NTAuthenticationProviders Metabase Property

 

By default, the value of NTAuthenticationProviders is empty in IIS (at the global level), and IIS uses mixed authentication (Kerberos and Windows Integrated).

In some cases the behavior is inconsistent, as Microsoft describes in the article http://support.microsoft.com/kb/871179:

This behavior may occur if the following conditions are true:

  • The IIS 6.0 Web site is part of an IIS application pool.
  • The application pool is running under a local account or under a domain user account.
  • The Web site is configured to use Integrated Windows authentication only.

In this scenario, when Integrated Windows authentication tries to use Kerberos, Kerberos authentication may not work. To use Kerberos authentication, a service must register its service principal name (SPN) under the account in the Active Directory directory service that the service is running under. By default, Active Directory registers the network basic input/output system (NetBIOS) computer name. Active Directory also permits the Network Service or the Local System account to use Kerberos.

 

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/ea7cd846-33da-49c9-927f-d4e76d6309ac.mspx?mfr=true

 

By default, the NTAuthenticationProviders metabase property is not defined when you install IIS 6.0. IIS 6.0 uses the Negotiate, NTLM parameter when the NTAuthenticationProviders metabase property is not defined. Therefore, you do not have to configure IIS to use the Negotiate,NTLM property value unless the default value has been overwritten.

 

We recommend using NTLM only. In any case, this can be changed by running

adsutil.vbs set w3svc/WebSite/root/NTAuthenticationProviders "Negotiate,NTLM"

or deleted completely by

adsutil.vbs delete w3svc/WebSite/root/NTAuthenticationProviders
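
To check which value each site actually ends up with before running either command, the following added example (not from the original page or from Microsoft) resolves the effective NTAuthenticationProviders value per node from a MetaBase.xml export. The sample XML is constructed, and the element layout and parent-to-child inheritance by Location path are assumptions about the metabase file.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an IIS 6.0 MetaBase.xml export (assumed layout).
SAMPLE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebService Location="/LM/W3SVC" />
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" NTAuthenticationProviders="NTLM" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/app" />
<IIsWebServer Location="/LM/W3SVC/2" />
<IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT" />
</MBProperty>
</configuration>"""

PROP = "NTAuthenticationProviders"
DEFAULT = "Negotiate,NTLM"  # used by IIS 6.0 when the property is not defined

def explicit_values(xml_text):
    """Map each W3SVC metabase path (upper-cased) to its explicitly set value, or None."""
    values = {}
    for el in ET.fromstring(xml_text).iter():
        loc = (el.get("Location") or "").upper()
        if loc.startswith("/LM/W3SVC"):
            values[loc] = el.get(PROP)
    return values

def effective(xml_text):
    """Resolve the value each node ends up with (assumes parent-to-child inheritance)."""
    nodes = explicit_values(xml_text)
    report = {}
    for loc in nodes:
        path, source = loc, None
        while path and not nodes.get(path):
            path = path.rpartition("/")[0]  # step up one level
        if path:
            source = path
        providers = [p.strip() for p in (nodes[source] if source else DEFAULT).split(",")]
        report[loc] = {
            "providers": providers,
            "set_at": source,  # None means nothing defined, default applies
            "negotiate_offered": any(p.lower() == "negotiate" for p in providers),
        }
    return report

if __name__ == "__main__":
    for loc, info in sorted(effective(SAMPLE).items()):
        print(loc, info)
```

Nodes reported with `negotiate_offered` false will never attempt Kerberos; nodes where it is true still depend on the SPN conditions quoted above.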

 
