IIS 5 & IIS 6
Authentication Fails when "Enable Integrated Windows Authentication"...
Last post Jun 26, 2009 12:11 PM by maltesehamster
Jun 25, 2009 12:47 PM|maltesehamster
I have two applications running on a Windows 2003 server. Each runs under a separate application pool, and each application pool runs under a separate domain account.
When users connect to the application, having "Enable Integrated Windows Authentication" turned on in Internet Explorer, they are not able to authenticate. However, if they turn the setting off, they are able to connect no problem.
IIS is configured with an NTAuthenticationProviders value of NTLM.
Is there a way to allow users to authenticate regardless of whether they have the "Enable Integrated Windows Authentication" setting turned on or off in IE, yet still have the applications run under separate application pools with separate domain accounts?
Jun 25, 2009 01:22 PM|tomkmvp
"they are not able to authenticate"
What does this mean? What http status code is returned? 401.1? 401.3? ...?
Jun 25, 2009 01:28 PM|maltesehamster
It's a 401.1. I should add that they are logging into the application using domain accounts other than those they use to log into their personal computers, if that makes any difference.
Jun 25, 2009 01:47 PM|tomkmvp
It just might - that error means it's unable to authenticate those credentials, maybe because IIS can't contact the other domain. Which domain is the server in? Are the users also specifying their domain?
Jun 25, 2009 02:02 PM|maltesehamster
The application is installed in IIS on a server in domain A.
The users' personal computers are in domain B, and they log into their computers using domain B accounts.
However, when the users access the application, they log in using domain A accounts when prompted, and yes, they specify domain A when logging in.
The only way they are able to log in successfully is if they turn "Enable Integrated Windows Authentication" off in Internet Explorer.
Jun 25, 2009 02:10 PM|tomkmvp
FWIW, IWA works best when everything is in the same domain (or at least the user's locally logged on credentials are what's used) and IE is configured to pass the credentials in the background without user intervention.
Is there a specific reason you're using Windows Integrated? Does Basic work?
Jun 25, 2009 02:22 PM|maltesehamster
The user's locally logged on credentials will be used eventually - which is why we're using IWA - at some point, they will be using their own local accounts to log in (ideally they will not get prompted for credentials).
Right now though, the application is in an isolated testing environment that is in a different domain. Testing accounts have been created in that domain for the users to use to access the application during testing. Unfortunately these are the restrictions I must work beneath :)
Do you think that once we complete testing and move the application out of the testing domain, so that the users can use their own accounts to log in, everything will work regardless of that IE setting mentioned above?
Thanks for all your help.
Jun 25, 2009 02:35 PM|tomkmvp
Given everything you've posted, I see no reason why it would not work when everything is in the same domain.
Jun 26, 2009 12:11 PM|maltesehamster
Just wanted to let you (and other interested parties) know that forcing IIS to use NTLM authentication solved the problem. However, I had initially tried a method of doing this which was the incorrect method:
cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
Apparently, this method didn't impact the part of IIS affecting my problem. I had to follow this method instead:
In IIS Manager, right-click the local computer, and then click Properties.
Select the Enable Direct Metabase Edit check box, and then click OK.
Click Start, click Run, type cmd, and then click OK.
At the command prompt, type the following command to change to the directory where the MetaBase.xml file is located:
To open the file with Notepad, at the command prompt, type the following:
In the <IISWebServer> section, locate the NTAuthenticationProviders metabase property and modify its setting to read "NTLM".
Save and close the MetaBase.xml file.
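The final post shows two ways of writing NTAuthenticationProviders, one at the w3svc node via adsutil.vbs and one by editing MetaBase.xml directly. A point worth checking before either edit is metabase inheritance: a property set on a parent node is inherited downward, but any child node (a site, its Root virtual directory, an application) that carries its own explicit value shadows the parent, so a change at w3svc has no visible effect there. The script below is an added example and is not code from the thread or from IIS; it parses a constructed MetaBase.xml fragment (the element names, Location attribute and attribute-per-property layout follow the IIS 6 MetaBase.xml format as I understand it, which is an assumption) and reports, for each site root, which node actually supplies the effective NTAuthenticationProviders value. Run it against a copy of the real MetaBase.xml to see where an NTLM-only setting would need to go.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from any real server. Assumption: each metabase
# node is an element whose Location attribute is the metabase path, and
# properties such as NTAuthenticationProviders are attributes on that element.
# Sites 1 and 2 stand in for the two applications in the thread.
SAMPLE_METABASE = """
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
  <IIsWebService Location="/LM/W3SVC" NTAuthenticationProviders="NTLM" />
  <IIsWebServer Location="/LM/W3SVC/1" ServerComment="App A" />
  <IIsWebVirtualDir Location="/LM/W3SVC/1/Root" AppPoolId="PoolA"
                    NTAuthenticationProviders="Negotiate,NTLM" />
  <IIsWebServer Location="/LM/W3SVC/2" ServerComment="App B"
                NTAuthenticationProviders="Negotiate,NTLM" />
  <IIsWebVirtualDir Location="/LM/W3SVC/2/Root" AppPoolId="PoolB" />
</MBProperty>
</configuration>
"""

PROP = "NTAuthenticationProviders"


def load_nodes(xml_text):
    """Map each metabase Location (lower-cased key) to its attribute dict."""
    nodes = {}
    for elem in ET.fromstring(xml_text).iter():
        loc = elem.get("Location")
        if loc:
            nodes[loc.lower()] = dict(elem.attrib)
    return nodes


def ancestor_paths(path):
    """Return the path followed by each parent up to the root, e.g.
    /LM/W3SVC/1/Root -> /LM/W3SVC/1 -> /LM/W3SVC -> /LM."""
    parts = [p for p in path.split("/") if p]
    return ["/" + "/".join(parts[:i]) for i in range(len(parts), 0, -1)]


def effective_value(nodes, path, prop=PROP):
    """Return (value, defining_location) for the nearest node at or above
    `path` that sets `prop` explicitly, or (None, None) if none does.
    This mirrors metabase inheritance: the most specific explicit value wins,
    so a value written at /LM/W3SVC is shadowed wherever a child sets its own."""
    for candidate in ancestor_paths(path):
        attrs = nodes.get(candidate.lower())
        if attrs and prop in attrs:
            return attrs[prop], attrs["Location"]
    return None, None


def explicit_settings(nodes, prop=PROP):
    """Locations that set `prop` themselves; a change at a parent node is
    shadowed below every one of these."""
    return sorted(a["Location"] for a in nodes.values() if prop in a)


def site_report(nodes, prop=PROP):
    """For every site root (/LM/W3SVC/<n>/Root) report the effective value
    and the node it comes from."""
    report = {}
    for attrs in nodes.values():
        parts = attrs["Location"].split("/")  # ['', 'LM', 'W3SVC', '1', 'Root']
        if (len(parts) == 5 and parts[2].lower() == "w3svc"
                and parts[4].lower() == "root"):
            report[attrs["Location"]] = effective_value(nodes, attrs["Location"], prop)
    return report


if __name__ == "__main__":
    nodes = load_nodes(SAMPLE_METABASE)
    print("nodes setting", PROP, "explicitly:", explicit_settings(nodes))
    for root, (value, source) in sorted(site_report(nodes).items()):
        print(f"{root}: {value!r} (inherited from {source})")
```

In the constructed sample the w3svc node already says NTLM, yet both site roots still resolve to "Negotiate,NTLM" because site 1 sets the property on its Root and site 2 sets it on the site node. The explicit_settings output is the list of places an administrator would have to change (or clear, so the value inherits again) for a w3svc-level setting to take effect.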