolution


To resolve this problem, follow the steps in the More Information section.
More Information


IIS passes the Negotiate security header when Integrated Windows authentication is used to authenticate client requests. The Negotiate security header lets clients select between Kerberos authentication and NTLM authentication. The Negotiate process selects Kerberos authentication unless one of the following conditions is true:

• One of the systems that is involved in the authentication cannot use Kerberos authentication.
• The calling application does not provide sufficient information to use Kerberos authentication.

To enable the Negotiate process to select the Kerberos protocol for network authentication, the client application must provide a service principal name (SPN), a user principal name (UPN), or a NetBIOS account name as the target name. Otherwise, the Negotiate process always selects the NTLM protocol as the preferred authentication method.

To make sure that IIS supports both the Kerberos protocol and the NTLM protocol, you must confirm that the Negotiate authentication provider is set in the <providers> collection of the security/authentication/windowsAuthentication section of the applicationHost.config file. There are two ways to do this:

1) If the IIS 6 Management Compatibility component is installed on the IIS 7.0 server, use the following command to set the providers to both Negotiate and NTLM: 


cscript adsutil.vbs set w3svc/NTAuthenticationProviders "Negotiate,NTLM" 




2) If the IIS 6 Management Compatibility component is not installed on the IIS server, use the following commands to set both providers: 

appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication /+"providers.[value='Negotiate']" /commit:apphost 

 

appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication /+"providers.[value='NTLM']" /commit:apphost
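
To confirm the result of either method, the <providers> collection can be read back from applicationHost.config, including any <location> entries that override the server-level list. The PowerShell below is an added example, not part of the original article: the function names are hypothetical, the XML is a constructed sample, and it assumes only server-to-<location> inheritance (nested location paths and web.config overrides are not modelled).

```powershell
# Constructed sample standing in for %windir%\System32\inetsrv\config\applicationHost.config
$sample = [xml]@'
<configuration>
  <system.webServer><security><authentication>
    <windowsAuthentication enabled="false"><providers><add value="Negotiate" /><add value="NTLM" /></providers></windowsAuthentication>
  </authentication></security></system.webServer>
  <location path="Default Web Site/intranet">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true"><providers><clear /><add value="NTLM" /></providers></windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
</configuration>
'@

# Hypothetical helper: applies <clear/>, <remove/> and <add/> in document order
# on top of the provider list inherited from the server-level section.
function Resolve-Providers($Node, [string[]]$Inherited) {
    $list = New-Object 'System.Collections.Generic.List[string]'
    if ($Inherited) { $list.AddRange($Inherited) }
    if ($Node) {
        foreach ($e in $Node.SelectNodes('providers/*')) {
            switch ($e.LocalName) {
                'clear'  { $list.Clear() }
                'remove' { [void]$list.Remove($e.GetAttribute('value')) }
                'add'    { $list.Add($e.GetAttribute('value')) }
            }
        }
    }
    return ,$list.ToArray()
}

# Hypothetical helper: one row per scope (server level, then each <location>
# that carries its own windowsAuthentication section).
function Get-WindowsAuthProviders([xml]$Config) {
    $rel  = 'system.webServer/security/authentication/windowsAuthentication'
    $base = Resolve-Providers ($Config.SelectSingleNode("/configuration/$rel")) @()
    $scopes = @(@{ Name = '(server)'; Providers = $base })
    foreach ($loc in $Config.SelectNodes('/configuration/location')) {
        $section = $loc.SelectSingleNode($rel)
        if ($section) { $scopes += @{ Name = $loc.GetAttribute('path'); Providers = (Resolve-Providers $section $base) } }
    }
    foreach ($s in $scopes) {
        New-Object psobject -Property @{
            Scope     = $s.Name
            Providers = $s.Providers -join ','
            HasBoth   = ($s.Providers -contains 'Negotiate') -and ($s.Providers -contains 'NTLM')
        }
    }
}

Get-WindowsAuthProviders $sample | Format-Table Scope, Providers, HasBoth -AutoSize
```

To check a live server, pass `[xml](Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config")` instead of `$sample`. A scope where HasBoth is False and Negotiate is missing offers NTLM only, so clients in that scope cannot select Kerberos.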





For more information on how to use the appcmd.exe tool, see the following document:

 

Getting Started with AppCmd.exe

http://learn.iis.net/page.aspx/114/getting-started-with-appcmdexe/
Properties

Article ID: 968867 - Last Review: 03/10/2009 22:32:39 - Revision: 1.0

Microsoft Internet Information Services 7.0

  • kbrapidpub kbnomt KB968867