How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication (215383)

The information in this article applies to:
- Microsoft Internet Information Services 6.0
- Microsoft Internet Information Services version 5.1
- Microsoft Internet Information Services 5.0

This article was previously published under Q215383.

Important: This article contains information about editing the metabase. Before you edit the metabase, verify that you have a backup copy that you can restore if a problem occurs. For information about how to do this, see the "Configuration Backup/Restore" Help topic in Microsoft Management Console (MMC).
SUMMARY

This step-by-step article describes how to configure Microsoft Internet Information Services (IIS) to support both the Kerberos protocol and the NTLM protocol for network authentication. IIS passes the Negotiate security header when Integrated Windows authentication is used to authenticate client requests. The Negotiate security header lets clients select between Kerberos authentication and NTLM authentication. The Negotiate process selects Kerberos authentication unless one of the following conditions is true:
- One of the systems that is involved in the authentication cannot use Kerberos authentication.
- The calling application does not provide sufficient information to use Kerberos authentication.

To enable the Negotiate process to select the Kerberos protocol for network authentication, the client application must provide a service principal name (SPN), a user principal name (UPN), or a NetBIOS account name as the target name. Otherwise, the Negotiate process always selects the NTLM protocol as the preferred authentication method.
Set the Negotiate security header

Warning: If you edit the metabase incorrectly, you can cause serious problems that may require you to reinstall any product that uses the metabase. Microsoft cannot guarantee that problems that result if you incorrectly edit the metabase can be solved. Edit the metabase at your own risk.

Note: Always back up the metabase before you edit it.

Note:
- By default, the NTAuthenticationProviders metabase property is not defined when you install IIS 6.0. IIS 6.0 uses the Negotiate,NTLM parameter when the NTAuthenticationProviders metabase property is not defined. Therefore, you do not have to configure IIS to use the Negotiate,NTLM property value unless the default value has been overwritten.
- By default, the NTAuthenticationProviders metabase property is defined when you install IIS 5.1 and IIS 5.0. This metabase property uses the Negotiate,NTLM parameter. Therefore, you do not have to configure IIS to use the Negotiate,NTLM property value unless the default value has been overwritten.
To make sure that IIS supports both the Kerberos protocol and the NTLM protocol, you must confirm that the Negotiate security header is set in the NTAuthenticationProviders metabase property. To do this, use the appropriate method for the version of IIS that you have.

IIS 6.0

1. Click Start, click Run, type cmd, and then press ENTER.
2. Locate the directory that contains the Adsutil.vbs file. By default, this directory is C:\Inetpub\Adminscripts.
3. Use the following command to retrieve the current values for the NTAuthenticationProviders metabase property:

   cscript adsutil.vbs get w3svc/WebSite/root/NTAuthenticationProviders

   In this command, WebSite is a placeholder for the Web site ID number. The Web site ID number of the default Web site is 1.

   Warning: Do not perform a copy-and-paste operation to paste the command from this article. This operation may cause issues with the property setting. To avoid these issues, type the whole command at a command prompt.

   Note: This command fails if the NTAuthenticationProviders metabase property is not defined. For more information, see the note earlier in this section.

   If the Negotiate process is enabled, this command returns the following information:

   NTAuthenticationProviders : (STRING) "Negotiate,NTLM"

4. If the command in step 3 does not return the string "Negotiate,NTLM", use the following command to enable the Negotiate process:

   cscript adsutil.vbs set w3svc/WebSite/root/NTAuthenticationProviders "Negotiate,NTLM"

5. Repeat step 3 to verify that the Negotiate process has been enabled.
IIS 5.1 or IIS 5.0

1. Click Start, click Run, type cmd, and then press ENTER.
2. Locate the directory that contains the Adsutil.vbs file. By default, this directory is C:\Inetpub\Adminscripts.
3. Use the following command to retrieve the current values for the NTAuthenticationProviders metabase property:

   cscript adsutil.vbs get w3svc/NTAuthenticationProviders

   Warning: Do not perform a copy-and-paste operation to paste the command from this article. This operation may cause issues with the property setting. To avoid these issues, type the whole command at a command prompt.

   Note: This command fails if the NTAuthenticationProviders metabase property is not defined. For more information, see the note earlier in this section.

   If the Negotiate process is enabled, this command returns the following information:

   NTAuthenticationProviders : (STRING) "Negotiate,NTLM"

   Note: By default, the NTAuthenticationProviders metabase property is set to Negotiate,NTLM when you install IIS 5.1 or IIS 5.0.

4. If the command in step 3 does not return the string "Negotiate,NTLM", use the following command to enable the Negotiate process:

   cscript adsutil.vbs set w3svc/NTAuthenticationProviders "Negotiate,NTLM"

5. Repeat step 3 to verify that the Negotiate process has been enabled.
You can disable the Negotiate process to force IIS to use the NTLM protocol for network authentication. This procedure prevents IIS from using the Kerberos protocol. To disable the Negotiate process, use the following command.

Note: In this command, "NTLM" must be uppercase to avoid any adverse effects.

cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"

Note: To verify that the change has been made successfully, always repeat step 3 when you change this metabase value.
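The get/check/set/re-verify loop above is easy to script across several sites. The following PowerShell script is an added example, not part of this article or of the Adsutil.vbs tool: it wraps the same adsutil.vbs get and set commands, parses the NTAuthenticationProviders : (STRING) "..." line, reports whether each site's value matches the expected provider list (comparing case-sensitively, so an accidental lowercase "ntlm" is flagged), and optionally sets the value and re-reads it. It assumes an elevated PowerShell session on the IIS 6.0 server, Adsutil.vbs in the default C:\Inetpub\Adminscripts directory, and that the site IDs passed in exist (the default Web site is ID 1); the script name and parameter names are this example's own.

```powershell
<#
  Added example (not part of KB 215383): audit, and optionally set, the
  NTAuthenticationProviders metabase property on IIS 6.0 Web sites by wrapping
  the adsutil.vbs "get" and "set" commands the article describes.
  Assumptions: elevated PowerShell on the IIS 6.0 server, adsutil.vbs in
  C:\Inetpub\Adminscripts, and existing site IDs (default Web site = 1).
#>
param(
    [string]$AdminScripts = 'C:\Inetpub\Adminscripts',
    [int[]]$SiteIds = @(1),
    [string]$Providers = 'Negotiate,NTLM',   # use 'NTLM' to disable Negotiate
    [switch]$Fix                            # without -Fix the script only reports
)

$adsutil = Join-Path $AdminScripts 'adsutil.vbs'
if (-not (Test-Path $adsutil)) { throw "adsutil.vbs not found at $adsutil" }

function Get-NTAuthProviders {
    param([string]$MetabasePath)
    # adsutil prints:  NTAuthenticationProviders : (STRING) "Negotiate,NTLM"
    # When the property is not defined (the IIS 6.0 default) it prints an
    # error instead, so the regex does not match and $null is returned.
    $out = & cscript.exe //nologo $adsutil get "$MetabasePath/NTAuthenticationProviders" 2>&1
    $m = [regex]::Match(($out -join "`n"),
                        'NTAuthenticationProviders\s*:\s*\(STRING\)\s*"([^"]*)"')
    if ($m.Success) { return $m.Groups[1].Value }
    return $null
}

function Test-Providers {
    param([string]$Actual, [string]$Expected)
    # An undefined property on IIS 6.0 means the built-in default applies.
    if ([string]::IsNullOrEmpty($Actual)) { $Actual = 'Negotiate,NTLM' }
    # Compare as case-sensitive token lists: the article requires "NTLM" in
    # uppercase, so "ntlm" or "negotiate" is reported as a mismatch.
    $have = @($Actual   -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $want = @($Expected -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($have.Count -ne $want.Count) { return $false }
    foreach ($p in $want) {
        if (-not ($have -ccontains $p)) { return $false }
    }
    return $true
}

foreach ($id in $SiteIds) {
    $path  = "w3svc/$id/root"
    $value = Get-NTAuthProviders -MetabasePath $path
    $shown = if ([string]::IsNullOrEmpty($value)) {
                 '(not defined; IIS 6.0 default Negotiate,NTLM applies)'
             } else { "`"$value`"" }

    if (Test-Providers -Actual $value -Expected $Providers) {
        Write-Output "Site $id : OK, NTAuthenticationProviders = $shown"
        continue
    }

    Write-Warning "Site $id : NTAuthenticationProviders = $shown, expected `"$Providers`""
    if ($Fix) {
        # Same as the article's "set" command, then re-read as step 5 requires.
        & cscript.exe //nologo $adsutil set "$path/NTAuthenticationProviders" $Providers | Out-Null
        $after = Get-NTAuthProviders -MetabasePath $path
        Write-Output "Site $id : now NTAuthenticationProviders = `"$after`""
    }
}
```

Run it as, for example, .\Check-NTAuthProviders.ps1 -SiteIds 1,2 to report only, and add -Fix to apply "Negotiate,NTLM" where it is missing. Because the quotation marks are typed into the script file rather than pasted from a web page, the copy-and-paste problem the article warns about does not arise. The script addresses each site's root (w3svc/<id>/root) as in the IIS 6.0 procedure; the server-wide w3svc/NTAuthenticationProviders path used in the IIS 5.x steps and in the disable command can be checked the same way by passing that path to Get-NTAuthProviders.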
Modification Type: Major
Last Reviewed: 4/26/2006
Keywords: kbHOWTOmaster kbhowto KB215383 kbAudDeveloper