Authentication fails when you visit a website in Internet Explorer 11 through a proxy server


Symptoms

Assume that you have access to a web server that requires Kerberos authentication. When you try to access the web server in Internet Explorer 11 through a proxy server, the authentication fails, and you cannot access the website.

Cause

This issue occurs when the web server is accessed through a CNAME that is defined in DNS for the server, while the web server uses the Service Principal Name (SPN) of an A record to process the Kerberos authentication. When Internet Explorer accesses the web server through a proxy server, it requests the Kerberos ticket based on the CNAME of the web server instead of the A record. Because no SPN is registered in Kerberos for the CNAME, the ticket cannot be obtained, and the authentication fails.

Update information

To resolve this issue, install the most recent cumulative security update for Internet Explorer. To do this, go to Microsoft Update. Additionally, see the technical information about the most recent cumulative security update for Internet Explorer.

Note This update was first included in the July 2015 security update for Internet Explorer (MS15-065).

Registry information

After you apply this update, you must change the registry. To do this, follow these steps:

Important Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.

For 32-bit (x86-based) computers

  1. In Registry Editor, locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl

  2. Right-click FeatureControl, point to New, and then click Key.

  3. Type FEATURE_ALWAYS_USE_DNS_FOR_SPN_KB3022771, and then press Enter to name the new subkey.

  4. Right-click FEATURE_ALWAYS_USE_DNS_FOR_SPN_KB3022771, point to New, and then click DWORD Value.

  5. Type *, and then press Enter to name the new entry.

  6. Right-click *, and then click Modify.

  7. In the Value data box, type 00000001, and then click OK.

  8. Exit Registry Editor.

For 64-bit (x64-based) computers

  1. In Registry Editor, locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl

  2. Right-click FeatureControl, point to New, and then click Key.

  3. Type FEATURE_ALWAYS_USE_DNS_FOR_SPN_KB3022771, and then press Enter to name the new subkey.

  4. Right-click FEATURE_ALWAYS_USE_DNS_FOR_SPN_KB3022771, point to New, and then click DWORD Value.

  5. Type *, and then press Enter to name the new entry.

  6. Right-click *, and then click Modify.

  7. In the Value data box, type 00000001, and then click OK.

  8. Expand the following subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl

  9. Right-click FeatureControl, point to New, and then click Key.

  10. Type FEATURE_ALWAYS_USE_DNS_FOR_SPN_KB3022771, and then press Enter to name the new subkey.

  11. Right-click FEATURE_ALWAYS_USE_DNS_FOR_SPN_KB3022771, point to New, and then click DWORD Value.

  12. Type *, and then press Enter to name the new entry.

  13. Right-click *, and then click Modify.

  14. In the Value data box, type 00000001, and then click OK.

  15. Exit Registry Editor.
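
The same registry change can be scripted for deployment to many machines. The following PowerShell is an added example, not part of the original article or a Microsoft-supplied script; it assumes PowerShell 3.0 or later (.NET Framework 4) running in an elevated session, and it reaches the Wow6432Node key through the 32-bit registry view rather than by path.

```powershell
# Added example (not Microsoft's script). Assumes PowerShell 3.0+ and an elevated session.
$subKey    = 'SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALWAYS_USE_DNS_FOR_SPN_KB3022771'
$valueName = '*'   # literal value name from the article (FeatureControl value names are process names; * matches all)
$valueData = 1     # the article's 00000001

# On x64 the article sets the value under both the native key and the Wow6432Node key.
# Opening HKLM with an explicit RegistryView reaches each one without hard-coding Wow6432Node.
$views = if ([Environment]::Is64BitOperatingSystem) {
    [Microsoft.Win32.RegistryView]::Registry64, [Microsoft.Win32.RegistryView]::Registry32
} else {
    [Microsoft.Win32.RegistryView]::Default
}

$results = foreach ($view in $views) {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $view)
    try {
        # CreateSubKey opens the subkey if it already exists, otherwise creates it.
        $key = $hklm.CreateSubKey($subKey)
        try {
            # The .NET API takes '*' as a literal value name, so there is no
            # wildcard interpretation to worry about.
            $key.SetValue($valueName, $valueData, [Microsoft.Win32.RegistryValueKind]::DWord)

            # Read the value back so the result can be checked and logged.
            [pscustomobject]@{
                View = $view
                Key  = $key.Name
                Kind = $key.GetValueKind($valueName)
                Data = $key.GetValue($valueName)
            }
        } finally { $key.Close() }
    } finally { $hklm.Close() }
}

$results | Format-Table -AutoSize

# Fail loudly if any view did not end up with DWORD 1.
if ($results | Where-Object { $_.Kind -ne 'DWord' -or $_.Data -ne 1 }) {
    throw 'FEATURE_ALWAYS_USE_DNS_FOR_SPN_KB3022771 was not written as DWORD 1 in every registry view.'
}
```

Run without elevation, `CreateSubKey` throws an access-denied error and nothing is written.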


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

