
Receiving login prompt using integrated windows authentication



I have a Windows 2008 server that I'm working on, so my answer is not completely the same as what the OP has on a Windows 2003 server.

Here is what I did (recording this here so I can find it later).

I was having this same issue:

[screenshot: login prompt]

In my Web.config file, I had this section:

<system.web>
    <authentication mode="Windows" />
    <authorization>
        <allow users="*" />
        <deny users="?" />
    </authorization>
</system.web>

Under IIS, all of these seem to be solved under the Authentication icon.

  1. Edit Permissions: Make sure your ASP.NET account has permission. Mine was not originally added.

[screenshot: ASP.NET permission]

Now go into the features of Authentication:

[screenshot: Authentication features]

Enable Anonymous Authentication with the IUSR:

[screenshot: Anonymous Authentication]

Enable Windows Authentication, then Right-Click to set the Providers.

NTLM needs to be FIRST!

[screenshot: Windows Authentication providers]

Next, check that under Advanced Settings... the Extended Protection is Accept and Enable Kernel-mode authentication is CHECKED:

[screenshot: Advanced Settings]

Once I did this, I went back to my web application, clicked the Browse link, and logged in without having to provide my credentials again.

I hope this proves beneficial to many of you, and I hope it is useful for me later as well.


Just for other people's benefit. If the error is a 401.1 Unauthorized and your error code matches 0xc000006d, then you're actually running into a security "feature" that blocks requests to FQDN or custom host headers that don't match your local machine name:

Follow this support article to fix the issue:

https://webconnection.west-wind.com/docs/_4gi0ql5jb.htm (original, now defunct: http://support.microsoft.com/kb/896861)

From the support article, to ensure it doesn't get lost:

The work around is a registry hack that disables this policy explicitly.

To perform this configuration manually find this key in the registry on the server:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

and edit or add a new key:

DisableLoopbackCheck (DWORD)

then set the value to 1 to disable the loopback check (local authentication works), or to 0 (local authentication is not allowed).

Or more easily you can use Powershell:

New-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name "DisableLoopbackCheck" -Value "1" -PropertyType dword

It looks like recent builds of Windows 10 (1803 and later?) also require this configuration setting in order to authenticate locally.

This one took me a while because everyone else's comments here failed to help me. I found this article and it fixed it!
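The registry change above disables the loopback check for every host name on the server. As an added example (not code from any answer or from the linked article), the PowerShell below reports the current state of that setting, applies the narrower alternative from the same Microsoft article (listing only the host names you serve in BackConnectionHostNames, which keeps the check active for everything else), and prints the site's Windows Authentication provider order so you can confirm what the other answers here ask for. It assumes an elevated PowerShell session on the IIS server; the host name and site name are placeholders.

```powershell
# Added example, not part of the original answers. Run elevated on the IIS server.
param(
    [string]$HostName = "intranet.example.local",   # placeholder: the FQDN/host header that prompts for login
    [string]$SiteName = "Default Web Site"          # placeholder: the IIS site to inspect
)

$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# 1. Report whether the global loopback check has already been switched off.
$loopback = (Get-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue).DisableLoopbackCheck
if ($loopback -eq 1) {
    Write-Warning "DisableLoopbackCheck=1: the loopback check is disabled for ALL host names on this server."
} else {
    Write-Host "DisableLoopbackCheck is unset or 0: the loopback check is active."
}

# 2. Narrower fix: allow only the named host(s) through the loopback check.
#    BackConnectionHostNames is a REG_MULTI_SZ value, one host name per entry.
$current = (Get-ItemProperty -Path $msv1Key -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames
if ($null -eq $current) { $current = @() }

if ($current -contains $HostName) {
    Write-Host "$HostName is already listed in BackConnectionHostNames."
} else {
    $updated = @($current) + $HostName
    # -Force overwrites the existing multi-string value instead of failing on it.
    New-ItemProperty -Path $msv1Key -Name BackConnectionHostNames -Value $updated -PropertyType MultiString -Force | Out-Null
    Write-Host "BackConnectionHostNames is now: $($updated -join ', ')"
}

# 3. Show the Windows Authentication provider order for the site. The answers on this
#    page put NTLM first; note that this stops Kerberos (Negotiate) from being tried
#    for that site, so only reorder when you have confirmed Negotiate is what fails.
& "$env:windir\system32\inetsrv\appcmd.exe" list config "$SiteName" /section:windowsAuthentication
```

A reboot is not required for BackConnectionHostNames, but the IIS Admin Service (and any site using the host name) must be restarted before the change takes effect.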


I had a similar issue whereby I wanted to protect only a certain part of my website. Everything worked well except in IE. I have both Anonymous and Windows Authentication enabled. For Anonymous, the Identity is set to the Application Pool identity. The problem was with the Windows Authentication. After some digging around I fired up fiddler and found that it was using Kerberos as the provider (actually it is set to Negotiate by default). I switched it to NTLM and that fixed it. HTH

Daudi


Add permission [Domain Users] to your web security.

  • Right click on your site in IIS under the Sites folder
  • Click Edit Permissions...
  • Select the Security tab
  • Under the Group or usernames section click the Edit... button
  • In the Permissions pop up, under the Group or user names click Add...
  • Enter [Domain Users] in the object names to select text area and click OK to apply the change
  • Click OK to close the Permissions pop up
  • Click OK to close the Properties pop up and apply your new settings

Don't create mistakes on your server by changing everything. If you get a Windows prompt to log on when using Windows Authentication on 2008 R2, just go to Providers and move NTLM UP for each of your applications. When Negotiate is the first one in the list, Windows Authentication can stop working properly for a specific application on 2008 R2 and you can be prompted to enter a username and password that never work. That sometimes happens when you have made an update to your application. Just be sure that NTLM is first on the list and you will never see this problem again.