Remove NEGOTIATE from WindowsAuthentication in IIS

I have a site running in IIS 7.5 that is accessed using a DNS alias different from the actual server name. In IE 8, integrated authentication is failing, but in Firefox and Chrome everything works fine. (IE presents a credential challenge a few times, then displays a 401.1 error page.)

I have figured out that this is due to IE using Kerberos (aka "Negotiate") over NTLM, and Kerberos requires registering a Service Principal Name (using SETSPN) so that the mismatch between the DNS name and the server name is properly handled.

My web site, however, doesn't need impersonation--it is enough to have delegation. So instead of messing with SetSPN, I would just like to remove "Negotiate" from the list of WindowsAuthentication methods in IIS.

I have searched for quite some time to find out how to do this in IIS. I have played with many appcmd commands--but I just can't find online examples, or figure out how by reading MSDN documentation or using appcmd /? to make appcmd commands apply only to a particular application within a site rather than to the entire web server. A few search-hours later over two days, and at least 3 dozen web pages visited, I am still coming up fruitless.

How in tarnation do I get this done--it seems like it should be so easy!

ErikE asked Apr 25 '13 19:04


1 Answer

Open the Configuration Editor in IIS. It comes with IIS 7.5, or you can download the IIS administration pack for IIS 7.0. Navigate to the scope you want to affect (server, site, or application) and then open the icon:

[Screenshot: IIS Configuration Editor]

Change the Section to system.webServer/security/authentication/windowsAuthentication:

[Screenshot: IIS Configuration Editor - Windows Authentication]

Click on the providers item, and then click Edit Items on the right. Select the "Negotiate" item and click "Remove":

[Screenshot: IIS Configuration Editor - Windows Authentication - providers]

Close the dialog and click Apply in the Actions pane on the right.

Your problem is solved! No more Kerberos/negotiate!

Note: you can also click Generate Script in the Actions pane to display the code that will make the change in either C#, JavaScript, or with appcmd from the command line.

For reference, here is the appcmd statement to do the job without using the Configuration Editor.

appcmd.exe set config "Virtual/path/to/application" -section:system.webServer/security/authentication/windowsAuthentication /-"providers.[value='Negotiate']" /commit:apphost
ErikE answered Nov 28 '22 10:11
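The same change as the answer's appcmd line, done from PowerShell so the provider list can be read back before and after. This is an added example, not code from the answer; it assumes the WebAdministration module that ships with IIS 7.5, and the site name "Default Web Site" and application name "MyApp" are placeholders for your own scope.

```powershell
# Added example: remove the Negotiate provider from windowsAuthentication at
# application scope and verify the remaining providers.
# Assumes the WebAdministration module; site/app names below are placeholders.
Import-Module WebAdministration

$site     = 'Default Web Site'   # placeholder: your site name
$app      = 'MyApp'              # placeholder: your application name
$psPath   = 'MACHINE/WEBROOT/APPHOST'
$location = "$site/$app"
$filter   = 'system.webServer/security/authentication/windowsAuthentication/providers'

function Get-WinAuthProviders {
    param([string]$Location)
    # Each <add value="..."/> under <providers> is returned as one object;
    # at a scope without its own list this reflects the inherited apphost list.
    Get-WebConfiguration -PSPath $psPath -Location $Location -Filter "$filter/add" |
        ForEach-Object { $_.value }
}

$before = Get-WinAuthProviders $location
Write-Host "Before: $($before -join ', ')"

if ($before -contains 'Negotiate') {
    # Same effect as:
    #   appcmd set config "<location>" -section:system.webServer/security/authentication/windowsAuthentication
    #       /-"providers.[value='Negotiate']" /commit:apphost
    # i.e. a <remove value="Negotiate"/> written into a <location path="..."> block in applicationHost.config.
    Remove-WebConfigurationProperty -PSPath $psPath -Location $location `
        -Filter $filter -Name '.' -AtElement @{ value = 'Negotiate' }
}

$after = Get-WinAuthProviders $location
Write-Host "After:  $($after -join ', ')"

# Sanity checks: Negotiate must be gone at this scope, and NTLM must still be
# present, otherwise Windows authentication has no provider left to offer.
if ($after -contains 'Negotiate') { throw "Negotiate is still configured for $location" }
if ($after -notcontains 'NTLM')   { throw "No NTLM provider remains for $location" }
```

Run it from an elevated PowerShell prompt on the IIS host; because the removal is committed to applicationHost.config under a location element, only the named application is affected, not the whole server.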