13
votes

Really need help with this and tried lots of things and run out of ideas.

I have a site hosted on an internal development server, accessible for staff internally.

The server setup is Windows 2008 R2, IIS 7.5, SQL 2008 Express. I'm authenticating using Active Directory.

In Chrome the site loads, and automatically logs me in, recognising my name.

When viewing the site in IE7 the response is: "401 - Unauthorized: Access is denied due to invalid credentials. You do not have permission to view this directory or page using the credentials that you supplied."

I have tried the following:

  • In IIS, set only Windows authentication to enabled (the rest disabled)
  • Moved NTLM to the top of the providers list
  • Given full control of the web directory to Everyone/IUSR/Network Service/DefaultAppPool ...list goes on.
  • Checked IE settings (enable integrated Windows authentication is checked)
  • user authentication in IE7 is set to "automatic logon only in intranet zone".
  • set the following in web.config:
    • <anonymousIdentification enabled="false" />
    • <authentication mode="Windows" />
    • <identity impersonate="false" />
  • Executed: cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"

I'm convinced it's not a browser setting, as I'm authenticated against AD when I access the intranet in IE7.

What is wrong? How can I fix it?

Many thanks

3
Curious. In IE go to Tools|Internet Options|Security (tab) and select Intranet Zone and Custom Level. Scroll to the bottom of the Security Settings window and first select "Automatic Login with current username and password". Save and see if you still get the 401. If that doesn't work then try the "Prompt for username and password". Try that. Also verify the Intranet icon is displaying on the bottom right status of the browser. Sometimes this behavior is due to the host.domain not being configured in the Trusted Sites tab. - JimSTAT
@raklos This is how I would troubleshoot the problem. Download Wireshark. Capture the network traffic between Chrome and IIS and see how the authentication works. Capture the network traffic between IE and IIS and see how it fails. - Harvey Kwok

3 Answers

20
votes

From the technet article, http://technet.microsoft.com/en-us/library/cc754628(v=ws.10).aspx :

The default setting for Windows authentication is Negotiate. This setting means that the client can select the appropriate security support provider. To force NTLM authentication, you must change the value of the element under the element in the ApplicationHost.config file.

IE is using Kerberos and not falling back on NTLM like Chrome and Firefox. You must force NTLM authentication in IIS7.5 by following these steps:

  1. Select your site.
  2. Double click authentication.
  3. Select "Windows Authentication" (ensuring that it is enabled).
  4. Click "Providers..." in the right hand column.
  5. Select NTLM and click "Move Up".


5
votes

Had such problems with one of the web-apps in a similar environment. It turned out that IE was trying to authenticate using Kerberos, while Kerberos was turned off in IIS authentication settings. Chrome is falling back to NTLM after failing to go Kerberos, so in Chrome the web-app worked fine.

The solution is fairly trivial.

1. Open IIS Manager
2. Open the "Authentication" node
3. Right click on the "Windows Authentication" item.
4. Select "Advanced settings" in the context menu.
5. Switch off kernel mode (it's not compatible with the Kerberos provider.)
6. Repeat steps 1-3.
7. Select "Providers..." in the context menu
8. Add Kerberos to the enabled providers list
9. Restart IIS

1
votes

I had the same problem with Windows authentication with impersonation on Windows 2008 R2, IIS 7.5. I followed the other 2 solutions here without any success. But after applying these changes, I switched kernel mode back on again and it worked. I don't know why it works, but I have followed this procedure on 2 separate virtual directories with success.