3
votes

I have a sub-application that I want to use Windows authentication. I want the login box to pop up, even within the domain, when the person first reaches the page.

When I turn off Kernel-mode authentication, the login box pops up, but fails with error 401 Not Authorized after 3 login attempts. If I turn this on, it doesn't even ask for the password. I believe this is because the computer is in the server's domain and the credentials are passed automatically.

Is there any way to show the login form for all users, including domain users?

In the image below are my server configs.

[Image: Windows Auth Configs]

2
Try removing NTLM from providers. - SANM2009

2 Answers

3
votes

Windows Authentication is normally handled by IIS. This is the way it works:

  1. Client requests the page.
  2. IIS returns an HTTP 401 response, with a header saying that it accepts Windows auth.
  3. The client's browser automatically resends the request with the user's credentials (as long as the site is trusted).
  4. IIS verifies the user and passes the credentials to the application.

This is all designed to be seamless.

If you want the user to be prompted for credentials all the time, then either:

  1. Make sure your site is not trusted (not in the Internet Options Trusted Sites or Intranet Sites). But you may not be able to do that.
  2. Don't use Windows authentication. Use Forms authentication and make a login page where the users can enter their credentials. But that means that you will have to verify the credentials against Windows or Active Directory yourself in your code.

If you use #2, then also make sure to use SSL on your site since passwords will be sent in plain text.
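
One way to do the credential check described in option 2, added here as an example and not code from the answer above. It assumes classic ASP.NET (System.Web) with Forms authentication enabled; the domain name `EXAMPLE` and the `AdLogin`, `Validate` and `SignIn` names are placeholders.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Web;
using System.Web.Security;

public static class AdLogin
{
    // Assumption: placeholder domain name, replace with your AD domain.
    private const string Domain = "EXAMPLE";

    // Returns true only if Active Directory accepts the username/password pair.
    public static bool Validate(string username, string password)
    {
        // Reject empty input up front: an LDAP simple bind with an empty
        // password is an unauthenticated bind and can succeed.
        if (string.IsNullOrWhiteSpace(username) || string.IsNullOrEmpty(password))
            return false;

        using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
        {
            // Negotiate binds with Kerberos/NTLM rather than sending the
            // password to the domain controller as a simple bind.
            return ctx.ValidateCredentials(username, password, ContextOptions.Negotiate);
        }
    }

    // Call this from the login page's submit handler.
    public static bool SignIn(HttpContext http, string username, string password)
    {
        // The form posts the password in the request body, so refuse
        // to process a login that did not arrive over HTTPS.
        if (!http.Request.IsSecureConnection)
            throw new InvalidOperationException("Login form must be served over HTTPS.");

        // Same result for an unknown user and a wrong password, so the
        // response does not reveal which account names exist.
        if (!Validate(username, password))
            return false;

        // Issue the Forms authentication ticket (session cookie, not persistent).
        FormsAuthentication.SetAuthCookie(username, false);
        return true;
    }
}
```

Setting `requireSSL="true"` on the `<forms>` element in web.config keeps the resulting authentication cookie off plain HTTP as well.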

0
votes

You can use Basic authentication. It will prompt the user for credentials and once entered, it will give you a seamless experience.

However, the disadvantage with basic auth is that it sends the password in plain text to the server. You can use an SSL certificate to encrypt this information.